diff --git a/packages/barracuda/0.1.0/docs/README.md b/packages/barracuda/0.1.0/docs/README.md
index c6bbec5784..bb9797efca 100644
--- a/packages/barracuda/0.1.0/docs/README.md
+++ b/packages/barracuda/0.1.0/docs/README.md
@@ -16,6 +16,9 @@ The `waf` dataset collects Barracuda Web Application Firewall logs.
 | dataset.name | Dataset name. | constant_keyword |
 | dataset.namespace | Dataset namespace. | constant_keyword |
 | dataset.type | Dataset type. | constant_keyword |
+| datastream.dataset | Datastream dataset. | constant_keyword |
+| datastream.namespace | Datastream namespace. | constant_keyword |
+| datastream.type | Datastream type. | constant_keyword |
 | destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
 | destination.bytes | Bytes sent from the destination to the source. | long |
 | destination.domain | Destination domain. | keyword |
diff --git a/packages/bluecoat/0.1.0/dataset/director/agent/stream/stream.yml.hbs b/packages/bluecoat/0.1.0/dataset/director/agent/stream/stream.yml.hbs
new file mode 100644
index 0000000000..f841bd0ef5
--- /dev/null
+++ b/packages/bluecoat/0.1.0/dataset/director/agent/stream/stream.yml.hbs
@@ -0,0 +1,3554 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Bluecoat" + product: "Director" + type: "Configuration" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i %{p0}"); + + var dup3 = match("MESSAGE#0:cli/1_0", "nwparser.p0", "%{username}@::%{fld5}:%{saddr->} %{p0}"); + + var dup4 = match("MESSAGE#0:cli/1_1", "nwparser.p0", "%{username}@%{domain->} %{p0}"); + + var dup5 = setc("eventcategory","1605000000"); + + var dup6 = setf("msg","$MSG"); + + var dup7 = setc("event_description","bad variable"); + + var dup8 = setc("event_description","This file is automatically generated"); + + var dup9 = setc("eventcategory","1603000000"); + + var dup10 = setc("event_description","authentication failure"); + + var dup11 = linear_select([ + dup3, + dup4, + ]); + + var dup12 = match("MESSAGE#10:cli:pam", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): pam_putenv: %{fld3}", processor_chain([ + dup5, + dup6, + dup7, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%{messageid}[%{hfld1}]: %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld1"), + constant("]: "), + field("payload"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{messageid}: %{payload}", processor_chain([ + setc("header_id","0002"), + dup1, + ])); + + var hdr3 = match("HEADER#2:0003", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{hfld4->} %{messageid}[%{hfld5}]: %{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld5"), + constant("]: "), + field("payload"), + ], + }), + ])); + + var hdr4 = match("HEADER#3:0004", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{hfld4->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0004"), + dup1, + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var part1 = match("MESSAGE#0:cli/2", "nwparser.p0", 
": Processing command: %{action}"); + + var all1 = all_match({ + processors: [ + dup2, + dup11, + part1, + ], + on_success: processor_chain([ + dup5, + dup6, + ]), + }); + + var msg1 = msg("cli", all1); + + var part2 = match("MESSAGE#1:cli:01/2", "nwparser.p0", ": Processing command %{action}"); + + var all2 = all_match({ + processors: [ + dup2, + dup11, + part2, + ], + on_success: processor_chain([ + dup5, + dup6, + ]), + }); + + var msg2 = msg("cli:01", all2); + + var part3 = match("MESSAGE#2:cli:02/2", "nwparser.p0", ": Leaving config mode%{}"); + + var all3 = all_match({ + processors: [ + dup2, + dup11, + part3, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Leaving config mode"), + ]), + }); + + var msg3 = msg("cli:02", all3); + + var part4 = match("MESSAGE#3:cli:03/2", "nwparser.p0", ": Entering config mode%{}"); + + var all4 = all_match({ + processors: [ + dup2, + dup11, + part4, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Entering config mode"), + ]), + }); + + var msg4 = msg("cli:03", all4); + + var part5 = match("MESSAGE#4:cli:04/2", "nwparser.p0", ": CLI exiting%{}"); + + var all5 = all_match({ + processors: [ + dup2, + dup11, + part5, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","CLI exiting"), + ]), + }); + + var msg5 = msg("cli:04", all5); + + var part6 = match("MESSAGE#5:cli:05/2", "nwparser.p0", ": CLI launched%{}"); + + var all6 = all_match({ + processors: [ + dup2, + dup11, + part6, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","CLI launched"), + ]), + }); + + var msg6 = msg("cli:05", all6); + + var part7 = match("MESSAGE#6:Automatically/2", "nwparser.p0", ": Automatically logged out due to keyboard inactivity.%{}"); + + var all7 = all_match({ + processors: [ + dup2, + dup11, + part7, + ], + on_success: processor_chain([ + dup5, + setc("ec_subject","User"), + setc("ec_activity","Logoff"), + dup6, + 
setc("event_description","Automatically logged out due to keyboard inactivity"), + ]), + }); + + var msg7 = msg("Automatically", all7); + + var part8 = match("MESSAGE#7:cli:06/2", "nwparser.p0", ": Entering enable mode%{}"); + + var all8 = all_match({ + processors: [ + dup2, + dup11, + part8, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Entering enable mode"), + ]), + }); + + var msg8 = msg("cli:06", all8); + + var part9 = match("MESSAGE#8:cli:07/2", "nwparser.p0", ": Leaving enable mode%{}"); + + var all9 = all_match({ + processors: [ + dup2, + dup11, + part9, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Leaving enable mode"), + ]), + }); + + var msg9 = msg("cli:07", all9); + + var part10 = match("MESSAGE#9:Processing/2", "nwparser.p0", ": Processing a secure command...%{}"); + + var all10 = all_match({ + processors: [ + dup2, + dup11, + part10, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Processing a secure command"), + ]), + }); + + var msg10 = msg("Processing", all10); + + var msg11 = msg("cli:pam", dup12); + + var select2 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + ]); + + var part11 = match("MESSAGE#11:schedulerd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Executing Job \"%{operation_id}\" execution %{fld6}", processor_chain([ + dup5, + dup6, + ])); + + var msg12 = msg("schedulerd", part11); + + var part12 = match("MESSAGE#12:schedulerd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> System time changed, recomputing job run times.", processor_chain([ + dup5, + dup6, + setc("event_description","System time changed, recomputing job run times"), + ])); + + var msg13 = msg("schedulerd:01", part12); + + var select3 = linear_select([ + msg12, + msg13, + ]); + + var part13 = match("MESSAGE#13:configd:Rotating", "nwparser.payload", "%{agent}: 
\u003c\u003c%{fld20}.%{severity}> Rotating out backup file \"%(unknown)\" for device \"%{hostname}\".", processor_chain([ + dup5, + dup6, + ])); + + var msg14 = msg("configd:Rotating", part13); + + var part14 = match("MESSAGE#14:configd:Deleting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Deleting backup %{filename->} from device \"%{hostname}\"", processor_chain([ + dup5, + dup6, + ])); + + var msg15 = msg("configd:Deleting", part14); + + var part15 = match("MESSAGE#15:configd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" completed command(s) \u003c\u003c%{action}> ...", processor_chain([ + dup5, + dup6, + ])); + + var msg16 = msg("configd", part15); + + var part16 = match("MESSAGE#16:configd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Sending commands to Device %{hostname}", processor_chain([ + dup5, + dup6, + ])); + + var msg17 = msg("configd:01", part16); + + var part17 = match("MESSAGE#17:configd:11", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: Sending commands to Device %{hostname}", processor_chain([ + dup5, + dup6, + ])); + + var msg18 = msg("configd:11", part17); + + var part18 = match("MESSAGE#18:file", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: command: %{action->} ;; CPL generated by Visual Policy Manager: %{fld10->} ;%{fld11->} ; %{fld12->} ; %{info}", processor_chain([ + dup5, + dup6, + dup8, + ])); + + var msg19 = msg("file", part18); + + var part19 = match("MESSAGE#19:configd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: command: %{action}", processor_chain([ + dup5, + dup6, + ])); + + var msg20 = msg("configd:02", part19); + + var part20 = match("MESSAGE#20:configd:22", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> 
%{username}@%{fld6}: command: %{action}", processor_chain([ + dup5, + dup6, + ])); + + var msg21 = msg("configd:22", part20); + + var part21 = match("MESSAGE#21:configd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Commands sent to Device %{hostname}", processor_chain([ + dup5, + dup6, + ])); + + var msg22 = msg("configd:03", part21); + + var part22 = match("MESSAGE#22:configd:33", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: Commands sent to Device %{hostname}", processor_chain([ + dup5, + dup6, + ])); + + var msg23 = msg("configd:33", part22); + + var part23 = match("MESSAGE#23:Backup", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Backup import command finished for all devices.", processor_chain([ + dup5, + dup6, + setc("event_description","Backup import command finished for all devices"), + ])); + + var msg24 = msg("Backup", part23); + + var part24 = match("MESSAGE#24:Beginning", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Beginning to make backup of cache %{hostname}", processor_chain([ + dup5, + dup6, + setc("event_description","Beginning to make backup of cache"), + ])); + + var msg25 = msg("Beginning", part24); + + var part25 = match("MESSAGE#25:Inputting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Inputting overlay \u003c\u003c%{fld10}>", processor_chain([ + dup5, + dup6, + setc("event_description","Inputting overlay"), + ])); + + var msg26 = msg("Inputting", part25); + + var part26 = match("MESSAGE#26:Saved", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Saved %{info->} to %(unknown)", processor_chain([ + dup5, + dup6, + ])); + + var msg27 = msg("Saved", part26); + + var part27 = match("MESSAGE#27:Importing", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Importing overlay \u003c\u003c%{fld25}> from %{hostname}", processor_chain([ + dup5, + dup6, + ])); 
+ + var msg28 = msg("Importing", part27); + + var part28 = match("MESSAGE#28:Overlay", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Overlay \"%{fld25}\" imported from device \"%{hostname}\"", processor_chain([ + dup5, + dup6, + ])); + + var msg29 = msg("Overlay", part28); + + var part29 = match("MESSAGE#29:Executed", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Executed the last created overlay. The filename is %(unknown)", processor_chain([ + dup5, + dup6, + ])); + + var msg30 = msg("Executed", part29); + + var part30 = match("MESSAGE#30:Configuration", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Configuration system online", processor_chain([ + dup5, + dup6, + setc("event_description","Configuration system online"), + ])); + + var msg31 = msg("Configuration", part30); + + var part31 = match("MESSAGE#31:Create", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> CREATE %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","Table creation"), + ])); + + var msg32 = msg("Create", part31); + + var part32 = match("MESSAGE#32:Loaded", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Loaded config file initial", processor_chain([ + dup5, + dup6, + setc("event_description","Loaded config file initial"), + ])); + + var msg33 = msg("Loaded", part32); + + var part33 = match("MESSAGE#33:Setting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Setting set-reply timeout to %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","Setting set-reply timeout"), + ])); + + var msg34 = msg("Setting", part33); + + var part34 = match("MESSAGE#34:CCD", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> CCD lost connection to device \"%{hostname}\": %{event_description}", processor_chain([ + dup5, + dup6, + ])); + + var msg35 = msg("CCD", part34); + + var part35 = match("MESSAGE#35:Device", "nwparser.payload", "%{agent}: 
\u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" is now online.", processor_chain([ + dup5, + dup6, + ])); + + var msg36 = msg("Device", part35); + + var part36 = match("MESSAGE#36:Output", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: %{fld9->} Output for device \"%{hostname}\" %{fld10}", processor_chain([ + dup5, + dup6, + ])); + + var msg37 = msg("Output", part36); + + var part37 = match("MESSAGE#37:ssh", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> (ssh) %{event_description}", processor_chain([ + dup5, + dup6, + ])); + + var msg38 = msg("ssh", part37); + + var part38 = match("MESSAGE#38:Applying", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Applying overlay \u003c\u003c%{fld10}> to group %{group_object}", processor_chain([ + dup5, + dup6, + setc("event_description","Applying overlay to group"), + ])); + + var msg39 = msg("Applying", part38); + + var part39 = match("MESSAGE#39:Applying:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Applying overlay \u003c\u003c%{fld10}> to cache %{hostname}", processor_chain([ + dup5, + dup6, + setc("event_description","Applying overlay to cache"), + ])); + + var msg40 = msg("Applying:01", part39); + + var part40 = match("MESSAGE#40:configd:backup", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Backup complete for device \"%{hostname}\". 
ID %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","Backup complete for device"), + ])); + + var msg41 = msg("configd:backup", part40); + + var part41 = match("MESSAGE#41:file:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" completed command(s) %{action->} ;; CPL generated by Visual Policy Manager: %{fld10->} ;%{fld11->} ; %{fld12->} ; %{info}", processor_chain([ + dup5, + dup6, + dup8, + ])); + + var msg42 = msg("file:01", part41); + + var part42 = match("MESSAGE#42:configd:connection", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> read: Connection reset by peer", processor_chain([ + dup5, + dup6, + setc("event_description","Connection reset by peer"), + ])); + + var msg43 = msg("configd:connection", part42); + + var part43 = match("MESSAGE#43:configd:failed", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{info->} failed", processor_chain([ + dup5, + dup6, + setc("event_description","cd session read failed"), + ])); + + var msg44 = msg("configd:failed", part43); + + var select4 = linear_select([ + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, + ]); + + var part44 = match("MESSAGE#44:poller", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Querying content system for job results.", processor_chain([ + dup5, + dup6, + setc("event_description","Querying content system for job results"), + ])); + + var msg45 = msg("poller", part44); + + var part45 = match("MESSAGE#45:heartbeat", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Processing command: %{action}", processor_chain([ + dup5, + dup6, + ])); + + var msg46 = msg("heartbeat", part45); + + var part46 = match("MESSAGE#46:heartbeat:01", 
"nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> The HB command is %{action}", processor_chain([ + dup5, + dup6, + ])); + + var msg47 = msg("heartbeat:01", part46); + + var part47 = match("MESSAGE#47:heartbeat:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> director heartbeat client exiting.", processor_chain([ + dup5, + dup6, + setc("event_description","director heartbeat client exiting"), + ])); + + var msg48 = msg("heartbeat:02", part47); + + var part48 = match("MESSAGE#48:heartbeat:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> director heartbeat client launched.", processor_chain([ + dup5, + dup6, + setc("event_description","director heartbeat client launched"), + ])); + + var msg49 = msg("heartbeat:03", part48); + + var part49 = match("MESSAGE#49:heartbeat:crit1", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %(unknown): undefined symbol: %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","undefined symbol"), + ])); + + var msg50 = msg("heartbeat:crit1", part49); + + var part50 = match("MESSAGE#50:heartbeat:crit2", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> connect: %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","No such file or directory"), + ])); + + var msg51 = msg("heartbeat:crit2", part50); + + var select5 = linear_select([ + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, + ]); + + var part51 = match("MESSAGE#51:runner", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Job \"%{operation_id}\" execution %{fld6->} command %{fld7}: \"%{action}\". 
Output %{fld9}: %{result}", processor_chain([ + dup5, + dup6, + ])); + + var msg52 = msg("runner", part51); + + var part52 = match("MESSAGE#52:runner:01", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Processing command: %{action}", processor_chain([ + dup5, + dup6, + ])); + + var msg53 = msg("runner:01", part52); + + var part53 = match("MESSAGE#53:runner:02", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Job \"%{operation_id}\" execution %{fld6->} finished running.", processor_chain([ + dup5, + dup6, + ])); + + var msg54 = msg("runner:02", part53); + + var part54 = match("MESSAGE#54:runner:crit1", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Failed to exec %(unknown)", processor_chain([ + dup5, + dup6, + ])); + + var msg55 = msg("runner:crit1", part54); + + var part55 = match("MESSAGE#55:runner:crit2", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> File reading failed", processor_chain([ + dup5, + dup6, + setc("event_description","File reading failed"), + ])); + + var msg56 = msg("runner:crit2", part55); + + var select6 = linear_select([ + msg52, + msg53, + msg54, + msg55, + msg56, + ]); + + var part56 = match("MESSAGE#56:ccd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: attempting connection using %{fld6->} on port: %{fld7}", processor_chain([ + dup5, + dup6, + ])); + + var msg57 = msg("ccd", part56); + + var part57 = match("MESSAGE#57:ccd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: %{event_description}, Reason %{result}", processor_chain([ + dup5, + dup6, + ])); + + var msg58 = msg("ccd:01", part57); + + var part58 = match("MESSAGE#58:ccd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: couldn't match the response \u003c\u003c%{event_description}>", processor_chain([ + dup5, + dup6, + ])); + + var 
msg59 = msg("ccd:03", part58); + + var part59 = match("MESSAGE#59:ccd:04", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: Did not get echo for the command \u003c\u003c%{action}>for past %{fld10}", processor_chain([ + dup5, + dup6, + ])); + + var msg60 = msg("ccd:04", part59); + + var part60 = match("MESSAGE#60:ccd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","info on device connection"), + ])); + + var msg61 = msg("ccd:02", part60); + + var part61 = match("MESSAGE#61:ccd:05", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> write to %{fld1->} pipe : %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","write to ssh pipe"), + ])); + + var msg62 = msg("ccd:05", part61); + + var part62 = match("MESSAGE#62:ccd:06", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> ccd_handle_read_failure(), %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","ccd handle read failure"), + ])); + + var msg63 = msg("ccd:06", part62); + + var part63 = match("MESSAGE#63:ccd:07", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device Communication Daemon online", processor_chain([ + dup5, + dup6, + setc("event_description","device communication daemon online"), + ])); + + var msg64 = msg("ccd:07", part63); + + var part64 = match("MESSAGE#64:ccd:08", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> System memory is: %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","system memory size"), + ])); + + var msg65 = msg("ccd:08", part64); + + var select7 = linear_select([ + msg57, + msg58, + msg59, + msg60, + msg61, + msg62, + msg63, + msg64, + msg65, + ]); + + var part65 = match("MESSAGE#65:sshd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> error: Bind to port %{fld10->} on %{fld5->} failed: %{result}", 
processor_chain([ + dup9, + dup6, + ])); + + var msg66 = msg("sshd", part65); + + var part66 = match("MESSAGE#66:sshd:01", "nwparser.payload", "%{agent}: bad username %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","bad username"), + ])); + + var msg67 = msg("sshd:01", part66); + + var part67 = match("MESSAGE#67:sshd:02", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): authentication failure; %{info}", processor_chain([ + dup5, + dup6, + dup10, + ])); + + var msg68 = msg("sshd:02", part67); + + var part68 = match("MESSAGE#68:sshd:03", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): check pass; %{fld3}", processor_chain([ + dup5, + dup6, + setc("event_description","check pass, user unknown"), + ])); + + var msg69 = msg("sshd:03", part68); + + var part69 = match("MESSAGE#69:sshd:04", "nwparser.payload", "%{agent}[%{process_id}]: PAM %{fld1->} more authentication failure; %{info}", processor_chain([ + dup5, + dup6, + dup10, + ])); + + var msg70 = msg("sshd:04", part69); + + var msg71 = msg("sshd:pam", dup12); + + var select8 = linear_select([ + msg66, + msg67, + msg68, + msg69, + msg70, + msg71, + ]); + + var part70 = match("MESSAGE#71:dmd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> inserted device id = %{hostname->} and serial number = %{fld6->} into DB", processor_chain([ + dup5, + dup6, + ])); + + var msg72 = msg("dmd", part70); + + var part71 = match("MESSAGE#72:dmd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Health state for metric\"%{hostname}\" \"%{change_old}\" changed to \"%{change_new}\", reason: \"%{result}\"", processor_chain([ + dup5, + dup6, + ])); + + var msg73 = msg("dmd:01", part71); + + var part72 = match("MESSAGE#73:dmd:11", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Health state for group \"%{group_object}\" changed from \"%{change_old}\" to \"%{change_new}\"", processor_chain([ + dup5, + dup6, + ])); + + 
var msg74 = msg("dmd:11", part72); + + var part73 = match("MESSAGE#74:dmd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Filter on (%{fld5}) things. %{event_description}", processor_chain([ + dup5, + dup6, + ])); + + var msg75 = msg("dmd:02", part73); + + var part74 = match("MESSAGE#75:dmd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device ID \"%{hostname}\" error: %{event_description}", processor_chain([ + dup9, + dup6, + ])); + + var msg76 = msg("dmd:03", part74); + + var select9 = linear_select([ + msg72, + msg73, + msg74, + msg75, + msg76, + ]); + + var part75 = match("MESSAGE#76:logrotate", "nwparser.payload", "%{agent}: ALERT exited abnormally with %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","ALERT exited abnormally"), + ])); + + var msg77 = msg("logrotate", part75); + + var part76 = match("MESSAGE#77:ntpd", "nwparser.payload", "%{agent}[%{process_id}]: kernel time sync enabled %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","kernel time sync enabled"), + ])); + + var msg78 = msg("ntpd", part76); + + var part77 = match("MESSAGE#78:ntpd:01", "nwparser.payload", "%{agent}[%{process_id}]: time reset %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","time reset"), + ])); + + var msg79 = msg("ntpd:01", part77); + + var part78 = match("MESSAGE#79:ntpd:02", "nwparser.payload", "%{agent}[%{process_id}]: ntpd %{fld10}-r %{fld11}", processor_chain([ + dup5, + dup6, + ])); + + var msg80 = msg("ntpd:02", part78); + + var part79 = match("MESSAGE#80:ntpd:03", "nwparser.payload", "%{agent}[%{process_id}]: ntpd exiting on signal %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","ntpd exiting on signal"), + ])); + + var msg81 = msg("ntpd:03", part79); + + var select10 = linear_select([ + msg78, + msg79, + msg80, + msg81, + ]); + + var part80 = match("MESSAGE#81:pm", "nwparser.payload", "%{agent}[%{process_id}]: 
\u003c\u003c%{fld20}.%{severity}> ntpd will start in %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","ntpd will start in few secs"), + ])); + + var msg82 = msg("pm", part80); + + var part81 = match("MESSAGE#82:pm:01", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> ntpd started", processor_chain([ + dup5, + dup6, + setc("event_description","ntpd started"), + ])); + + var msg83 = msg("pm:01", part81); + + var part82 = match("MESSAGE#83:pm:02", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> print_msg(), %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","print message"), + ])); + + var msg84 = msg("pm:02", part82); + + var part83 = match("MESSAGE#84:pm:03", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> %{info->} started", processor_chain([ + dup5, + dup6, + setc("event_description","service started"), + ])); + + var msg85 = msg("pm:03", part83); + + var part84 = match("MESSAGE#85:pm:04", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> %{info->} will start in %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","service will start"), + ])); + + var msg86 = msg("pm:04", part84); + + var part85 = match("MESSAGE#86:pm:05", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> check_license_validity(), %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","check license validity"), + ])); + + var msg87 = msg("pm:05", part85); + + var part86 = match("MESSAGE#87:pm:06", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Connected to config daemon", processor_chain([ + dup5, + dup6, + setc("event_description","connected to config daemon"), + ])); + + var msg88 = msg("pm:06", part86); + + var select11 = linear_select([ + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + msg88, + ]); + + var part87 = 
match("MESSAGE#88:anacron", "nwparser.payload", "%{agent}[%{process_id}]: Updated timestamp for job %{info->} to %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","updated timestamp"), + ])); + + var msg89 = msg("anacron", part87); + + var part88 = match("MESSAGE#89:anacron:01", "nwparser.payload", "%{agent}[%{process_id}]: Anacron %{version->} started on %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","anacron started"), + ])); + + var msg90 = msg("anacron:01", part88); + + var part89 = match("MESSAGE#90:anacron:02", "nwparser.payload", "%{agent}[%{process_id}]: Normal exit %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","normal exit"), + ])); + + var msg91 = msg("anacron:02", part89); + + var select12 = linear_select([ + msg89, + msg90, + msg91, + ]); + + var part90 = match("MESSAGE#91:epmd", "nwparser.payload", "%{agent}: epmd: invalid packet size (%{fld1})", processor_chain([ + dup5, + dup6, + setc("event_description","invalid packet size"), + ])); + + var msg92 = msg("epmd", part90); + + var part91 = match("MESSAGE#92:epmd:01", "nwparser.payload", "%{agent}: epmd: got %{info}", processor_chain([ + dup5, + dup6, + ])); + + var msg93 = msg("epmd:01", part91); + + var part92 = match("MESSAGE#93:epmd:02", "nwparser.payload", "%{agent}: epmd: epmd running %{info}", processor_chain([ + dup5, + dup6, + ])); + + var msg94 = msg("epmd:02", part92); + + var select13 = linear_select([ + msg92, + msg93, + msg94, + ]); + + var part93 = match("MESSAGE#94:xinetd", "nwparser.payload", "%{agent}[%{process_id}]: xinetd %{event_description}", processor_chain([ + dup5, + dup6, + ])); + + var msg95 = msg("xinetd", part93); + + var part94 = match("MESSAGE#95:xinetd:01", "nwparser.payload", "%{agent}[%{process_id}]: Started working: %{fld1->} available services", processor_chain([ + dup5, + dup6, + ])); + + var msg96 = msg("xinetd:01", part94); + + var select14 = linear_select([ + msg95, + msg96, + ]); + + var part95 
= match("MESSAGE#96:auditd", "nwparser.payload", "%{agent}[%{process_id}]: Audit daemon rotating log files", processor_chain([ + dup5, + dup6, + setc("event_description","Audit daemon rotating log files"), + ])); + + var msg97 = msg("auditd", part95); + + var part96 = match("MESSAGE#97:restorecond", "nwparser.payload", "%{agent}: Reset file context %(unknown): %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","Reset file"), + ])); + + var msg98 = msg("restorecond", part96); + + var part97 = match("MESSAGE#98:authd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> handle_authd unknown message =%{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","handle authd unknown message"), + ])); + + var msg99 = msg("authd", part97); + + var part98 = match("MESSAGE#99:authd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> authd_signal_handler(), %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","authd signal handler"), + ])); + + var msg100 = msg("authd:01", part98); + + var part99 = match("MESSAGE#100:authd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> authd_close(): %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","authd close"), + ])); + + var msg101 = msg("authd:02", part99); + + var select15 = linear_select([ + msg99, + msg100, + msg101, + ]); + + var part100 = match("MESSAGE#101:rsyslogd/0", "nwparser.payload", "%{agent}: W%{p0}"); + + var part101 = match("MESSAGE#101:rsyslogd/1_0", "nwparser.p0", "ARNING%{p0}"); + + var part102 = match("MESSAGE#101:rsyslogd/1_1", "nwparser.p0", "arning%{p0}"); + + var select16 = linear_select([ + part101, + part102, + ]); + + var part103 = match("MESSAGE#101:rsyslogd/2", "nwparser.p0", ": %{event_description}"); + + var all11 = all_match({ + processors: [ + part100, + select16, + part103, + ], + on_success: processor_chain([ + dup5, + dup6, + ]), + }); + + var msg102 = msg("rsyslogd", all11); + 
+ var part104 = match("MESSAGE#102:shutdown", "nwparser.payload", "%{agent}[%{process_id}]: shutting down %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","shutting down"), + ])); + + var msg103 = msg("shutdown", part104); + + var part105 = match("MESSAGE#103:cmd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> cmd starting %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","cmd starting"), + ])); + + var msg104 = msg("cmd", part105); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "anacron": select12, + "auditd": msg97, + "authd": select15, + "ccd": select7, + "cli": select2, + "cmd": msg104, + "configd": select4, + "dmd": select9, + "epmd": select13, + "heartbeat": select5, + "logrotate": msg77, + "ntpd": select10, + "pm": select11, + "poller": msg45, + "restorecond": msg98, + "rsyslogd": msg102, + "runner": select6, + "schedulerd": select3, + "shutdown": msg103, + "sshd": select8, + "xinetd": select14, + }), + ]); + + var part106 = match("MESSAGE#0:cli/0", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c-%{fld20}.%{severity}> %{p0}"); + + var part107 = match("MESSAGE#0:cli/1_0", "nwparser.p0", "%{username}@::%{fld5}:%{saddr->} %{p0}"); + + var part108 = match("MESSAGE#0:cli/1_1", "nwparser.p0", "%{username}@%{domain->} %{p0}"); + + var select17 = linear_select([ + dup3, + dup4, + ]); + + var part109 = match("MESSAGE#10:cli:pam", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): pam_putenv: %{fld3}", processor_chain([ + dup5, + dup6, + dup7, + ])); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/bluecoat/0.1.0/dataset/director/agent/stream/tcp.yml.hbs b/packages/bluecoat/0.1.0/dataset/director/agent/stream/tcp.yml.hbs new file mode 100644 index 0000000000..b6968af2ea --- /dev/null +++ b/packages/bluecoat/0.1.0/dataset/director/agent/stream/tcp.yml.hbs 
@@ -0,0 +1,3551 @@ +tcp: +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Bluecoat" + product: "Director" + type: "Configuration" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
+ "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
+ "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
+ "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
+ "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
+ "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
+ };
+
+ function to_date(value) {
+ switch (typeof (value)) {
+ case "object":
+ // This is a Date. But as it was obtained from evt.Get(), the VM
+ // doesn't see it as a JS Date anymore, thus value instanceof Date === false.
+ // Have to trust that any object here is a valid Date for Go.
+ return value;
+ case "string":
+ var asDate = new Date(value);
+ if (!isNaN(asDate)) return asDate;
+ }
+ }
+
+ // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
+ var maxSafeInt = Math.pow(2, 53) - 1;
+ var minSafeInt = -maxSafeInt;
+
+ function to_long(value) {
+ var num = parseInt(value);
+ // Better not to index a number if it's not safe (above 53 bits).
+ return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ?
num : undefined;
+ }
+
+ function to_ip(value) {
+ if (value.indexOf(":") === -1)
+ return to_ipv4(value);
+ return to_ipv6(value);
+ }
+
+ var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
+ var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
+
+ function to_ipv4(value) {
+ var result = ipv4_regex.exec(value);
+ if (result == null || result.length !== 5) return;
+ for (var i = 1; i < 5; i++) {
+ var num = strictToInt(result[i]);
+ if (isNaN(num) || num < 0 || num > 255) return;
+ }
+ return value;
+ }
+
+ function to_ipv6(value) {
+ var sqEnd = value.indexOf("]");
+ if (sqEnd > -1) {
+ if (value.charAt(0) !== "[") return;
+ value = value.substr(1, sqEnd - 1);
+ }
+ var zoneOffset = value.indexOf("%");
+ if (zoneOffset > -1) {
+ value = value.substr(0, zoneOffset);
+ }
+ var parts = value.split(":");
+ if (parts == null || parts.length < 3 || parts.length > 8) return;
+ var numEmpty = 0;
+ var innerEmpty = 0;
+ for (var i = 0; i < parts.length; i++) {
+ if (parts[i].length === 0) {
+ numEmpty++;
+ if (i > 0 && i + 1 < parts.length) innerEmpty++;
+ } else if (!parts[i].match(ipv6_hex_regex) &&
+ // Accept an IPv6 with a valid IPv4 at the end.
+ ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
+ return;
+ }
+ }
+ return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
+ }
+
+ function to_double(value) {
+ return parseFloat(value);
+ }
+
+ function to_mac(value) {
+ // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
+ return value;
+ }
+
+ function to_lowercase(value) {
+ // to_lowercase is used against keyword fields, which can accept
+ // any other type (numbers, dates).
+ return typeof(value) === "string"?
value.toLowerCase() : value;
+ }
+
+ function fld_set(dst, value) {
+ dst[this.field] = { v: value };
+ }
+
+ function fld_append(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: [value] };
+ } else {
+ var base = dst[this.field];
+ if (base.v.indexOf(value)===-1) base.v.push(value);
+ }
+ }
+
+ function fld_prio(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value, prio: this.prio};
+ } else if(this.prio < dst[this.field].prio) {
+ dst[this.field].v = value;
+ dst[this.field].prio = this.prio;
+ }
+ }
+
+ var valid_ecs_outcome = {
+ 'failure': true,
+ 'success': true,
+ 'unknown': true
+ };
+
+ function fld_ecs_outcome(dst, value) {
+ value = value.toLowerCase();
+ if (valid_ecs_outcome[value] === undefined) {
+ value = 'unknown';
+ }
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value };
+ } else if (dst[this.field].v === 'unknown') {
+ dst[this.field] = { v: value };
+ }
+ }
+
+ function map_all(evt, targets, value) {
+ for (var i = 0; i < targets.length; i++) {
+ evt.Put(targets[i], value);
+ }
+ }
+
+ function populate_fields(evt) {
+ var base = evt.Get(FIELDS_OBJECT);
+ if (base === null) return;
+ alternate_datetime(evt);
+ if (map_ecs) {
+ do_populate(evt, base, ecs_mappings);
+ }
+ if (map_rsa) {
+ do_populate(evt, base, rsa_mappings);
+ }
+ if (keep_raw) {
+ evt.Put("rsa.raw", base);
+ }
+ evt.Delete(FIELDS_OBJECT);
+ }
+
+ var datetime_alt_components = [
+ {field: "day", fmts: [[dF]]},
+ {field: "year", fmts: [[dW]]},
+ {field: "month", fmts: [[dB],[dG]]},
+ {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
+ {field: "hour", fmts: [[dN]]},
+ {field: "min", fmts: [[dU]]},
+ {field: "secs", fmts: [[dO]]},
+ {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
+ ];
+
+ function alternate_datetime(evt) {
+ if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
+ return;
+ }
+ var tzOffset = tz_offset;
+ if (tzOffset === "event") {
+
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i %{p0}"); + + var dup3 = match("MESSAGE#0:cli/1_0", "nwparser.p0", "%{username}@::%{fld5}:%{saddr->} %{p0}"); + + var dup4 = match("MESSAGE#0:cli/1_1", "nwparser.p0", "%{username}@%{domain->} %{p0}"); + + var dup5 = setc("eventcategory","1605000000"); + + var dup6 = setf("msg","$MSG"); + + var dup7 = setc("event_description","bad variable"); + + var dup8 = setc("event_description","This file is automatically generated"); + + var dup9 = setc("eventcategory","1603000000"); + + var dup10 = setc("event_description","authentication failure"); + + var dup11 = linear_select([ + dup3, + dup4, + ]); + + var dup12 = match("MESSAGE#10:cli:pam", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): pam_putenv: %{fld3}", processor_chain([ + dup5, + dup6, + dup7, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%{messageid}[%{hfld1}]: %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld1"), + constant("]: "), + field("payload"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{messageid}: %{payload}", processor_chain([ + setc("header_id","0002"), + dup1, + ])); + + var hdr3 = match("HEADER#2:0003", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{hfld4->} %{messageid}[%{hfld5}]: %{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld5"), + constant("]: "), + field("payload"), + ], + }), + ])); + + var hdr4 = match("HEADER#3:0004", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{hfld4->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0004"), + dup1, + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var part1 = match("MESSAGE#0:cli/2", "nwparser.p0", 
": Processing command: %{action}"); + + var all1 = all_match({ + processors: [ + dup2, + dup11, + part1, + ], + on_success: processor_chain([ + dup5, + dup6, + ]), + }); + + var msg1 = msg("cli", all1); + + var part2 = match("MESSAGE#1:cli:01/2", "nwparser.p0", ": Processing command %{action}"); + + var all2 = all_match({ + processors: [ + dup2, + dup11, + part2, + ], + on_success: processor_chain([ + dup5, + dup6, + ]), + }); + + var msg2 = msg("cli:01", all2); + + var part3 = match("MESSAGE#2:cli:02/2", "nwparser.p0", ": Leaving config mode%{}"); + + var all3 = all_match({ + processors: [ + dup2, + dup11, + part3, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Leaving config mode"), + ]), + }); + + var msg3 = msg("cli:02", all3); + + var part4 = match("MESSAGE#3:cli:03/2", "nwparser.p0", ": Entering config mode%{}"); + + var all4 = all_match({ + processors: [ + dup2, + dup11, + part4, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Entering config mode"), + ]), + }); + + var msg4 = msg("cli:03", all4); + + var part5 = match("MESSAGE#4:cli:04/2", "nwparser.p0", ": CLI exiting%{}"); + + var all5 = all_match({ + processors: [ + dup2, + dup11, + part5, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","CLI exiting"), + ]), + }); + + var msg5 = msg("cli:04", all5); + + var part6 = match("MESSAGE#5:cli:05/2", "nwparser.p0", ": CLI launched%{}"); + + var all6 = all_match({ + processors: [ + dup2, + dup11, + part6, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","CLI launched"), + ]), + }); + + var msg6 = msg("cli:05", all6); + + var part7 = match("MESSAGE#6:Automatically/2", "nwparser.p0", ": Automatically logged out due to keyboard inactivity.%{}"); + + var all7 = all_match({ + processors: [ + dup2, + dup11, + part7, + ], + on_success: processor_chain([ + dup5, + setc("ec_subject","User"), + setc("ec_activity","Logoff"), + dup6, + 
setc("event_description","Automatically logged out due to keyboard inactivity"), + ]), + }); + + var msg7 = msg("Automatically", all7); + + var part8 = match("MESSAGE#7:cli:06/2", "nwparser.p0", ": Entering enable mode%{}"); + + var all8 = all_match({ + processors: [ + dup2, + dup11, + part8, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Entering enable mode"), + ]), + }); + + var msg8 = msg("cli:06", all8); + + var part9 = match("MESSAGE#8:cli:07/2", "nwparser.p0", ": Leaving enable mode%{}"); + + var all9 = all_match({ + processors: [ + dup2, + dup11, + part9, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Leaving enable mode"), + ]), + }); + + var msg9 = msg("cli:07", all9); + + var part10 = match("MESSAGE#9:Processing/2", "nwparser.p0", ": Processing a secure command...%{}"); + + var all10 = all_match({ + processors: [ + dup2, + dup11, + part10, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Processing a secure command"), + ]), + }); + + var msg10 = msg("Processing", all10); + + var msg11 = msg("cli:pam", dup12); + + var select2 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + ]); + + var part11 = match("MESSAGE#11:schedulerd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Executing Job \"%{operation_id}\" execution %{fld6}", processor_chain([ + dup5, + dup6, + ])); + + var msg12 = msg("schedulerd", part11); + + var part12 = match("MESSAGE#12:schedulerd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> System time changed, recomputing job run times.", processor_chain([ + dup5, + dup6, + setc("event_description","System time changed, recomputing job run times"), + ])); + + var msg13 = msg("schedulerd:01", part12); + + var select3 = linear_select([ + msg12, + msg13, + ]); + + var part13 = match("MESSAGE#13:configd:Rotating", "nwparser.payload", "%{agent}: 
\u003c\u003c%{fld20}.%{severity}> Rotating out backup file \"%(unknown)\" for device \"%{hostname}\".", processor_chain([ + dup5, + dup6, + ])); + + var msg14 = msg("configd:Rotating", part13); + + var part14 = match("MESSAGE#14:configd:Deleting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Deleting backup %{filename->} from device \"%{hostname}\"", processor_chain([ + dup5, + dup6, + ])); + + var msg15 = msg("configd:Deleting", part14); + + var part15 = match("MESSAGE#15:configd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" completed command(s) \u003c\u003c%{action}> ...", processor_chain([ + dup5, + dup6, + ])); + + var msg16 = msg("configd", part15); + + var part16 = match("MESSAGE#16:configd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Sending commands to Device %{hostname}", processor_chain([ + dup5, + dup6, + ])); + + var msg17 = msg("configd:01", part16); + + var part17 = match("MESSAGE#17:configd:11", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: Sending commands to Device %{hostname}", processor_chain([ + dup5, + dup6, + ])); + + var msg18 = msg("configd:11", part17); + + var part18 = match("MESSAGE#18:file", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: command: %{action->} ;; CPL generated by Visual Policy Manager: %{fld10->} ;%{fld11->} ; %{fld12->} ; %{info}", processor_chain([ + dup5, + dup6, + dup8, + ])); + + var msg19 = msg("file", part18); + + var part19 = match("MESSAGE#19:configd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: command: %{action}", processor_chain([ + dup5, + dup6, + ])); + + var msg20 = msg("configd:02", part19); + + var part20 = match("MESSAGE#20:configd:22", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> 
%{username}@%{fld6}: command: %{action}", processor_chain([ + dup5, + dup6, + ])); + + var msg21 = msg("configd:22", part20); + + var part21 = match("MESSAGE#21:configd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Commands sent to Device %{hostname}", processor_chain([ + dup5, + dup6, + ])); + + var msg22 = msg("configd:03", part21); + + var part22 = match("MESSAGE#22:configd:33", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: Commands sent to Device %{hostname}", processor_chain([ + dup5, + dup6, + ])); + + var msg23 = msg("configd:33", part22); + + var part23 = match("MESSAGE#23:Backup", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Backup import command finished for all devices.", processor_chain([ + dup5, + dup6, + setc("event_description","Backup import command finished for all devices"), + ])); + + var msg24 = msg("Backup", part23); + + var part24 = match("MESSAGE#24:Beginning", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Beginning to make backup of cache %{hostname}", processor_chain([ + dup5, + dup6, + setc("event_description","Beginning to make backup of cache"), + ])); + + var msg25 = msg("Beginning", part24); + + var part25 = match("MESSAGE#25:Inputting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Inputting overlay \u003c\u003c%{fld10}>", processor_chain([ + dup5, + dup6, + setc("event_description","Inputting overlay"), + ])); + + var msg26 = msg("Inputting", part25); + + var part26 = match("MESSAGE#26:Saved", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Saved %{info->} to %(unknown)", processor_chain([ + dup5, + dup6, + ])); + + var msg27 = msg("Saved", part26); + + var part27 = match("MESSAGE#27:Importing", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Importing overlay \u003c\u003c%{fld25}> from %{hostname}", processor_chain([ + dup5, + dup6, + ])); 
+ + var msg28 = msg("Importing", part27); + + var part28 = match("MESSAGE#28:Overlay", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Overlay \"%{fld25}\" imported from device \"%{hostname}\"", processor_chain([ + dup5, + dup6, + ])); + + var msg29 = msg("Overlay", part28); + + var part29 = match("MESSAGE#29:Executed", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Executed the last created overlay. The filename is %(unknown)", processor_chain([ + dup5, + dup6, + ])); + + var msg30 = msg("Executed", part29); + + var part30 = match("MESSAGE#30:Configuration", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Configuration system online", processor_chain([ + dup5, + dup6, + setc("event_description","Configuration system online"), + ])); + + var msg31 = msg("Configuration", part30); + + var part31 = match("MESSAGE#31:Create", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> CREATE %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","Table creation"), + ])); + + var msg32 = msg("Create", part31); + + var part32 = match("MESSAGE#32:Loaded", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Loaded config file initial", processor_chain([ + dup5, + dup6, + setc("event_description","Loaded config file initial"), + ])); + + var msg33 = msg("Loaded", part32); + + var part33 = match("MESSAGE#33:Setting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Setting set-reply timeout to %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","Setting set-reply timeout"), + ])); + + var msg34 = msg("Setting", part33); + + var part34 = match("MESSAGE#34:CCD", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> CCD lost connection to device \"%{hostname}\": %{event_description}", processor_chain([ + dup5, + dup6, + ])); + + var msg35 = msg("CCD", part34); + + var part35 = match("MESSAGE#35:Device", "nwparser.payload", "%{agent}: 
\u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" is now online.", processor_chain([ + dup5, + dup6, + ])); + + var msg36 = msg("Device", part35); + + var part36 = match("MESSAGE#36:Output", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: %{fld9->} Output for device \"%{hostname}\" %{fld10}", processor_chain([ + dup5, + dup6, + ])); + + var msg37 = msg("Output", part36); + + var part37 = match("MESSAGE#37:ssh", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> (ssh) %{event_description}", processor_chain([ + dup5, + dup6, + ])); + + var msg38 = msg("ssh", part37); + + var part38 = match("MESSAGE#38:Applying", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Applying overlay \u003c\u003c%{fld10}> to group %{group_object}", processor_chain([ + dup5, + dup6, + setc("event_description","Applying overlay to group"), + ])); + + var msg39 = msg("Applying", part38); + + var part39 = match("MESSAGE#39:Applying:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Applying overlay \u003c\u003c%{fld10}> to cache %{hostname}", processor_chain([ + dup5, + dup6, + setc("event_description","Applying overlay to cache"), + ])); + + var msg40 = msg("Applying:01", part39); + + var part40 = match("MESSAGE#40:configd:backup", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Backup complete for device \"%{hostname}\". 
ID %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","Backup complete for device"), + ])); + + var msg41 = msg("configd:backup", part40); + + var part41 = match("MESSAGE#41:file:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" completed command(s) %{action->} ;; CPL generated by Visual Policy Manager: %{fld10->} ;%{fld11->} ; %{fld12->} ; %{info}", processor_chain([ + dup5, + dup6, + dup8, + ])); + + var msg42 = msg("file:01", part41); + + var part42 = match("MESSAGE#42:configd:connection", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> read: Connection reset by peer", processor_chain([ + dup5, + dup6, + setc("event_description","Connection reset by peer"), + ])); + + var msg43 = msg("configd:connection", part42); + + var part43 = match("MESSAGE#43:configd:failed", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{info->} failed", processor_chain([ + dup5, + dup6, + setc("event_description","cd session read failed"), + ])); + + var msg44 = msg("configd:failed", part43); + + var select4 = linear_select([ + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, + ]); + + var part44 = match("MESSAGE#44:poller", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Querying content system for job results.", processor_chain([ + dup5, + dup6, + setc("event_description","Querying content system for job results"), + ])); + + var msg45 = msg("poller", part44); + + var part45 = match("MESSAGE#45:heartbeat", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Processing command: %{action}", processor_chain([ + dup5, + dup6, + ])); + + var msg46 = msg("heartbeat", part45); + + var part46 = match("MESSAGE#46:heartbeat:01", 
"nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> The HB command is %{action}", processor_chain([ + dup5, + dup6, + ])); + + var msg47 = msg("heartbeat:01", part46); + + var part47 = match("MESSAGE#47:heartbeat:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> director heartbeat client exiting.", processor_chain([ + dup5, + dup6, + setc("event_description","director heartbeat client exiting"), + ])); + + var msg48 = msg("heartbeat:02", part47); + + var part48 = match("MESSAGE#48:heartbeat:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> director heartbeat client launched.", processor_chain([ + dup5, + dup6, + setc("event_description","director heartbeat client launched"), + ])); + + var msg49 = msg("heartbeat:03", part48); + + var part49 = match("MESSAGE#49:heartbeat:crit1", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %(unknown): undefined symbol: %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","undefined symbol"), + ])); + + var msg50 = msg("heartbeat:crit1", part49); + + var part50 = match("MESSAGE#50:heartbeat:crit2", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> connect: %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","No such file or directory"), + ])); + + var msg51 = msg("heartbeat:crit2", part50); + + var select5 = linear_select([ + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, + ]); + + var part51 = match("MESSAGE#51:runner", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Job \"%{operation_id}\" execution %{fld6->} command %{fld7}: \"%{action}\". 
Output %{fld9}: %{result}", processor_chain([ + dup5, + dup6, + ])); + + var msg52 = msg("runner", part51); + + var part52 = match("MESSAGE#52:runner:01", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Processing command: %{action}", processor_chain([ + dup5, + dup6, + ])); + + var msg53 = msg("runner:01", part52); + + var part53 = match("MESSAGE#53:runner:02", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Job \"%{operation_id}\" execution %{fld6->} finished running.", processor_chain([ + dup5, + dup6, + ])); + + var msg54 = msg("runner:02", part53); + + var part54 = match("MESSAGE#54:runner:crit1", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Failed to exec %(unknown)", processor_chain([ + dup5, + dup6, + ])); + + var msg55 = msg("runner:crit1", part54); + + var part55 = match("MESSAGE#55:runner:crit2", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> File reading failed", processor_chain([ + dup5, + dup6, + setc("event_description","File reading failed"), + ])); + + var msg56 = msg("runner:crit2", part55); + + var select6 = linear_select([ + msg52, + msg53, + msg54, + msg55, + msg56, + ]); + + var part56 = match("MESSAGE#56:ccd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: attempting connection using %{fld6->} on port: %{fld7}", processor_chain([ + dup5, + dup6, + ])); + + var msg57 = msg("ccd", part56); + + var part57 = match("MESSAGE#57:ccd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: %{event_description}, Reason %{result}", processor_chain([ + dup5, + dup6, + ])); + + var msg58 = msg("ccd:01", part57); + + var part58 = match("MESSAGE#58:ccd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: couldn't match the response \u003c\u003c%{event_description}>", processor_chain([ + dup5, + dup6, + ])); + + var 
msg59 = msg("ccd:03", part58); + + var part59 = match("MESSAGE#59:ccd:04", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: Did not get echo for the command \u003c\u003c%{action}>for past %{fld10}", processor_chain([ + dup5, + dup6, + ])); + + var msg60 = msg("ccd:04", part59); + + var part60 = match("MESSAGE#60:ccd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","info on device connection"), + ])); + + var msg61 = msg("ccd:02", part60); + + var part61 = match("MESSAGE#61:ccd:05", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> write to %{fld1->} pipe : %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","write to ssh pipe"), + ])); + + var msg62 = msg("ccd:05", part61); + + var part62 = match("MESSAGE#62:ccd:06", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> ccd_handle_read_failure(), %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","ccd handle read failure"), + ])); + + var msg63 = msg("ccd:06", part62); + + var part63 = match("MESSAGE#63:ccd:07", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device Communication Daemon online", processor_chain([ + dup5, + dup6, + setc("event_description","device communication daemon online"), + ])); + + var msg64 = msg("ccd:07", part63); + + var part64 = match("MESSAGE#64:ccd:08", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> System memory is: %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","system memory size"), + ])); + + var msg65 = msg("ccd:08", part64); + + var select7 = linear_select([ + msg57, + msg58, + msg59, + msg60, + msg61, + msg62, + msg63, + msg64, + msg65, + ]); + + var part65 = match("MESSAGE#65:sshd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> error: Bind to port %{fld10->} on %{fld5->} failed: %{result}", 
processor_chain([ + dup9, + dup6, + ])); + + var msg66 = msg("sshd", part65); + + var part66 = match("MESSAGE#66:sshd:01", "nwparser.payload", "%{agent}: bad username %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","bad username"), + ])); + + var msg67 = msg("sshd:01", part66); + + var part67 = match("MESSAGE#67:sshd:02", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): authentication failure; %{info}", processor_chain([ + dup5, + dup6, + dup10, + ])); + + var msg68 = msg("sshd:02", part67); + + var part68 = match("MESSAGE#68:sshd:03", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): check pass; %{fld3}", processor_chain([ + dup5, + dup6, + setc("event_description","check pass, user unknown"), + ])); + + var msg69 = msg("sshd:03", part68); + + var part69 = match("MESSAGE#69:sshd:04", "nwparser.payload", "%{agent}[%{process_id}]: PAM %{fld1->} more authentication failure; %{info}", processor_chain([ + dup5, + dup6, + dup10, + ])); + + var msg70 = msg("sshd:04", part69); + + var msg71 = msg("sshd:pam", dup12); + + var select8 = linear_select([ + msg66, + msg67, + msg68, + msg69, + msg70, + msg71, + ]); + + var part70 = match("MESSAGE#71:dmd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> inserted device id = %{hostname->} and serial number = %{fld6->} into DB", processor_chain([ + dup5, + dup6, + ])); + + var msg72 = msg("dmd", part70); + + var part71 = match("MESSAGE#72:dmd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Health state for metric\"%{hostname}\" \"%{change_old}\" changed to \"%{change_new}\", reason: \"%{result}\"", processor_chain([ + dup5, + dup6, + ])); + + var msg73 = msg("dmd:01", part71); + + var part72 = match("MESSAGE#73:dmd:11", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Health state for group \"%{group_object}\" changed from \"%{change_old}\" to \"%{change_new}\"", processor_chain([ + dup5, + dup6, + ])); + + 
var msg74 = msg("dmd:11", part72); + + var part73 = match("MESSAGE#74:dmd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Filter on (%{fld5}) things. %{event_description}", processor_chain([ + dup5, + dup6, + ])); + + var msg75 = msg("dmd:02", part73); + + var part74 = match("MESSAGE#75:dmd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device ID \"%{hostname}\" error: %{event_description}", processor_chain([ + dup9, + dup6, + ])); + + var msg76 = msg("dmd:03", part74); + + var select9 = linear_select([ + msg72, + msg73, + msg74, + msg75, + msg76, + ]); + + var part75 = match("MESSAGE#76:logrotate", "nwparser.payload", "%{agent}: ALERT exited abnormally with %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","ALERT exited abnormally"), + ])); + + var msg77 = msg("logrotate", part75); + + var part76 = match("MESSAGE#77:ntpd", "nwparser.payload", "%{agent}[%{process_id}]: kernel time sync enabled %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","kernel time sync enabled"), + ])); + + var msg78 = msg("ntpd", part76); + + var part77 = match("MESSAGE#78:ntpd:01", "nwparser.payload", "%{agent}[%{process_id}]: time reset %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","time reset"), + ])); + + var msg79 = msg("ntpd:01", part77); + + var part78 = match("MESSAGE#79:ntpd:02", "nwparser.payload", "%{agent}[%{process_id}]: ntpd %{fld10}-r %{fld11}", processor_chain([ + dup5, + dup6, + ])); + + var msg80 = msg("ntpd:02", part78); + + var part79 = match("MESSAGE#80:ntpd:03", "nwparser.payload", "%{agent}[%{process_id}]: ntpd exiting on signal %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","ntpd exiting on signal"), + ])); + + var msg81 = msg("ntpd:03", part79); + + var select10 = linear_select([ + msg78, + msg79, + msg80, + msg81, + ]); + + var part80 = match("MESSAGE#81:pm", "nwparser.payload", "%{agent}[%{process_id}]: 
\u003c\u003c%{fld20}.%{severity}> ntpd will start in %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","ntpd will start in few secs"), + ])); + + var msg82 = msg("pm", part80); + + var part81 = match("MESSAGE#82:pm:01", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> ntpd started", processor_chain([ + dup5, + dup6, + setc("event_description","ntpd started"), + ])); + + var msg83 = msg("pm:01", part81); + + var part82 = match("MESSAGE#83:pm:02", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> print_msg(), %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","print message"), + ])); + + var msg84 = msg("pm:02", part82); + + var part83 = match("MESSAGE#84:pm:03", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> %{info->} started", processor_chain([ + dup5, + dup6, + setc("event_description","service started"), + ])); + + var msg85 = msg("pm:03", part83); + + var part84 = match("MESSAGE#85:pm:04", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> %{info->} will start in %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","service will start"), + ])); + + var msg86 = msg("pm:04", part84); + + var part85 = match("MESSAGE#86:pm:05", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> check_license_validity(), %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","check license validity"), + ])); + + var msg87 = msg("pm:05", part85); + + var part86 = match("MESSAGE#87:pm:06", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Connected to config daemon", processor_chain([ + dup5, + dup6, + setc("event_description","connected to config daemon"), + ])); + + var msg88 = msg("pm:06", part86); + + var select11 = linear_select([ + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + msg88, + ]); + + var part87 = 
match("MESSAGE#88:anacron", "nwparser.payload", "%{agent}[%{process_id}]: Updated timestamp for job %{info->} to %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","updated timestamp"), + ])); + + var msg89 = msg("anacron", part87); + + var part88 = match("MESSAGE#89:anacron:01", "nwparser.payload", "%{agent}[%{process_id}]: Anacron %{version->} started on %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","anacron started"), + ])); + + var msg90 = msg("anacron:01", part88); + + var part89 = match("MESSAGE#90:anacron:02", "nwparser.payload", "%{agent}[%{process_id}]: Normal exit %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","normal exit"), + ])); + + var msg91 = msg("anacron:02", part89); + + var select12 = linear_select([ + msg89, + msg90, + msg91, + ]); + + var part90 = match("MESSAGE#91:epmd", "nwparser.payload", "%{agent}: epmd: invalid packet size (%{fld1})", processor_chain([ + dup5, + dup6, + setc("event_description","invalid packet size"), + ])); + + var msg92 = msg("epmd", part90); + + var part91 = match("MESSAGE#92:epmd:01", "nwparser.payload", "%{agent}: epmd: got %{info}", processor_chain([ + dup5, + dup6, + ])); + + var msg93 = msg("epmd:01", part91); + + var part92 = match("MESSAGE#93:epmd:02", "nwparser.payload", "%{agent}: epmd: epmd running %{info}", processor_chain([ + dup5, + dup6, + ])); + + var msg94 = msg("epmd:02", part92); + + var select13 = linear_select([ + msg92, + msg93, + msg94, + ]); + + var part93 = match("MESSAGE#94:xinetd", "nwparser.payload", "%{agent}[%{process_id}]: xinetd %{event_description}", processor_chain([ + dup5, + dup6, + ])); + + var msg95 = msg("xinetd", part93); + + var part94 = match("MESSAGE#95:xinetd:01", "nwparser.payload", "%{agent}[%{process_id}]: Started working: %{fld1->} available services", processor_chain([ + dup5, + dup6, + ])); + + var msg96 = msg("xinetd:01", part94); + + var select14 = linear_select([ + msg95, + msg96, + ]); + + var part95 
= match("MESSAGE#96:auditd", "nwparser.payload", "%{agent}[%{process_id}]: Audit daemon rotating log files", processor_chain([ + dup5, + dup6, + setc("event_description","Audit daemon rotating log files"), + ])); + + var msg97 = msg("auditd", part95); + + var part96 = match("MESSAGE#97:restorecond", "nwparser.payload", "%{agent}: Reset file context %(unknown): %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","Reset file"), + ])); + + var msg98 = msg("restorecond", part96); + + var part97 = match("MESSAGE#98:authd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> handle_authd unknown message =%{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","handle authd unknown message"), + ])); + + var msg99 = msg("authd", part97); + + var part98 = match("MESSAGE#99:authd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> authd_signal_handler(), %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","authd signal handler"), + ])); + + var msg100 = msg("authd:01", part98); + + var part99 = match("MESSAGE#100:authd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> authd_close(): %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","authd close"), + ])); + + var msg101 = msg("authd:02", part99); + + var select15 = linear_select([ + msg99, + msg100, + msg101, + ]); + + var part100 = match("MESSAGE#101:rsyslogd/0", "nwparser.payload", "%{agent}: W%{p0}"); + + var part101 = match("MESSAGE#101:rsyslogd/1_0", "nwparser.p0", "ARNING%{p0}"); + + var part102 = match("MESSAGE#101:rsyslogd/1_1", "nwparser.p0", "arning%{p0}"); + + var select16 = linear_select([ + part101, + part102, + ]); + + var part103 = match("MESSAGE#101:rsyslogd/2", "nwparser.p0", ": %{event_description}"); + + var all11 = all_match({ + processors: [ + part100, + select16, + part103, + ], + on_success: processor_chain([ + dup5, + dup6, + ]), + }); + + var msg102 = msg("rsyslogd", all11); + 
+ var part104 = match("MESSAGE#102:shutdown", "nwparser.payload", "%{agent}[%{process_id}]: shutting down %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","shutting down"), + ])); + + var msg103 = msg("shutdown", part104); + + var part105 = match("MESSAGE#103:cmd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> cmd starting %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","cmd starting"), + ])); + + var msg104 = msg("cmd", part105); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "anacron": select12, + "auditd": msg97, + "authd": select15, + "ccd": select7, + "cli": select2, + "cmd": msg104, + "configd": select4, + "dmd": select9, + "epmd": select13, + "heartbeat": select5, + "logrotate": msg77, + "ntpd": select10, + "pm": select11, + "poller": msg45, + "restorecond": msg98, + "rsyslogd": msg102, + "runner": select6, + "schedulerd": select3, + "shutdown": msg103, + "sshd": select8, + "xinetd": select14, + }), + ]); + + var part106 = match("MESSAGE#0:cli/0", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c-%{fld20}.%{severity}> %{p0}"); + + var part107 = match("MESSAGE#0:cli/1_0", "nwparser.p0", "%{username}@::%{fld5}:%{saddr->} %{p0}"); + + var part108 = match("MESSAGE#0:cli/1_1", "nwparser.p0", "%{username}@%{domain->} %{p0}"); + + var select17 = linear_select([ + dup3, + dup4, + ]); + + var part109 = match("MESSAGE#10:cli:pam", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): pam_putenv: %{fld3}", processor_chain([ + dup5, + dup6, + dup7, + ])); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/bluecoat/0.1.0/dataset/director/agent/stream/udp.yml.hbs b/packages/bluecoat/0.1.0/dataset/director/agent/stream/udp.yml.hbs new file mode 100644 index 0000000000..7ae83c8dae --- /dev/null +++ b/packages/bluecoat/0.1.0/dataset/director/agent/stream/udp.yml.hbs 
@@ -0,0 +1,3551 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Bluecoat" + product: "Director" + type: "Configuration" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5],
+ "dec": [11, 4],
+ };
+
+ // var dC = undefined;
+ var dR = dateMonthName(true);
+ var dB = dateMonthName(false);
+ var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
+ var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
+ var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
+ var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
+ var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
+ var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
+ var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
+ var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
+ var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
+ var dP = parseAMPM; // AM|PM
+ var dQ = parseAMPM; // A.M.|P.M
+ var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
+ var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
+ var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
+ var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
+ var dZ = parseHMS;
+ var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
+
+ // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
+ // Only works if this modifier appears after the hour has been read from logs
+ // which is always the case in the 300 devices.
+ function parseAMPM(str, pos, date) {
+ var n = str.length;
+ var start = skipws(str, pos);
+ if (start + 2 > n) return;
+ var head = str.substr(start, 2).toUpperCase();
+ var isPM = false;
+ var skip = false;
+ switch (head) {
+ case "A.":
+ skip = true;
+ /* falls through */
+ case "AM":
+ break;
+ case "P.":
+ skip = true;
+ /* falls through */
+ case "PM":
+ isPM = true;
+ break;
+ default:
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
+ return;
+ }
+ pos = start + 2;
+ if (skip) {
+ if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
+ return;
+ }
+ pos += 2;
+ }
+ var hh = date.hours;
+ if (isPM) {
+ // Accept existing hour in 24h format.
+ if (hh < 12) hh += 12;
+ } else {
+ if (hh === 12) hh = 0;
+ }
+ date.setHours(hh);
+ return pos;
+ }
+
+ function parseHMS(str, pos, date) {
+ return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
+ }
+
+ function skipws(str, pos) {
+ for ( var n = str.length;
+ pos < n && str.charAt(pos) === " ";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function skipdigits(str, pos) {
+ var c;
+ for (var n = str.length;
+ pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function dSkip(str, pos, date) {
+ var chr;
+ for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
+ return pos < str.length?
pos : undefined;
+ }
+
+ function dateVariableWidthNumber(fmtChar, min, max, setter) {
+ return function (str, pos, date) {
+ var start = skipws(str, pos);
+ pos = skipdigits(str, start);
+ var s = str.substr(start, pos - start);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos;
+ }
+ return;
+ };
+ }
+
+ function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + width > n) return;
+ var s = str.substr(pos, width);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos + width;
+ }
+ return;
+ };
+ }
+
+ // Short month name (Jan..Dec).
+ function dateMonthName(long) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + 3 > n) return;
+ var mon = str.substr(pos, 3);
+ var idx = shortMonths[mon];
+ if (idx === undefined) {
+ idx = shortMonths[mon.toLowerCase()];
+ }
+ if (idx === undefined) {
+ //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
+ return;
+ }
+ date.setMonth(idx[0]+1);
+ return pos + 3 + (long ?
idx[1] : 0);
+ };
+ }
+
+ function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.error(fn.name + " failed for '" + value + "'");
+ }
+ };
+ }
+
+ // The following regular expression for parsing URLs from:
+ // https://github.com/wizard04wsu/URI_Parsing
+ //
+ // The MIT License (MIT)
+ //
+ // Copyright (c) 2014 Andrew Harrison
+ //
+ // Permission is hereby granted, free of charge, to any person obtaining a copy of
+ // this software and associated documentation files (the "Software"), to deal in
+ // the Software without restriction, including without limitation the rights to
+ // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ // the Software, and to permit persons to whom the Software is furnished to do so,
+ // subject to the following conditions:
+ //
+ // The above copyright notice and this permission notice shall be included in all
+ // copies or substantial portions of the Software.
+ //
+ // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+ // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+ // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+ // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+ var uriScheme = 1;
+ var uriDomain = 5;
+ var uriPort = 6;
+ var uriPath = 7;
+ var uriPathAlt = 9;
+ var uriQuery = 11;
+
+ function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+ }
+
+ function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+ }
+
+ function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+ }
+
+ var extFromPage = /\.[^.]+$/;
+ function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+ }
+
+ function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+ }
+
+ function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+ }
+
+ var pageFromPathRegExp = /\/([^\/]+)$/;
+ var pageName = 1;
+
+ function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+ }
+
+ function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+ }
+
+ function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+ }
+
+ function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+ }
+
+ // Map common schemes to their default port.
+ // port has to be a string (will be converted at a later stage).
+ var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+ };
+
+ function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+ }
+
+ function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+ }
+
+ function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+ }
+
+ function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+ }
+
+ function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+ }
+
+ function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+ }
+
+ var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field:
"source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter:
fld_prio, prio: 0}]},
+ "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field:
"network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field:
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain":
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user",
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field:
"rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field:
"rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field:
"rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl",
setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field:
"rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field:
"rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]},
+ "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
+ "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
+ "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
+ "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
+ "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
+ "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
+ "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
+ "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
+ "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
+ "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
+ "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
+ "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
+ "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
+ "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
+ "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
+ "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
+ "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
+ "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
+ "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
+ "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
+ "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
+ "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
+ "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
+ "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
+ "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
+ "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]},
+ "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
+ "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
+ "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
+ "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
+ "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
+ "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
+ "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
+ "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
+ "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
+ "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
+ "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
+ "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
+ "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
+ "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
+ "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
+ "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
+ "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
+ "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
+ "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
+ "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
+ "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
+ "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
+ "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
+ "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
+ "number": {to:[{field: "rsa.misc.number", setter: fld_set}]},
+ "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
+ "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
+ "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
+ "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
+ 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
+ "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
+ "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
+ "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
+ "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
+ "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
+ "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
+ "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
+ "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
+ "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
+ "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
+ "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
+ "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
+ "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
+ "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
+ "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
+ "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
+ "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
+ "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
+ "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
+ "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
+ "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
+ "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
+ "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
+ "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
+ "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
+ "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
+ "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]},
+ "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
+ "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
+ "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
+ "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
+ "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
+ "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
+ "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
+ "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
+ "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
+ "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
+ "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
+ "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
+ "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
+ "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
+ "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
+ "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
+ "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
+ "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
+ "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
+ "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
+ "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
+ "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
+ "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
+ "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
+ "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
+ "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
+ "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]},
+ "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
+ "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
+ "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
+ "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
+ "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
+ "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
+ "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
+ "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
+ "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
+ "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
+ "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
+ "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
+ "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
+ "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
+ "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
+ "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
+ "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
+ "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
+ "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
+ "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
+ "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
+ "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
+ "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
+ "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
+ "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
+ "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
+ "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]},
+ "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
+ "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
+ "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
+ "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
+ "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
+ "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
+ "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
+ "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
+ "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
+ "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
+ "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
+ "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
+ "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
+ "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
+ "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
+ "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
+ "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
+ "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
+ "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
+ "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
+ "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]},
+ "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
+ "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
+ "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
+ 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
+ "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
+ "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
+ "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
+ "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
+ "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
+ "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
+ "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
+ "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
+ "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
+ "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
+ "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
+ "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
+ "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
+ "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
+ "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
+ "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
+ "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
+ "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
+ "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
+ "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
+ "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
+ "second": {to:[{field: "rsa.misc.second", setter: fld_set}]},
+ "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
+ "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
+ "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
+ "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]},
+ "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
+ "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
+ "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
+ "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
+ "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
+ "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
+ "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
+ "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
+ "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
+ "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
+ "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
+ "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
+ "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
+ "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
+ "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
+ "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
+ "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
+ "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
+ "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
+ "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
+ "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
+ "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]},
+ "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
+ "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
+ "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
+ "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
+ "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]},
+ "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
+ "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
+ "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
+ "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
+ "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
+ "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
+ "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
+ "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
+ "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
+ "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
+ "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
+ "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
+ "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
+ "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
+ "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
+ "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
+ "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
+ "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
+ "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
+ "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
+ "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
+ "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
+ "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
+ "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]},
+ "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
+ "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
+ "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
+ "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i %{p0}"); + + var dup3 = match("MESSAGE#0:cli/1_0", "nwparser.p0", "%{username}@::%{fld5}:%{saddr->} %{p0}"); + + var dup4 = match("MESSAGE#0:cli/1_1", "nwparser.p0", "%{username}@%{domain->} %{p0}"); + + var dup5 = setc("eventcategory","1605000000"); + + var dup6 = setf("msg","$MSG"); + + var dup7 = setc("event_description","bad variable"); + + var dup8 = setc("event_description","This file is automatically generated"); + + var dup9 = setc("eventcategory","1603000000"); + + var dup10 = setc("event_description","authentication failure"); + + var dup11 = linear_select([ + dup3, + dup4, + ]); + + var dup12 = match("MESSAGE#10:cli:pam", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): pam_putenv: %{fld3}", processor_chain([ + dup5, + dup6, + dup7, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%{messageid}[%{hfld1}]: %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld1"), + constant("]: "), + field("payload"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{messageid}: %{payload}", processor_chain([ + setc("header_id","0002"), + dup1, + ])); + + var hdr3 = match("HEADER#2:0003", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{hfld4->} %{messageid}[%{hfld5}]: %{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld5"), + constant("]: "), + field("payload"), + ], + }), + ])); + + var hdr4 = match("HEADER#3:0004", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{hfld4->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0004"), + dup1, + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var part1 = match("MESSAGE#0:cli/2", "nwparser.p0", 
": Processing command: %{action}"); + + var all1 = all_match({ + processors: [ + dup2, + dup11, + part1, + ], + on_success: processor_chain([ + dup5, + dup6, + ]), + }); + + var msg1 = msg("cli", all1); + + var part2 = match("MESSAGE#1:cli:01/2", "nwparser.p0", ": Processing command %{action}"); + + var all2 = all_match({ + processors: [ + dup2, + dup11, + part2, + ], + on_success: processor_chain([ + dup5, + dup6, + ]), + }); + + var msg2 = msg("cli:01", all2); + + var part3 = match("MESSAGE#2:cli:02/2", "nwparser.p0", ": Leaving config mode%{}"); + + var all3 = all_match({ + processors: [ + dup2, + dup11, + part3, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Leaving config mode"), + ]), + }); + + var msg3 = msg("cli:02", all3); + + var part4 = match("MESSAGE#3:cli:03/2", "nwparser.p0", ": Entering config mode%{}"); + + var all4 = all_match({ + processors: [ + dup2, + dup11, + part4, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Entering config mode"), + ]), + }); + + var msg4 = msg("cli:03", all4); + + var part5 = match("MESSAGE#4:cli:04/2", "nwparser.p0", ": CLI exiting%{}"); + + var all5 = all_match({ + processors: [ + dup2, + dup11, + part5, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","CLI exiting"), + ]), + }); + + var msg5 = msg("cli:04", all5); + + var part6 = match("MESSAGE#5:cli:05/2", "nwparser.p0", ": CLI launched%{}"); + + var all6 = all_match({ + processors: [ + dup2, + dup11, + part6, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","CLI launched"), + ]), + }); + + var msg6 = msg("cli:05", all6); + + var part7 = match("MESSAGE#6:Automatically/2", "nwparser.p0", ": Automatically logged out due to keyboard inactivity.%{}"); + + var all7 = all_match({ + processors: [ + dup2, + dup11, + part7, + ], + on_success: processor_chain([ + dup5, + setc("ec_subject","User"), + setc("ec_activity","Logoff"), + dup6, + 
setc("event_description","Automatically logged out due to keyboard inactivity"), + ]), + }); + + var msg7 = msg("Automatically", all7); + + var part8 = match("MESSAGE#7:cli:06/2", "nwparser.p0", ": Entering enable mode%{}"); + + var all8 = all_match({ + processors: [ + dup2, + dup11, + part8, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Entering enable mode"), + ]), + }); + + var msg8 = msg("cli:06", all8); + + var part9 = match("MESSAGE#8:cli:07/2", "nwparser.p0", ": Leaving enable mode%{}"); + + var all9 = all_match({ + processors: [ + dup2, + dup11, + part9, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Leaving enable mode"), + ]), + }); + + var msg9 = msg("cli:07", all9); + + var part10 = match("MESSAGE#9:Processing/2", "nwparser.p0", ": Processing a secure command...%{}"); + + var all10 = all_match({ + processors: [ + dup2, + dup11, + part10, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Processing a secure command"), + ]), + }); + + var msg10 = msg("Processing", all10); + + var msg11 = msg("cli:pam", dup12); + + var select2 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + ]); + + var part11 = match("MESSAGE#11:schedulerd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Executing Job \"%{operation_id}\" execution %{fld6}", processor_chain([ + dup5, + dup6, + ])); + + var msg12 = msg("schedulerd", part11); + + var part12 = match("MESSAGE#12:schedulerd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> System time changed, recomputing job run times.", processor_chain([ + dup5, + dup6, + setc("event_description","System time changed, recomputing job run times"), + ])); + + var msg13 = msg("schedulerd:01", part12); + + var select3 = linear_select([ + msg12, + msg13, + ]); + + var part13 = match("MESSAGE#13:configd:Rotating", "nwparser.payload", "%{agent}: 
\u003c\u003c%{fld20}.%{severity}> Rotating out backup file \"%(unknown)\" for device \"%{hostname}\".", processor_chain([ + dup5, + dup6, + ])); + + var msg14 = msg("configd:Rotating", part13); + + var part14 = match("MESSAGE#14:configd:Deleting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Deleting backup %{filename->} from device \"%{hostname}\"", processor_chain([ + dup5, + dup6, + ])); + + var msg15 = msg("configd:Deleting", part14); + + var part15 = match("MESSAGE#15:configd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" completed command(s) \u003c\u003c%{action}> ...", processor_chain([ + dup5, + dup6, + ])); + + var msg16 = msg("configd", part15); + + var part16 = match("MESSAGE#16:configd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Sending commands to Device %{hostname}", processor_chain([ + dup5, + dup6, + ])); + + var msg17 = msg("configd:01", part16); + + var part17 = match("MESSAGE#17:configd:11", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: Sending commands to Device %{hostname}", processor_chain([ + dup5, + dup6, + ])); + + var msg18 = msg("configd:11", part17); + + var part18 = match("MESSAGE#18:file", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: command: %{action->} ;; CPL generated by Visual Policy Manager: %{fld10->} ;%{fld11->} ; %{fld12->} ; %{info}", processor_chain([ + dup5, + dup6, + dup8, + ])); + + var msg19 = msg("file", part18); + + var part19 = match("MESSAGE#19:configd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: command: %{action}", processor_chain([ + dup5, + dup6, + ])); + + var msg20 = msg("configd:02", part19); + + var part20 = match("MESSAGE#20:configd:22", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> 
%{username}@%{fld6}: command: %{action}", processor_chain([ + dup5, + dup6, + ])); + + var msg21 = msg("configd:22", part20); + + var part21 = match("MESSAGE#21:configd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Commands sent to Device %{hostname}", processor_chain([ + dup5, + dup6, + ])); + + var msg22 = msg("configd:03", part21); + + var part22 = match("MESSAGE#22:configd:33", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: Commands sent to Device %{hostname}", processor_chain([ + dup5, + dup6, + ])); + + var msg23 = msg("configd:33", part22); + + var part23 = match("MESSAGE#23:Backup", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Backup import command finished for all devices.", processor_chain([ + dup5, + dup6, + setc("event_description","Backup import command finished for all devices"), + ])); + + var msg24 = msg("Backup", part23); + + var part24 = match("MESSAGE#24:Beginning", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Beginning to make backup of cache %{hostname}", processor_chain([ + dup5, + dup6, + setc("event_description","Beginning to make backup of cache"), + ])); + + var msg25 = msg("Beginning", part24); + + var part25 = match("MESSAGE#25:Inputting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Inputting overlay \u003c\u003c%{fld10}>", processor_chain([ + dup5, + dup6, + setc("event_description","Inputting overlay"), + ])); + + var msg26 = msg("Inputting", part25); + + var part26 = match("MESSAGE#26:Saved", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Saved %{info->} to %(unknown)", processor_chain([ + dup5, + dup6, + ])); + + var msg27 = msg("Saved", part26); + + var part27 = match("MESSAGE#27:Importing", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Importing overlay \u003c\u003c%{fld25}> from %{hostname}", processor_chain([ + dup5, + dup6, + ])); 
+ + var msg28 = msg("Importing", part27); + + var part28 = match("MESSAGE#28:Overlay", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Overlay \"%{fld25}\" imported from device \"%{hostname}\"", processor_chain([ + dup5, + dup6, + ])); + + var msg29 = msg("Overlay", part28); + + var part29 = match("MESSAGE#29:Executed", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Executed the last created overlay. The filename is %(unknown)", processor_chain([ + dup5, + dup6, + ])); + + var msg30 = msg("Executed", part29); + + var part30 = match("MESSAGE#30:Configuration", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Configuration system online", processor_chain([ + dup5, + dup6, + setc("event_description","Configuration system online"), + ])); + + var msg31 = msg("Configuration", part30); + + var part31 = match("MESSAGE#31:Create", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> CREATE %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","Table creation"), + ])); + + var msg32 = msg("Create", part31); + + var part32 = match("MESSAGE#32:Loaded", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Loaded config file initial", processor_chain([ + dup5, + dup6, + setc("event_description","Loaded config file initial"), + ])); + + var msg33 = msg("Loaded", part32); + + var part33 = match("MESSAGE#33:Setting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Setting set-reply timeout to %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","Setting set-reply timeout"), + ])); + + var msg34 = msg("Setting", part33); + + var part34 = match("MESSAGE#34:CCD", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> CCD lost connection to device \"%{hostname}\": %{event_description}", processor_chain([ + dup5, + dup6, + ])); + + var msg35 = msg("CCD", part34); + + var part35 = match("MESSAGE#35:Device", "nwparser.payload", "%{agent}: 
\u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" is now online.", processor_chain([ + dup5, + dup6, + ])); + + var msg36 = msg("Device", part35); + + var part36 = match("MESSAGE#36:Output", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: %{fld9->} Output for device \"%{hostname}\" %{fld10}", processor_chain([ + dup5, + dup6, + ])); + + var msg37 = msg("Output", part36); + + var part37 = match("MESSAGE#37:ssh", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> (ssh) %{event_description}", processor_chain([ + dup5, + dup6, + ])); + + var msg38 = msg("ssh", part37); + + var part38 = match("MESSAGE#38:Applying", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Applying overlay \u003c\u003c%{fld10}> to group %{group_object}", processor_chain([ + dup5, + dup6, + setc("event_description","Applying overlay to group"), + ])); + + var msg39 = msg("Applying", part38); + + var part39 = match("MESSAGE#39:Applying:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Applying overlay \u003c\u003c%{fld10}> to cache %{hostname}", processor_chain([ + dup5, + dup6, + setc("event_description","Applying overlay to cache"), + ])); + + var msg40 = msg("Applying:01", part39); + + var part40 = match("MESSAGE#40:configd:backup", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Backup complete for device \"%{hostname}\". 
ID %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","Backup complete for device"), + ])); + + var msg41 = msg("configd:backup", part40); + + var part41 = match("MESSAGE#41:file:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" completed command(s) %{action->} ;; CPL generated by Visual Policy Manager: %{fld10->} ;%{fld11->} ; %{fld12->} ; %{info}", processor_chain([ + dup5, + dup6, + dup8, + ])); + + var msg42 = msg("file:01", part41); + + var part42 = match("MESSAGE#42:configd:connection", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> read: Connection reset by peer", processor_chain([ + dup5, + dup6, + setc("event_description","Connection reset by peer"), + ])); + + var msg43 = msg("configd:connection", part42); + + var part43 = match("MESSAGE#43:configd:failed", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{info->} failed", processor_chain([ + dup5, + dup6, + setc("event_description","cd session read failed"), + ])); + + var msg44 = msg("configd:failed", part43); + + var select4 = linear_select([ + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, + ]); + + var part44 = match("MESSAGE#44:poller", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Querying content system for job results.", processor_chain([ + dup5, + dup6, + setc("event_description","Querying content system for job results"), + ])); + + var msg45 = msg("poller", part44); + + var part45 = match("MESSAGE#45:heartbeat", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Processing command: %{action}", processor_chain([ + dup5, + dup6, + ])); + + var msg46 = msg("heartbeat", part45); + + var part46 = match("MESSAGE#46:heartbeat:01", 
"nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> The HB command is %{action}", processor_chain([ + dup5, + dup6, + ])); + + var msg47 = msg("heartbeat:01", part46); + + var part47 = match("MESSAGE#47:heartbeat:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> director heartbeat client exiting.", processor_chain([ + dup5, + dup6, + setc("event_description","director heartbeat client exiting"), + ])); + + var msg48 = msg("heartbeat:02", part47); + + var part48 = match("MESSAGE#48:heartbeat:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> director heartbeat client launched.", processor_chain([ + dup5, + dup6, + setc("event_description","director heartbeat client launched"), + ])); + + var msg49 = msg("heartbeat:03", part48); + + var part49 = match("MESSAGE#49:heartbeat:crit1", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %(unknown): undefined symbol: %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","undefined symbol"), + ])); + + var msg50 = msg("heartbeat:crit1", part49); + + var part50 = match("MESSAGE#50:heartbeat:crit2", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> connect: %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","No such file or directory"), + ])); + + var msg51 = msg("heartbeat:crit2", part50); + + var select5 = linear_select([ + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, + ]); + + var part51 = match("MESSAGE#51:runner", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Job \"%{operation_id}\" execution %{fld6->} command %{fld7}: \"%{action}\". 
Output %{fld9}: %{result}", processor_chain([ + dup5, + dup6, + ])); + + var msg52 = msg("runner", part51); + + var part52 = match("MESSAGE#52:runner:01", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Processing command: %{action}", processor_chain([ + dup5, + dup6, + ])); + + var msg53 = msg("runner:01", part52); + + var part53 = match("MESSAGE#53:runner:02", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Job \"%{operation_id}\" execution %{fld6->} finished running.", processor_chain([ + dup5, + dup6, + ])); + + var msg54 = msg("runner:02", part53); + + var part54 = match("MESSAGE#54:runner:crit1", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Failed to exec %(unknown)", processor_chain([ + dup5, + dup6, + ])); + + var msg55 = msg("runner:crit1", part54); + + var part55 = match("MESSAGE#55:runner:crit2", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> File reading failed", processor_chain([ + dup5, + dup6, + setc("event_description","File reading failed"), + ])); + + var msg56 = msg("runner:crit2", part55); + + var select6 = linear_select([ + msg52, + msg53, + msg54, + msg55, + msg56, + ]); + + var part56 = match("MESSAGE#56:ccd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: attempting connection using %{fld6->} on port: %{fld7}", processor_chain([ + dup5, + dup6, + ])); + + var msg57 = msg("ccd", part56); + + var part57 = match("MESSAGE#57:ccd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: %{event_description}, Reason %{result}", processor_chain([ + dup5, + dup6, + ])); + + var msg58 = msg("ccd:01", part57); + + var part58 = match("MESSAGE#58:ccd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: couldn't match the response \u003c\u003c%{event_description}>", processor_chain([ + dup5, + dup6, + ])); + + var 
msg59 = msg("ccd:03", part58); + + var part59 = match("MESSAGE#59:ccd:04", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: Did not get echo for the command \u003c\u003c%{action}>for past %{fld10}", processor_chain([ + dup5, + dup6, + ])); + + var msg60 = msg("ccd:04", part59); + + var part60 = match("MESSAGE#60:ccd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","info on device connection"), + ])); + + var msg61 = msg("ccd:02", part60); + + var part61 = match("MESSAGE#61:ccd:05", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> write to %{fld1->} pipe : %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","write to ssh pipe"), + ])); + + var msg62 = msg("ccd:05", part61); + + var part62 = match("MESSAGE#62:ccd:06", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> ccd_handle_read_failure(), %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","ccd handle read failure"), + ])); + + var msg63 = msg("ccd:06", part62); + + var part63 = match("MESSAGE#63:ccd:07", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device Communication Daemon online", processor_chain([ + dup5, + dup6, + setc("event_description","device communication daemon online"), + ])); + + var msg64 = msg("ccd:07", part63); + + var part64 = match("MESSAGE#64:ccd:08", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> System memory is: %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","system memory size"), + ])); + + var msg65 = msg("ccd:08", part64); + + var select7 = linear_select([ + msg57, + msg58, + msg59, + msg60, + msg61, + msg62, + msg63, + msg64, + msg65, + ]); + + var part65 = match("MESSAGE#65:sshd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> error: Bind to port %{fld10->} on %{fld5->} failed: %{result}", 
processor_chain([ + dup9, + dup6, + ])); + + var msg66 = msg("sshd", part65); + + var part66 = match("MESSAGE#66:sshd:01", "nwparser.payload", "%{agent}: bad username %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","bad username"), + ])); + + var msg67 = msg("sshd:01", part66); + + var part67 = match("MESSAGE#67:sshd:02", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): authentication failure; %{info}", processor_chain([ + dup5, + dup6, + dup10, + ])); + + var msg68 = msg("sshd:02", part67); + + var part68 = match("MESSAGE#68:sshd:03", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): check pass; %{fld3}", processor_chain([ + dup5, + dup6, + setc("event_description","check pass, user unknown"), + ])); + + var msg69 = msg("sshd:03", part68); + + var part69 = match("MESSAGE#69:sshd:04", "nwparser.payload", "%{agent}[%{process_id}]: PAM %{fld1->} more authentication failure; %{info}", processor_chain([ + dup5, + dup6, + dup10, + ])); + + var msg70 = msg("sshd:04", part69); + + var msg71 = msg("sshd:pam", dup12); + + var select8 = linear_select([ + msg66, + msg67, + msg68, + msg69, + msg70, + msg71, + ]); + + var part70 = match("MESSAGE#71:dmd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> inserted device id = %{hostname->} and serial number = %{fld6->} into DB", processor_chain([ + dup5, + dup6, + ])); + + var msg72 = msg("dmd", part70); + + var part71 = match("MESSAGE#72:dmd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Health state for metric\"%{hostname}\" \"%{change_old}\" changed to \"%{change_new}\", reason: \"%{result}\"", processor_chain([ + dup5, + dup6, + ])); + + var msg73 = msg("dmd:01", part71); + + var part72 = match("MESSAGE#73:dmd:11", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Health state for group \"%{group_object}\" changed from \"%{change_old}\" to \"%{change_new}\"", processor_chain([ + dup5, + dup6, + ])); + + 
var msg74 = msg("dmd:11", part72); + + var part73 = match("MESSAGE#74:dmd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Filter on (%{fld5}) things. %{event_description}", processor_chain([ + dup5, + dup6, + ])); + + var msg75 = msg("dmd:02", part73); + + var part74 = match("MESSAGE#75:dmd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device ID \"%{hostname}\" error: %{event_description}", processor_chain([ + dup9, + dup6, + ])); + + var msg76 = msg("dmd:03", part74); + + var select9 = linear_select([ + msg72, + msg73, + msg74, + msg75, + msg76, + ]); + + var part75 = match("MESSAGE#76:logrotate", "nwparser.payload", "%{agent}: ALERT exited abnormally with %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","ALERT exited abnormally"), + ])); + + var msg77 = msg("logrotate", part75); + + var part76 = match("MESSAGE#77:ntpd", "nwparser.payload", "%{agent}[%{process_id}]: kernel time sync enabled %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","kernel time sync enabled"), + ])); + + var msg78 = msg("ntpd", part76); + + var part77 = match("MESSAGE#78:ntpd:01", "nwparser.payload", "%{agent}[%{process_id}]: time reset %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","time reset"), + ])); + + var msg79 = msg("ntpd:01", part77); + + var part78 = match("MESSAGE#79:ntpd:02", "nwparser.payload", "%{agent}[%{process_id}]: ntpd %{fld10}-r %{fld11}", processor_chain([ + dup5, + dup6, + ])); + + var msg80 = msg("ntpd:02", part78); + + var part79 = match("MESSAGE#80:ntpd:03", "nwparser.payload", "%{agent}[%{process_id}]: ntpd exiting on signal %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","ntpd exiting on signal"), + ])); + + var msg81 = msg("ntpd:03", part79); + + var select10 = linear_select([ + msg78, + msg79, + msg80, + msg81, + ]); + + var part80 = match("MESSAGE#81:pm", "nwparser.payload", "%{agent}[%{process_id}]: 
\u003c\u003c%{fld20}.%{severity}> ntpd will start in %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","ntpd will start in few secs"), + ])); + + var msg82 = msg("pm", part80); + + var part81 = match("MESSAGE#82:pm:01", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> ntpd started", processor_chain([ + dup5, + dup6, + setc("event_description","ntpd started"), + ])); + + var msg83 = msg("pm:01", part81); + + var part82 = match("MESSAGE#83:pm:02", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> print_msg(), %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","print message"), + ])); + + var msg84 = msg("pm:02", part82); + + var part83 = match("MESSAGE#84:pm:03", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> %{info->} started", processor_chain([ + dup5, + dup6, + setc("event_description","service started"), + ])); + + var msg85 = msg("pm:03", part83); + + var part84 = match("MESSAGE#85:pm:04", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> %{info->} will start in %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","service will start"), + ])); + + var msg86 = msg("pm:04", part84); + + var part85 = match("MESSAGE#86:pm:05", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> check_license_validity(), %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","check license validity"), + ])); + + var msg87 = msg("pm:05", part85); + + var part86 = match("MESSAGE#87:pm:06", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Connected to config daemon", processor_chain([ + dup5, + dup6, + setc("event_description","connected to config daemon"), + ])); + + var msg88 = msg("pm:06", part86); + + var select11 = linear_select([ + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + msg88, + ]); + + var part87 = 
match("MESSAGE#88:anacron", "nwparser.payload", "%{agent}[%{process_id}]: Updated timestamp for job %{info->} to %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","updated timestamp"), + ])); + + var msg89 = msg("anacron", part87); + + var part88 = match("MESSAGE#89:anacron:01", "nwparser.payload", "%{agent}[%{process_id}]: Anacron %{version->} started on %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","anacron started"), + ])); + + var msg90 = msg("anacron:01", part88); + + var part89 = match("MESSAGE#90:anacron:02", "nwparser.payload", "%{agent}[%{process_id}]: Normal exit %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","normal exit"), + ])); + + var msg91 = msg("anacron:02", part89); + + var select12 = linear_select([ + msg89, + msg90, + msg91, + ]); + + var part90 = match("MESSAGE#91:epmd", "nwparser.payload", "%{agent}: epmd: invalid packet size (%{fld1})", processor_chain([ + dup5, + dup6, + setc("event_description","invalid packet size"), + ])); + + var msg92 = msg("epmd", part90); + + var part91 = match("MESSAGE#92:epmd:01", "nwparser.payload", "%{agent}: epmd: got %{info}", processor_chain([ + dup5, + dup6, + ])); + + var msg93 = msg("epmd:01", part91); + + var part92 = match("MESSAGE#93:epmd:02", "nwparser.payload", "%{agent}: epmd: epmd running %{info}", processor_chain([ + dup5, + dup6, + ])); + + var msg94 = msg("epmd:02", part92); + + var select13 = linear_select([ + msg92, + msg93, + msg94, + ]); + + var part93 = match("MESSAGE#94:xinetd", "nwparser.payload", "%{agent}[%{process_id}]: xinetd %{event_description}", processor_chain([ + dup5, + dup6, + ])); + + var msg95 = msg("xinetd", part93); + + var part94 = match("MESSAGE#95:xinetd:01", "nwparser.payload", "%{agent}[%{process_id}]: Started working: %{fld1->} available services", processor_chain([ + dup5, + dup6, + ])); + + var msg96 = msg("xinetd:01", part94); + + var select14 = linear_select([ + msg95, + msg96, + ]); + + var part95 
= match("MESSAGE#96:auditd", "nwparser.payload", "%{agent}[%{process_id}]: Audit daemon rotating log files", processor_chain([ + dup5, + dup6, + setc("event_description","Audit daemon rotating log files"), + ])); + + var msg97 = msg("auditd", part95); + + var part96 = match("MESSAGE#97:restorecond", "nwparser.payload", "%{agent}: Reset file context %(unknown): %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","Reset file"), + ])); + + var msg98 = msg("restorecond", part96); + + var part97 = match("MESSAGE#98:authd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> handle_authd unknown message =%{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","handle authd unknown message"), + ])); + + var msg99 = msg("authd", part97); + + var part98 = match("MESSAGE#99:authd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> authd_signal_handler(), %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","authd signal handler"), + ])); + + var msg100 = msg("authd:01", part98); + + var part99 = match("MESSAGE#100:authd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> authd_close(): %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","authd close"), + ])); + + var msg101 = msg("authd:02", part99); + + var select15 = linear_select([ + msg99, + msg100, + msg101, + ]); + + var part100 = match("MESSAGE#101:rsyslogd/0", "nwparser.payload", "%{agent}: W%{p0}"); + + var part101 = match("MESSAGE#101:rsyslogd/1_0", "nwparser.p0", "ARNING%{p0}"); + + var part102 = match("MESSAGE#101:rsyslogd/1_1", "nwparser.p0", "arning%{p0}"); + + var select16 = linear_select([ + part101, + part102, + ]); + + var part103 = match("MESSAGE#101:rsyslogd/2", "nwparser.p0", ": %{event_description}"); + + var all11 = all_match({ + processors: [ + part100, + select16, + part103, + ], + on_success: processor_chain([ + dup5, + dup6, + ]), + }); + + var msg102 = msg("rsyslogd", all11); + 
+ var part104 = match("MESSAGE#102:shutdown", "nwparser.payload", "%{agent}[%{process_id}]: shutting down %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","shutting down"), + ])); + + var msg103 = msg("shutdown", part104); + + var part105 = match("MESSAGE#103:cmd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> cmd starting %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","cmd starting"), + ])); + + var msg104 = msg("cmd", part105); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "anacron": select12, + "auditd": msg97, + "authd": select15, + "ccd": select7, + "cli": select2, + "cmd": msg104, + "configd": select4, + "dmd": select9, + "epmd": select13, + "heartbeat": select5, + "logrotate": msg77, + "ntpd": select10, + "pm": select11, + "poller": msg45, + "restorecond": msg98, + "rsyslogd": msg102, + "runner": select6, + "schedulerd": select3, + "shutdown": msg103, + "sshd": select8, + "xinetd": select14, + }), + ]); + + var part106 = match("MESSAGE#0:cli/0", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c-%{fld20}.%{severity}> %{p0}"); + + var part107 = match("MESSAGE#0:cli/1_0", "nwparser.p0", "%{username}@::%{fld5}:%{saddr->} %{p0}"); + + var part108 = match("MESSAGE#0:cli/1_1", "nwparser.p0", "%{username}@%{domain->} %{p0}"); + + var select17 = linear_select([ + dup3, + dup4, + ]); + + var part109 = match("MESSAGE#10:cli:pam", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): pam_putenv: %{fld3}", processor_chain([ + dup5, + dup6, + dup7, + ])); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/bluecoat/0.1.0/dataset/director/elasticsearch/ingest_pipeline/default.yml b/packages/bluecoat/0.1.0/dataset/director/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 0000000000..e26891a1ad --- /dev/null 
+++ b/packages/bluecoat/0.1.0/dataset/director/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Blue Coat Director
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/bluecoat/0.1.0/dataset/director/fields/base-fields.yml
new file mode 100644
index 0000000000..b294eaf20e
--- /dev/null
+++ b/packages/bluecoat/0.1.0/dataset/director/fields/base-fields.yml
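Review bot: The `on_failure` handler at the end of the hunk only appends the failure message to `error.message`, so a document that fails any processor is still indexed with nothing that distinguishes it from a successfully parsed event in searches or dashboards. Consider adding a second step that marks the event, e.g. `- set: { field: event.kind, value: pipeline_error }`, assuming the ECS version this package declares accepts that value. Note also that `ignore_missing: true` on the `geoip` processors covers only an absent field; if the upstream script can leave a non-IP string in `source.ip` or `destination.ip`, the lookup is likely to fail the document and land in this handler, which is another reason to make those failures visible.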
@@ -0,0 +1,26 @@
+- name: datastream.type
+ type: constant_keyword
+ description: Datastream type.
+- name: datastream.dataset
+ type: constant_keyword
+ description: Datastream dataset.
+- name: datastream.namespace
+ type: constant_keyword
+ description: Datastream namespace.
+
+- name: dataset.type
+ type: constant_keyword
+ description: >
+ Dataset type.
+- name: dataset.name
+ type: constant_keyword
+ description: >
+ Dataset name.
+- name: dataset.namespace
+ type: constant_keyword
+ description: >
+ Dataset namespace.
+- name: "@timestamp"
+ type: date
+ description: >
+ Event timestamp.
diff --git a/packages/bluecoat/0.1.0/dataset/director/fields/ecs.yml
new file mode 100644
index 0000000000..92af91c339
--- /dev/null
+++ b/packages/bluecoat/0.1.0/dataset/director/fields/ecs.yml
@@ -0,0 +1,836 @@ +- name: log + type: group + fields: + - name: original + level: core + type: keyword + ignore_above: 1024 + description: 'This is the original log message and contains the full log message + before splitting it up in multiple parts. + + In contrast to the `message` field which can contain an extracted part of the + log message, this field contains the original, full log message. It can have + already some modifications applied like encoding or new lines removed to clean + up the log message. + + This field is not indexed and doc_values are disabled so it can''t be queried + but the value can be retrieved from `_source`.' + example: Sep 19 08:26:10 localhost My log + - name: level + level: core + type: keyword + ignore_above: 1024 + description: 'Original log level of the log event. + + If the source of the event provides a log level or textual severity, this is + the one that goes in `log.level`. If your source doesn''t specify one, you may + put your event transport''s severity here (e.g. Syslog severity). + + Some examples are `warn`, `err`, `i`, `informational`.' + example: error + - name: syslog + type: group + fields: + - name: priority + level: extended + type: long + format: string + description: 'Syslog numeric priority of the event, if available. + + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. + This number is therefore expected to contain a value between 0 and 191.' + example: 135 + - name: facility + type: group + fields: + - name: code + level: extended + type: long + format: string + description: 'The Syslog numeric facility of the log event, if available. + + According to RFCs 5424 and 3164, this value should be an integer between + 0 and 23.' + example: 23 + - name: severity + type: group + fields: + - name: code + level: extended + type: long + description: 'The Syslog numeric severity of the log event, if available. 
+ + If the event source publishing via Syslog provides a different numeric severity + value (e.g. firewall, IDS), your source''s numeric severity should go to + `event.severity`. If the event source does not specify a distinct severity, + you can optionally copy the Syslog severity to `event.severity`.' + example: 3 +- name: event + type: group + fields: + - name: code + level: extended + type: keyword + ignore_above: 1024 + description: 'Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, regardless + of message language or wording adjustments over time. An example of this is + the Windows Event ID.' + example: 4648 + - name: action + level: core + type: keyword + ignore_above: 1024 + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is normally + defined by the implementer.' + example: user-password-change + - name: outcome + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + lowest level in the ECS category hierarchy. + + `event.outcome` simply denotes whether the event represents a success or a failure + from the perspective of the entity that produced the event. + + Note that when a single transaction is described in multiple events, each event + may populate different values of `event.outcome`, according to their perspective. + + Also note that in the case of a compound event (a single event that contains + multiple logical events), this field should be populated with the value that + best captures the overall success or failure from the perspective of the event + producer. + + Further note that not all events will have an associated outcome. 
For example, + this field is generally not populated for metric events, events with `event.type:info`, + or any events for which an outcome does not make logical sense.' + example: success + - name: category + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as a + subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + - name: timezone + level: extended + type: keyword + ignore_above: 1024 + description: 'This field should be populated when the event''s timestamp does + not include timezone information already (e.g. default Syslog timestamps). It''s + optional otherwise. + + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated + (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' +- name: '@timestamp' + level: core + required: true + type: date + description: 'Date/time when the event originated. + + This is the date/time extracted from the event, typically representing when the + event was generated by the source. + + If the event source has no original timestamp, this value is typically populated + by the first time the event was received by the pipeline. + + Required field for all events.' + example: '2016-05-23T08:05:34.853Z' +- name: user + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. 
+ example: albert + - name: full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifiers of the user. +- name: message + level: core + type: text + description: 'For log events the message field contains the log message, optimized + for viewing in a log viewer. + + For structured logs without an original message field, other fields can be concatenated + to form a human-readable summary of the event. + + If multiple messages exist, they can be combined into one message.' + example: Hello World +- name: source + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the source. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the source. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the source. + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. 
internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Source domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: host + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified + domain name, or a name specified by the user. The sender decides which value + to use.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. +- name: destination + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the destination. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the destination. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event destination addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. 
You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the destination to the source. + example: 184 + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the destination. + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of destination based NAT sessions (e.g. internet + to private DMZ) + + Typically used with load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Port the source session is translated to by NAT Device. + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Destination domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: network + type: group + fields: + - name: protocol + level: core + type: keyword + ignore_above: 1024 + description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: http + - name: application + level: extended + type: keyword + ignore_above: 1024 + description: 'A name given to an application level protocol. This can be arbitrarily + assigned for things like microservices, but also apply to things like skype, + icq, facebook, twitter. 
This would be used in situations where the vendor or + service can be decoded such as from the source/dest IP owners, ports, or wire + format. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: aim + - name: interface + type: group + fields: + - type: keyword + name: name + - name: bytes + level: core + type: long + format: bytes + description: 'Total bytes transferred in both directions. + + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their + sum.' + example: 368 + - name: direction + level: core + type: keyword + ignore_above: 1024 + description: "Direction of the network traffic.\nRecommended values are:\n *\ + \ inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen mapping\ + \ events from a host-based monitoring context, populate this field from the\ + \ host's point of view.\nWhen mapping events from a network or perimeter-based\ + \ monitoring context, populate this field from the point of view of your network\ + \ perimeter." + example: inbound + - name: packets + level: core + type: long + description: 'Total packets transferred in both directions. + + If `source.packets` and `destination.packets` are known, `network.packets` is + their sum.' + example: 24 + - name: forwarded_ip + level: core + type: ip + description: Host IP address when the source IP address is the proxy. + example: 192.1.1.2 +- name: observer + type: group + fields: + - name: version + level: core + type: keyword + ignore_above: 1024 + description: Observer version. + - name: product + level: extended + type: keyword + ignore_above: 1024 + description: The product name of the observer. + example: s200 + - name: ingress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. 
+ example: eth0 + default_field: false + - name: egress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. + example: eth0 + default_field: false +- name: file + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. + example: example.png + - name: directory + level: extended + type: keyword + ignore_above: 1024 + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + - name: size + level: extended + type: long + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: File type (file, dir, or symlink). + example: file + - name: extension + level: extended + type: keyword + ignore_above: 1024 + description: File extension. + example: png + - name: path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + - name: attributes + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' 
+ example: '["readonly", "system"]' + default_field: false +- name: url + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + - name: query + level: extended + type: keyword + ignore_above: 1024 + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there is + no query field. If there is a `?` but no query, the query field exists with + an empty string. The `exists` query can be used to differentiate between the + two cases.' + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field.' + example: www.elastic.co + - name: path + level: extended + type: keyword + ignore_above: 1024 + description: Path of the request, such as "/search". + - name: top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for google.com is "com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). 
Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.google.com" is "google.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: google.com +- name: service + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the service data is collected from. + + The name of the service is normally user given. This allows for distributed + services that run on multiple hosts to correlate the related instances based + on the name. + + In the case of Elasticsearch the `service.name` could contain the cluster name. + For Beats the `service.name` is by default a copy of the `service.type` field + if no name is specified.' + example: elasticsearch-metrics +- name: server + type: group + fields: + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Server domain. +- name: process + type: group + fields: + - name: pid + level: core + type: long + format: string + description: Process id. + example: 4242 + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + - name: ppid + level: extended + type: long + format: string + description: Parent process' pid. 
+ example: 4241 + - name: parent + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' +- name: rule + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: The name of the rule or signature generating the event. + example: BLOCK_DNS_over_TLS + default_field: false +- name: user_agent + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Unparsed user_agent string. + example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 + (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 +- name: http + type: group + fields: + - name: response + type: group + fields: + - name: body + type: group + fields: + - name: content + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: The full HTTP response body. 
+ example: Hello world + - name: request + type: group + fields: + - name: referrer + level: extended + type: keyword + ignore_above: 1024 + description: Referrer for this HTTP request. + example: https://blog.example.com/ + - name: method + level: extended + type: keyword + ignore_above: 1024 + description: 'HTTP request method. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: get, post, put +- name: geo + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + - name: region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec +- name: dns + type: group + fields: + - name: question + type: group + fields: + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of record being queried. + example: AAAA + - name: answers + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'The domain name to which this resource record pertains. + + If a chain of CNAME is being resolved, each answer''s `name` should be the + one that corresponds with the answer''s `data`. It should not simply be the + original `question.name` repeated.' + example: www.google.com + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of data contained in this resource record. 
+ example: CNAME diff --git a/packages/bluecoat/0.1.0/dataset/director/fields/fields.yml b/packages/bluecoat/0.1.0/dataset/director/fields/fields.yml new file mode 100644 index 0000000000..2abc947fe7 --- /dev/null +++ b/packages/bluecoat/0.1.0/dataset/director/fields/fields.yml 
@@ -0,0 +1,1939 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. 
+ - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a 
generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/packages/bluecoat/0.1.0/dataset/director/manifest.yml b/packages/bluecoat/0.1.0/dataset/director/manifest.yml new file mode 100644 index 0000000000..dcd5e99908 --- /dev/null +++ b/packages/bluecoat/0.1.0/dataset/director/manifest.yml 
@@ -0,0 +1,155 @@
+title: Blue Coat Director logs
+release: experimental
+type: logs
+streams:
+- input: udp
+ title: Blue Coat Director logs
+ description: Collect Blue Coat Director logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - bluecoat-director
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9505
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: tcp
+ title: Blue Coat Director logs
+ description: Collect Blue Coat Director logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - bluecoat-director
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9505
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: file
+ title: Blue Coat Director logs
+ description: Collect Blue Coat Director logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/bluecoat-director.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - bluecoat-director
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
diff --git a/packages/bluecoat/0.1.0/docs/README.md b/packages/bluecoat/0.1.0/docs/README.md
new file mode 100644
index 0000000000..4d0e9a063e
--- /dev/null
+++ b/packages/bluecoat/0.1.0/docs/README.md
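Review bot: The `tz_offset`, `rsa_fields`, `keep_raw_fields` and `debug` var blocks are repeated verbatim under each of the three inputs (udp, tcp, file), so any change to a default or title has to be made in three places; a comment above `streams:` such as `# tz_offset/rsa_fields/keep_raw_fields/debug must stay identical across the udp, tcp and file inputs` would at least make that coupling explicit. The file input also omits `template_path`, whereas the udp and tcp inputs name `udp.yml.hbs` and `tcp.yml.hbs`; if the package spec's default template name is being relied on, stating it explicitly would keep the three inputs consistent. Separately, `rsa_fields` defaults to `true` under the title `Add non-ECS fields`, and the field mapping added elsewhere in this commit defines a `password` key in the `identity` group described as capturing passwords in plain text or encrypted form; whether the parser ever populates it is not visible here, but a title or description noting that the non-ECS fields may carry credential material would help operators judge that default.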
@@ -0,0 +1,780 @@ +# Bluecoat integration + +This integration is for Bluecoat device's logs. It includes the following +datasets for receiving logs over syslog or read from a file: +- `director` dataset: supports Blue Coat Director logs. + +### Director + +The `director` dataset collects Blue Coat Director logs. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| dataset.name | Dataset name. | constant_keyword | +| dataset.namespace | Dataset namespace. | constant_keyword | +| dataset.type | Dataset type. | constant_keyword | +| datastream.dataset | Datastream dataset. | constant_keyword | +| datastream.namespace | Datastream namespace. | constant_keyword | +| datastream.type | Datastream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | Destination domain. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location.lat | | double | +| destination.geo.location.lon | | double | +| destination.ip | IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses. | ip | +| destination.mac | MAC address of the destination. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. 
| keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| http.request.method | HTTP request method. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.body.content | The full HTTP response body. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. 
| keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | +| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.pid | Process id. | long | +| process.ppid | Parent process' pid. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. 
| keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is 
used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| rsa.crypto.ike | IKE negotiation phase. 
| keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | +| rsa.file.directory_dst | This key is used to capture the directory of the target process or file | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | +| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.event_desc | | keyword | +| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | +| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | +| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.inode | Deprecated key defined only in table map. | long | +| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | +| rsa.internal.level | Deprecated key defined only in table map. | long | +| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | +| rsa.internal.message | This key captures the contents of instant messages | keyword | +| rsa.internal.messageid | | keyword | +| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | +| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.site | Deprecated key defined only in table map. | keyword | +| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.statement | Deprecated key defined only in table map. | keyword | +| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | +| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | +| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | +| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | +| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | +| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | +| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | +| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | +| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | +| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | +| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | +| rsa.investigations.event_cat | This key captures the Event category number | long | +| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | +| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | +| rsa.investigations.inv_category | This used to capture investigation category | keyword | +| rsa.investigations.inv_context | This used to capture investigation context | keyword | +| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | +| rsa.misc.OS | This key captures the Name of the Operating System | keyword | +| rsa.misc.acl_id | | keyword | +| rsa.misc.acl_op | | keyword | +| rsa.misc.acl_pos | | keyword | +| rsa.misc.acl_table | | keyword | +| rsa.misc.action | | keyword | +| rsa.misc.admin | | keyword | +| rsa.misc.agent_id | This key is used to capture agent id | keyword | +| rsa.misc.alarm_id | | keyword | +| rsa.misc.alarmname | | keyword | +| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.app_id | | keyword | +| rsa.misc.audit | | keyword | +| rsa.misc.audit_object | | keyword | +| rsa.misc.auditdata | | keyword | +| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | +| rsa.misc.benchmark | | keyword | +| rsa.misc.bypass | | keyword | +| rsa.misc.cache | | keyword | +| rsa.misc.cache_hit | | keyword | +| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | +| rsa.misc.cc_number | Valid Credit Card Numbers only | long | +| rsa.misc.cefversion | | keyword | +| rsa.misc.cfg_attr | | keyword | +| rsa.misc.cfg_obj | | keyword | +| rsa.misc.cfg_path | | keyword | +| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | +| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | +| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | +| rsa.misc.changes | | keyword | +| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | +| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | +| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | +| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | +| rsa.misc.client_ip | | keyword | +| rsa.misc.clustermembers | | keyword | +| rsa.misc.cmd | | keyword | +| rsa.misc.cn_acttimeout | | keyword | +| rsa.misc.cn_asn_src | | keyword | +| rsa.misc.cn_bgpv4nxthop | | keyword | +| rsa.misc.cn_ctr_dst_code | | keyword | +| rsa.misc.cn_dst_tos | | keyword | +| rsa.misc.cn_dst_vlan | | keyword | +| rsa.misc.cn_engine_id | | keyword | +| rsa.misc.cn_engine_type | | keyword | +| rsa.misc.cn_f_switch | | keyword | +| rsa.misc.cn_flowsampid | | keyword | +| rsa.misc.cn_flowsampintv | | keyword | +| rsa.misc.cn_flowsampmode | | keyword | +| rsa.misc.cn_inacttimeout | | keyword | +| rsa.misc.cn_inpermbyts | | keyword | +| rsa.misc.cn_inpermpckts | | keyword | +| rsa.misc.cn_invalid | | keyword | +| rsa.misc.cn_ip_proto_ver | | keyword | +| rsa.misc.cn_ipv4_ident | | keyword | +| rsa.misc.cn_l_switch | | keyword | +| rsa.misc.cn_log_did | | keyword | +| rsa.misc.cn_log_rid | | keyword | +| rsa.misc.cn_max_ttl | | keyword | +| rsa.misc.cn_maxpcktlen | | keyword | +| rsa.misc.cn_min_ttl | | keyword | +| rsa.misc.cn_minpcktlen | | keyword | +| rsa.misc.cn_mpls_lbl_1 | | keyword | +| rsa.misc.cn_mpls_lbl_10 | | keyword | +| rsa.misc.cn_mpls_lbl_2 | | keyword | +| rsa.misc.cn_mpls_lbl_3 | | keyword | +| rsa.misc.cn_mpls_lbl_4 | | keyword | +| rsa.misc.cn_mpls_lbl_5 | 
| keyword | +| rsa.misc.cn_mpls_lbl_6 | | keyword | +| rsa.misc.cn_mpls_lbl_7 | | keyword | +| rsa.misc.cn_mpls_lbl_8 | | keyword | +| rsa.misc.cn_mpls_lbl_9 | | keyword | +| rsa.misc.cn_mplstoplabel | | keyword | +| rsa.misc.cn_mplstoplabip | | keyword | +| rsa.misc.cn_mul_dst_byt | | keyword | +| rsa.misc.cn_mul_dst_pks | | keyword | +| rsa.misc.cn_muligmptype | | keyword | +| rsa.misc.cn_sampalgo | | keyword | +| rsa.misc.cn_sampint | | keyword | +| rsa.misc.cn_seqctr | | keyword | +| rsa.misc.cn_spackets | | keyword | +| rsa.misc.cn_src_tos | | keyword | +| rsa.misc.cn_src_vlan | | keyword | +| rsa.misc.cn_sysuptime | | keyword | +| rsa.misc.cn_template_id | | keyword | +| rsa.misc.cn_totbytsexp | | keyword | +| rsa.misc.cn_totflowexp | | keyword | +| rsa.misc.cn_totpcktsexp | | keyword | +| rsa.misc.cn_unixnanosecs | | keyword | +| rsa.misc.cn_v6flowlabel | | keyword | +| rsa.misc.cn_v6optheaders | | keyword | +| rsa.misc.code | | keyword | +| rsa.misc.command | | keyword | +| rsa.misc.comments | Comment information provided in the log message | keyword | +| rsa.misc.comp_class | | keyword | +| rsa.misc.comp_name | | keyword | +| rsa.misc.comp_rbytes | | keyword | +| rsa.misc.comp_sbytes | | keyword | +| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | +| rsa.misc.connection_id | This key captures the Connection ID | keyword | +| rsa.misc.content | This key captures the content type from protocol headers | keyword | +| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | +| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | +| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | +| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | +| rsa.misc.context_target | | keyword | +| rsa.misc.count | | keyword | +| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | +| rsa.misc.cpu_data | | keyword | +| rsa.misc.criticality | | keyword | +| rsa.misc.cs_agency_dst | | keyword | +| rsa.misc.cs_analyzedby | | keyword | +| rsa.misc.cs_av_other | | keyword | +| rsa.misc.cs_av_primary | | keyword | +| rsa.misc.cs_av_secondary | | keyword | +| rsa.misc.cs_bgpv6nxthop | | keyword | +| rsa.misc.cs_bit9status | | keyword | +| rsa.misc.cs_context | | keyword | +| rsa.misc.cs_control | | keyword | +| rsa.misc.cs_data | | keyword | +| rsa.misc.cs_datecret | | keyword | +| rsa.misc.cs_dst_tld | | keyword | +| rsa.misc.cs_eth_dst_ven | | keyword | +| rsa.misc.cs_eth_src_ven | | keyword | +| rsa.misc.cs_event_uuid | | keyword | +| rsa.misc.cs_filetype | | keyword | +| rsa.misc.cs_fld | | keyword | +| rsa.misc.cs_if_desc | | keyword | +| rsa.misc.cs_if_name | | keyword | +| rsa.misc.cs_ip_next_hop | | keyword | +| rsa.misc.cs_ipv4dstpre | | keyword | +| rsa.misc.cs_ipv4srcpre | | keyword | +| rsa.misc.cs_lifetime | | keyword | +| rsa.misc.cs_log_medium | | keyword | +| rsa.misc.cs_loginname | | keyword | +| rsa.misc.cs_modulescore | | keyword | +| rsa.misc.cs_modulesign | | keyword | +| rsa.misc.cs_opswatresult | | keyword | +| rsa.misc.cs_payload | | keyword | +| rsa.misc.cs_registrant | | keyword | +| rsa.misc.cs_registrar | | keyword | +| rsa.misc.cs_represult | | keyword | +| rsa.misc.cs_rpayload | | keyword | +| rsa.misc.cs_sampler_name | | keyword | +| rsa.misc.cs_sourcemodule | | keyword | +| rsa.misc.cs_streams | | keyword | +| rsa.misc.cs_targetmodule | | keyword | +| rsa.misc.cs_v6nxthop | | keyword | +| rsa.misc.cs_whois_server | | keyword | +| rsa.misc.cs_yararesult | | keyword | +| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | +| rsa.misc.data_type | | keyword | +| rsa.misc.description | | keyword | +| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | +| rsa.misc.devvendor | | keyword | +| rsa.misc.disposition | This key captures the The end state of an action. | keyword | +| rsa.misc.distance | | keyword | +| rsa.misc.doc_number | This key captures File Identification number | long | +| rsa.misc.dstburb | | keyword | +| rsa.misc.edomain | | keyword | +| rsa.misc.edomaub | | keyword | +| rsa.misc.ein_number | Employee Identification Numbers only | long | +| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | +| rsa.misc.euid | | keyword | +| rsa.misc.event_category | | keyword | +| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | +| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | +| rsa.misc.event_id | | keyword | +| rsa.misc.event_log | This key captures the Name of the event log | keyword | +| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | +| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | +| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | +| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | +| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | +| rsa.misc.facility | | keyword | +| rsa.misc.facilityname | | keyword | +| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | +| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | +| rsa.misc.finterface | | keyword | +| rsa.misc.flags | | keyword | +| rsa.misc.forensic_info | | keyword | +| rsa.misc.found | This is used to capture the results of regex match | keyword | +| rsa.misc.fresult | This key captures the Filter Result | long | +| rsa.misc.gaddr | | keyword | +| rsa.misc.group | This key captures the Group Name value | keyword | +| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | +| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | +| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | +| rsa.misc.id3 | | keyword | +| rsa.misc.im_buddyid | | keyword | +| rsa.misc.im_buddyname | | keyword | +| rsa.misc.im_client | | keyword | +| rsa.misc.im_croomid | | keyword | +| rsa.misc.im_croomtype | | keyword | +| rsa.misc.im_members | | keyword | +| rsa.misc.im_userid | | keyword | +| rsa.misc.im_username | | keyword | +| rsa.misc.index | | keyword | +| rsa.misc.inout | | keyword | +| rsa.misc.ipkt | | keyword | +| rsa.misc.ipscat | | keyword | +| rsa.misc.ipspri | | keyword | +| rsa.misc.job_num | This key captures the Job Number | keyword | +| rsa.misc.jobname | | keyword | +| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | +| rsa.misc.latitude | | keyword | +| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | +| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | +| rsa.misc.linenum | | keyword | +| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.misc.list_name | | keyword | +| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | +| rsa.misc.load_data | | keyword | +| rsa.misc.location_floor | | keyword | +| rsa.misc.location_mark | | keyword | +| rsa.misc.log_id | | keyword | +| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | +| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | +| rsa.misc.log_type | | keyword | +| rsa.misc.logid | | keyword | +| rsa.misc.logip | | keyword | +| rsa.misc.logname | | keyword | +| rsa.misc.longitude | | keyword | +| rsa.misc.lport | | keyword | +| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | +| rsa.misc.match | This key is for regex match name from search.ini | keyword | +| rsa.misc.mbug_data | | keyword | +| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | +| rsa.misc.misc | | keyword | +| rsa.misc.misc_name | | keyword | +| rsa.misc.mode | | keyword | +| rsa.misc.msgIdPart1 | | keyword | +| rsa.misc.msgIdPart2 | | keyword | +| rsa.misc.msgIdPart3 | | keyword | +| rsa.misc.msgIdPart4 | | keyword | +| rsa.misc.msg_type | | keyword | +| rsa.misc.msgid | | keyword | +| rsa.misc.name | | keyword | +| rsa.misc.netsessid | | keyword | +| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long 
| +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target **VMWARE** only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | +| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | +| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | +| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | +| rsa.threat.alert | This key is used to capture name of the alert | keyword | +| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | +| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | +| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | +| rsa.time.date | | keyword | +| rsa.time.datetime | | keyword | +| rsa.time.day | | keyword | +| rsa.time.duration_str | A text string version of the duration | keyword | +| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | +| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | +| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | +| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | +| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | +| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | +| rsa.time.eventtime | | keyword | +| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | +| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | +| rsa.time.gmtdate | | keyword | +| rsa.time.gmttime | | keyword | +| rsa.time.hour | | keyword | +| rsa.time.min | | keyword | +| rsa.time.month | | keyword | +| rsa.time.p_date | | keyword | +| rsa.time.p_month | | keyword | +| rsa.time.p_time | | keyword | +| rsa.time.p_time1 | | keyword | +| rsa.time.p_time2 | | keyword | +| rsa.time.p_year | | keyword | +| rsa.time.process_time | Deprecated, use duration.time | keyword | +| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | +| rsa.time.stamp | Deprecated key defined only in table map. | date | +| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | +| rsa.time.timestamp | | keyword | +| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | +| rsa.time.tzone | | keyword | +| rsa.time.year | | keyword | +| rsa.web.alias_host | | keyword | +| rsa.web.cn_asn_dst | | keyword | +| rsa.web.cn_rpackets | | keyword | +| rsa.web.fqdn | Fully Qualified Domain Names | keyword | +| rsa.web.p_url | | keyword | +| rsa.web.p_user_agent | | keyword | +| rsa.web.p_web_cookie | | keyword | +| rsa.web.p_web_method | | keyword | +| rsa.web.p_web_referer | | keyword | +| rsa.web.remote_domain | | keyword | +| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | +| rsa.web.urlpage | | keyword | +| rsa.web.urlroot | | keyword | +| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | Server domain. | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | Source domain. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location.lat | | double | +| source.geo.location.lon | | double | +| source.ip | IP address of the source. Can be one or multiple IPv4 or IPv6 addresses. 
| ip | +| source.mac | MAC address of the source. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword | +| url.path | Path of the request, such as "/search". | keyword | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.id | Unique identifiers of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user_agent.original | Unparsed user_agent string. | keyword |
diff --git a/packages/bluecoat/0.1.0/manifest.yml b/packages/bluecoat/0.1.0/manifest.yml
new file mode 100644
index 0000000000..bd4a883e9b
--- /dev/null
+++ b/packages/bluecoat/0.1.0/manifest.yml
@@ -0,0 +1,31 @@
+format_version: 1.0.0
+name: bluecoat
+title: Blue Coat Director
+version: 0.1.0
+description: Blue Coat Director Integration
+categories: ["network","security"]
+release: experimental
+removable: true
+license: basic
+type: integration
+conditions:
+ kibana:
+ version: '>=7.9.0'
+ elasticsearch:
+ version: '>=7.9.0'
+config_templates:
+- name: director
+ title: Blue Coat Director
+ description: Collect Blue Coat Director logs from syslog or a file.
+ inputs:
+ - type: udp
+ title: Collect logs from Blue Coat Director via UDP
+ description: Collecting syslog from Blue Coat Director via UDP
+ - type: tcp
+ title: Collect logs from Blue Coat Director via TCP
+ description: Collecting syslog from Blue Coat Director via TCP
+ - type: file
+ title: Collect logs from Blue Coat Director via file
+ description: Collecting syslog from Blue Coat Director via file.
+# No icon
+icons:
diff --git a/packages/citrix/0.1.0/dataset/virtualapps/agent/stream/stream.yml.hbs b/packages/citrix/0.1.0/dataset/virtualapps/agent/stream/stream.yml.hbs
new file mode 100644
index 0000000000..8920aff9ac
--- /dev/null
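Review bot: The trailing `icons:` on the last line of the manifest hunk has no value, so YAML reads it as `icons: null` rather than an empty list, and the `# No icon` comment above it shows the key is intentionally unused; if the package spec validates `icons` as a sequence, either remove both lines or write `icons: []`. The three input `description` values are also inconsistent: the UDP and TCP ones end without a period while the file one ends with `.`, so pick one form, e.g. `description: Collecting syslog from Blue Coat Director via UDP.`. Since the `udp` and `tcp` inputs accept plain syslog, which carries no sender authentication, it would help operators if the template `description` noted that the listener should be reachable only from the Director hosts; that is a documentation point rather than a defect in this file.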
+++ b/packages/citrix/0.1.0/dataset/virtualapps/agent/stream/stream.yml.hbs 
@@ -0,0 +1,2567 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Citrix" + product: "Virtual" + type: "Virtualization" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
+ "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
+ "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
+ "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
+ "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
+ "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
+ };
+
+ function to_date(value) {
+ switch (typeof (value)) {
+ case "object":
+ // This is a Date. But as it was obtained from evt.Get(), the VM
+ // doesn't see it as a JS Date anymore, thus value instanceof Date === false.
+ // Have to trust that any object here is a valid Date for Go.
+ return value;
+ case "string":
+ var asDate = new Date(value);
+ if (!isNaN(asDate)) return asDate;
+ }
+ }
+
+ // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
+ var maxSafeInt = Math.pow(2, 53) - 1;
+ var minSafeInt = -maxSafeInt;
+
+ function to_long(value) {
+ var num = parseInt(value);
+ // Better not to index a number if it's not safe (above 53 bits).
+ return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ?
num : undefined;
+ }
+
+ function to_ip(value) {
+ if (value.indexOf(":") === -1)
+ return to_ipv4(value);
+ return to_ipv6(value);
+ }
+
+ var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
+ var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
+
+ function to_ipv4(value) {
+ var result = ipv4_regex.exec(value);
+ if (result == null || result.length !== 5) return;
+ for (var i = 1; i < 5; i++) {
+ var num = strictToInt(result[i]);
+ if (isNaN(num) || num < 0 || num > 255) return;
+ }
+ return value;
+ }
+
+ function to_ipv6(value) {
+ var sqEnd = value.indexOf("]");
+ if (sqEnd > -1) {
+ if (value.charAt(0) !== "[") return;
+ value = value.substr(1, sqEnd - 1);
+ }
+ var zoneOffset = value.indexOf("%");
+ if (zoneOffset > -1) {
+ value = value.substr(0, zoneOffset);
+ }
+ var parts = value.split(":");
+ if (parts == null || parts.length < 3 || parts.length > 8) return;
+ var numEmpty = 0;
+ var innerEmpty = 0;
+ for (var i = 0; i < parts.length; i++) {
+ if (parts[i].length === 0) {
+ numEmpty++;
+ if (i > 0 && i + 1 < parts.length) innerEmpty++;
+ } else if (!parts[i].match(ipv6_hex_regex) &&
+ // Accept an IPv6 with a valid IPv4 at the end.
+ ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
+ return;
+ }
+ }
+ return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
+ }
+
+ function to_double(value) {
+ return parseFloat(value);
+ }
+
+ function to_mac(value) {
+ // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
+ return value;
+ }
+
+ function to_lowercase(value) {
+ // to_lowercase is used against keyword fields, which can accept
+ // any other type (numbers, dates).
+ return typeof(value) === "string"?
value.toLowerCase() : value;
+ }
+
+ function fld_set(dst, value) {
+ dst[this.field] = { v: value };
+ }
+
+ function fld_append(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: [value] };
+ } else {
+ var base = dst[this.field];
+ if (base.v.indexOf(value)===-1) base.v.push(value);
+ }
+ }
+
+ function fld_prio(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value, prio: this.prio};
+ } else if(this.prio < dst[this.field].prio) {
+ dst[this.field].v = value;
+ dst[this.field].prio = this.prio;
+ }
+ }
+
+ var valid_ecs_outcome = {
+ 'failure': true,
+ 'success': true,
+ 'unknown': true
+ };
+
+ function fld_ecs_outcome(dst, value) {
+ value = value.toLowerCase();
+ if (valid_ecs_outcome[value] === undefined) {
+ value = 'unknown';
+ }
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value };
+ } else if (dst[this.field].v === 'unknown') {
+ dst[this.field] = { v: value };
+ }
+ }
+
+ function map_all(evt, targets, value) {
+ for (var i = 0; i < targets.length; i++) {
+ evt.Put(targets[i], value);
+ }
+ }
+
+ function populate_fields(evt) {
+ var base = evt.Get(FIELDS_OBJECT);
+ if (base === null) return;
+ alternate_datetime(evt);
+ if (map_ecs) {
+ do_populate(evt, base, ecs_mappings);
+ }
+ if (map_rsa) {
+ do_populate(evt, base, rsa_mappings);
+ }
+ if (keep_raw) {
+ evt.Put("rsa.raw", base);
+ }
+ evt.Delete(FIELDS_OBJECT);
+ }
+
+ var datetime_alt_components = [
+ {field: "day", fmts: [[dF]]},
+ {field: "year", fmts: [[dW]]},
+ {field: "month", fmts: [[dB],[dG]]},
+ {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
+ {field: "hour", fmts: [[dN]]},
+ {field: "min", fmts: [[dU]]},
+ {field: "secs", fmts: [[dO]]},
+ {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
+ ];
+
+ function alternate_datetime(evt) {
+ if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
+ return;
+ }
+ var tzOffset = tz_offset;
+ if (tzOffset === "event") {
+
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld2}.%{fld3}^^%{event_type}^^%{saddr}^^%{event_description}^^%{application}", processor_chain([ + dup1, + dup2, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%citrixxa: %{hdatetime}^^%{messageid}^^%{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdatetime"), + constant("^^"), + field("messageid"), + constant("^^"), + field("payload"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%citrixxa: %{hdatetime}^^%{msgIdPart1->} %{msgIdPart2}^^%{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant("_"), + field("msgIdPart2"), + ], + }), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdatetime"), + constant("^^"), + field("msgIdPart1"), + constant(" "), + field("msgIdPart2"), + constant("^^"), + field("payload"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + ]); + + var part1 = match("MESSAGE#0:CONFIGINFO", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}^^%{event_type}^^%{administrator}^^%{shost}^^%{hostname}^^%{operation_id}^^%{obj_type}^^%{obj_name}", processor_chain([ + dup1, + dup2, + lookup({ + dest: "nwparser.operation_id", + map: map_operationtype, + key: field("operation_id"), + }), + lookup({ + dest: "nwparser.obj_type", + map: map_AdminTaskType, + key: field("obj_type"), + }), + ])); + + var msg1 = msg("CONFIGINFO", part1); + + var part2 = match("MESSAGE#1:SESSIONINFO", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}^^%{event_type}^^%{username}^^%{hostname}^^%{saddr}^^%{application}^^%{fld4->} %{fld5}.%{fld6}", processor_chain([ + dup1, + date_time({ + dest: "starttime", + args: ["fld1","fld2"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }), + date_time({ + dest: "endtime", 
+ args: ["fld4","fld5"],
+ fmts: [
+ [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO],
+ ],
+ }),
+ ]));
+
+ var msg2 = msg("SESSIONINFO", part2);
+
+ var part3 = match("MESSAGE#2:APPINFO", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}^^%{event_type}^^%{domain}^^%{group_object}^^%{hostname}^^%{application}", processor_chain([
+ dup1,
+ dup2,
+ ]));
+
+ var msg3 = msg("APPINFO", part3);
+
+ var msg4 = msg("Broker_SDK", dup3);
+
+ var msg5 = msg("ConfigurationLogging", dup3);
+
+ var msg6 = msg("Monitor", dup3);
+
+ var msg7 = msg("Analytics", dup3);
+
+ var msg8 = msg("Storefront", dup3);
+
+ var msg9 = msg("Configuration", dup3);
+
+ var chain1 = processor_chain([
+ select1,
+ msgid_select({
+ "APPINFO": msg3,
+ "Analytics": msg7,
+ "Broker_SDK": msg4,
+ "CONFIGINFO": msg1,
+ "Configuration": msg9,
+ "ConfigurationLogging": msg5,
+ "Monitor": msg6,
+ "SESSIONINFO": msg2,
+ "Storefront": msg8,
+ }),
+ ]);
+
+ var part4 = match("MESSAGE#3:Broker_SDK", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}^^%{event_type}^^%{saddr}^^%{event_description}^^%{application}", processor_chain([
+ dup1,
+ dup2,
+ ]));
+
+- community_id:
+- add_locale: ~
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/packages/citrix/0.1.0/dataset/virtualapps/agent/stream/tcp.yml.hbs b/packages/citrix/0.1.0/dataset/virtualapps/agent/stream/tcp.yml.hbs
new file mode 100644
index 0000000000..24e21626de
--- /dev/null
+++ b/packages/citrix/0.1.0/dataset/virtualapps/agent/stream/tcp.yml.hbs
@@ -0,0 +1,2564 @@
+tcp:
+host: "{{tcp_host}}:{{tcp_port}}"
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Citrix"
+ product: "Virtual"
+ type: "Virtualization"
+publisher_pipeline.disable_host: true
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{rsa_fields}}
+ tz_offset: {{tz_offset}}
+ keep_raw: {{keep_raw_fields}}
+ debug: {{debug}}
+ source: |
+ // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ // or more contributor license agreements. Licensed under the Elastic License;
+ // you may not use this file except in compliance with the Elastic License.
+
+ /* jshint -W014,-W016,-W097,-W116 */
+
+ var processor = require("processor");
+ var console = require("console");
+
+ var FLAG_FIELD = "log.flags";
+ var FIELDS_OBJECT = "nwparser";
+ var FIELDS_PREFIX = FIELDS_OBJECT + ".";
+
+ var defaults = {
+ debug: false,
+ ecs: true,
+ rsa: false,
+ keep_raw: false,
+ tz_offset: "local",
+ strip_priority: true
+ };
+
+ var saved_flags = null;
+ var debug;
+ var map_ecs;
+ var map_rsa;
+ var keep_raw;
+ var device;
+ var tz_offset;
+ var strip_priority;
+
+ // Register params from configuration.
+ function register(params) {
+ debug = params.debug !== undefined ? params.debug : defaults.debug;
+ map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
+ map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
+ keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
+ tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
+ strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority;
+ device = new DeviceProcessor();
+ }
+
+ function parse_tz_offset(offset) {
+ var date;
+ var m;
+ switch(offset) {
+ // local uses the tz offset from the JS VM.
+ case "local":
+ date = new Date();
+ // Reversing the sign as we the offset from UTC, not to UTC.
+ return parse_local_tz_offset(-date.getTimezoneOffset());
+ // event uses the tz offset from event.timezone (add_locale processor).
+ case "event":
+ return offset;
+ // Otherwise a tz offset in the form "[+-][0-9]{4}" is required.
+ default:
+ m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/);
+ if (m === null || m.length !== 4) {
+ throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM");
+ }
+ return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00");
+ }
+ }
+
+ function parse_local_tz_offset(minutes) {
+ var neg = minutes < 0;
+ minutes = Math.abs(minutes);
+ var min = minutes % 60;
+ var hours = Math.floor(minutes / 60);
+ var pad2digit = function(n) {
+ if (n < 10) { return "0" + n;}
+ return "" + n;
+ };
+ return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min);
+ }
+
+ function process(evt) {
+ // Function register is only called by the processor when `params` are set
+ // in the processor config.
+ if (device === undefined) {
+ register(defaults);
+ }
+ return device.process(evt);
+ }
+
+ function processor_chain(subprocessors) {
+ var builder = new processor.Chain();
+ subprocessors.forEach(builder.Add);
+ return builder.Build().Run;
+ }
+
+ function linear_select(subprocessors) {
+ return function (evt) {
+ var flags = evt.Get(FLAG_FIELD);
+ var i;
+ for (i = 0; i < subprocessors.length; i++) {
+ evt.Delete(FLAG_FIELD);
+ if (debug) console.warn("linear_select trying entry " + i);
+ subprocessors[i](evt);
+ // Dissect processor succeeded?
+ if (evt.Get(FLAG_FIELD) == null) break;
+ if (debug) console.warn("linear_select failed entry " + i);
+ }
+ if (flags !== null) {
+ evt.Put(FLAG_FIELD, flags);
+ }
+ if (debug) {
+ if (i < subprocessors.length) {
+ console.warn("linear_select matched entry " + i);
+ } else {
+ console.warn("linear_select didn't match");
+ }
+ }
+ };
+ }
+
+ function conditional(opt) {
+ return function(evt) {
+ if (opt.if(evt)) {
+ opt.then(evt);
+ } else if (opt.else) {
+ opt.else(evt);
+ }
+ };
+ }
+
+ var strip_syslog_priority = (function() {
+ var isEnabled = function() { return strip_priority === true; };
+ var fetchPRI = field("_pri");
+ var fetchPayload = field("payload");
+ var removePayload = remove(["payload"]);
+ var cleanup = remove(["_pri", "payload"]);
+ var onMatch = function(evt) {
+ var pri, priStr = fetchPRI(evt);
+ if (priStr != null
+ && 0 < priStr.length && priStr.length < 4
+ && !isNaN((pri = Number(priStr)))
+ && 0 <= pri && pri < 192) {
+ var severity = pri & 7,
+ facility = pri >> 3;
+ setc("_severity", "" + severity)(evt);
+ setc("_facility", "" + facility)(evt);
+ // Replace message with priority stripped.
+ evt.Put("message", fetchPayload(evt));
+ removePayload(evt);
+ } else {
+ // not a valid syslog PRI, cleanup.
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) {
+ var n = str.length;
+ var start = skipws(str, pos);
+ if (start + 2 > n) return;
+ var head = str.substr(start, 2).toUpperCase();
+ var isPM = false;
+ var skip = false;
+ switch (head) {
+ case "A.":
+ skip = true;
+ /* falls through */
+ case "AM":
+ break;
+ case "P.":
+ skip = true;
+ /* falls through */
+ case "PM":
+ isPM = true;
+ break;
+ default:
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
+ return;
+ }
+ pos = start + 2;
+ if (skip) {
+ if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
+ return;
+ }
+ pos += 2;
+ }
+ var hh = date.hours;
+ if (isPM) {
+ // Accept existing hour in 24h format.
+ if (hh < 12) hh += 12;
+ } else {
+ if (hh === 12) hh = 0;
+ }
+ date.setHours(hh);
+ return pos;
+ }
+
+ function parseHMS(str, pos, date) {
+ return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
+ }
+
+ function skipws(str, pos) {
+ for ( var n = str.length;
+ pos < n && str.charAt(pos) === " ";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function skipdigits(str, pos) {
+ var c;
+ for (var n = str.length;
+ pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function dSkip(str, pos, date) {
+ var chr;
+ for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
+ return pos < str.length?
pos : undefined;
+ }
+
+ function dateVariableWidthNumber(fmtChar, min, max, setter) {
+ return function (str, pos, date) {
+ var start = skipws(str, pos);
+ pos = skipdigits(str, start);
+ var s = str.substr(start, pos - start);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos;
+ }
+ return;
+ };
+ }
+
+ function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + width > n) return;
+ var s = str.substr(pos, width);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos + width;
+ }
+ return;
+ };
+ }
+
+ // Short month name (Jan..Dec).
+ function dateMonthName(long) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + 3 > n) return;
+ var mon = str.substr(pos, 3);
+ var idx = shortMonths[mon];
+ if (idx === undefined) {
+ idx = shortMonths[mon.toLowerCase()];
+ }
+ if (idx === undefined) {
+ //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
+ return;
+ }
+ date.setMonth(idx[0]+1);
+ return pos + 3 + (long ?
idx[1] : 0);
+ };
+ }
+
+ function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.error(fn.name + " failed for '" + value + "'");
+ }
+ };
+ }
+
+ // The following regular expression for parsing URLs from:
+ // https://github.com/wizard04wsu/URI_Parsing
+ //
+ // The MIT License (MIT)
+ //
+ // Copyright (c) 2014 Andrew Harrison
+ //
+ // Permission is hereby granted, free of charge, to any person obtaining a copy of
+ // this software and associated documentation files (the "Software"), to deal in
+ // the Software without restriction, including without limitation the rights to
+ // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ // the Software, and to permit persons to whom the Software is furnished to do so,
+ // subject to the following conditions:
+ //
+ // The above copyright notice and this permission notice shall be included in all
+ // copies or substantial portions of the Software.
+ //
+ // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+ // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+ // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+ // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]},
+ "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field:
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field:
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]},
+ "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
+ "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
+ "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
+ "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
+ "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
+ "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
+ "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
+ "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
+ "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
+ "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
+ "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
+ "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
+ "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
+ "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
+ "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
+ "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
+ "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
+ "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
+ "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
+ "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
+ "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
+ "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
+ "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
+ "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
+ "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
+ "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
+ "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]},
+ "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
+ "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
+ "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
+ "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
+ "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
+ "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
+ "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
+ "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
+ "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
+ "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
+ "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
+ "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
+ "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
+ "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
+ "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
+ "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
+ "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
+ "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
+ "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
+ "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
+ "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]},
+ "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
+ "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
+ "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
+ 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
+ "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
+ "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
+ "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
+ "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
+ "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
+ "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
+ "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
+ "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
+ "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
+ "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
+ "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
+ "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
+ "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
+ "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
+ "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
+ "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
+ "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
+ "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
+ "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
+ "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
+ "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
+ "second": {to:[{field: "rsa.misc.second", setter: fld_set}]},
+ "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
+ "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
+ "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
+ "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]},
+ "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
+ "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
+ "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
+ "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
+ "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
+ "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
+ "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
+ "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
+ "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
+ "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
+ "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
+ "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
+ "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
+ "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
+ "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
+ "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
+ "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
+ "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
+ "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
+ "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
+ "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
+ "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]},
+ "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
+ "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
+ "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
+ "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
+ "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]},
+ "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
+ "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
+ "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
+ "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
+ "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
+ "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
+ "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
+ "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
+ "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
+ "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
+ "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
+ "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
+ "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
+ "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
+ "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
+ "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
+ "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
+ "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
+ "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
+ "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
+ "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
+ "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
+ "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
+ "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]},
+ "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
+ "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
+ "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
+ "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]},
+ "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
+ "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
+ "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
+ "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
+ "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
+ "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
+ "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
+ "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
+ "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
+ "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
+ "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
+ "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
+ "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
+ "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
+ "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
+ "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
+ "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
+ "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
+ "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
+ "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
+ "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
+ "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
+ "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]},
+ "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
+ "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
+ "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
+ "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]},
+ "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]},
+ "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]},
+ "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]},
+ "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]},
+ "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]},
+ "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]},
+ "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]},
+ "version": {to:[{field: "rsa.misc.version", setter: fld_set}]},
+ "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]},
+ "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]},
+ "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]},
+ "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]},
+ "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]},
+ "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]},
+ "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]},
+ "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]},
+ "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]},
+ "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]},
+ "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]},
+ "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]},
+ "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]},
+ "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]},
+ "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]},
+ "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]},
+ "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]},
+ 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld2}.%{fld3}^^%{event_type}^^%{saddr}^^%{event_description}^^%{application}", processor_chain([ + dup1, + dup2, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%citrixxa: %{hdatetime}^^%{messageid}^^%{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdatetime"), + constant("^^"), + field("messageid"), + constant("^^"), + field("payload"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%citrixxa: %{hdatetime}^^%{msgIdPart1->} %{msgIdPart2}^^%{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant("_"), + field("msgIdPart2"), + ], + }), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdatetime"), + constant("^^"), + field("msgIdPart1"), + constant(" "), + field("msgIdPart2"), + constant("^^"), + field("payload"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + ]); + + var part1 = match("MESSAGE#0:CONFIGINFO", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}^^%{event_type}^^%{administrator}^^%{shost}^^%{hostname}^^%{operation_id}^^%{obj_type}^^%{obj_name}", processor_chain([ + dup1, + dup2, + lookup({ + dest: "nwparser.operation_id", + map: map_operationtype, + key: field("operation_id"), + }), + lookup({ + dest: "nwparser.obj_type", + map: map_AdminTaskType, + key: field("obj_type"), + }), + ])); + + var msg1 = msg("CONFIGINFO", part1); + + var part2 = match("MESSAGE#1:SESSIONINFO", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}^^%{event_type}^^%{username}^^%{hostname}^^%{saddr}^^%{application}^^%{fld4->} %{fld5}.%{fld6}", processor_chain([ + dup1, + date_time({ + dest: "starttime", + args: ["fld1","fld2"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }), + date_time({ + dest: "endtime", 
+ args: ["fld4","fld5"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }), + ])); + + var msg2 = msg("SESSIONINFO", part2); + + var part3 = match("MESSAGE#2:APPINFO", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}^^%{event_type}^^%{domain}^^%{group_object}^^%{hostname}^^%{application}", processor_chain([ + dup1, + dup2, + ])); + + var msg3 = msg("APPINFO", part3); + + var msg4 = msg("Broker_SDK", dup3); + + var msg5 = msg("ConfigurationLogging", dup3); + + var msg6 = msg("Monitor", dup3); + + var msg7 = msg("Analytics", dup3); + + var msg8 = msg("Storefront", dup3); + + var msg9 = msg("Configuration", dup3); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "APPINFO": msg3, + "Analytics": msg7, + "Broker_SDK": msg4, + "CONFIGINFO": msg1, + "Configuration": msg9, + "ConfigurationLogging": msg5, + "Monitor": msg6, + "SESSIONINFO": msg2, + "Storefront": msg8, + }), + ]); + + var part4 = match("MESSAGE#3:Broker_SDK", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}^^%{event_type}^^%{saddr}^^%{event_description}^^%{application}", processor_chain([ + dup1, + dup2, + ])); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/citrix/0.1.0/dataset/virtualapps/agent/stream/udp.yml.hbs b/packages/citrix/0.1.0/dataset/virtualapps/agent/stream/udp.yml.hbs new file mode 100644 index 0000000000..02a747abe0 --- /dev/null +++ b/packages/citrix/0.1.0/dataset/virtualapps/agent/stream/udp.yml.hbs 
@@ -0,0 +1,2564 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Citrix" + product: "Virtual" + type: "Virtualization" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) {
+ if (debug) console.warn("all_match failure at " + i);
+ if (opts.on_failure != null) opts.on_failure(evt);
+ return;
+ }
+ if (debug) console.warn("all_match success at " + i);
+ }
+ if (opts.on_success != null) opts.on_success(evt);
+ };
+ }
+
+ function msgid_select(mapping) {
+ return function (evt) {
+ var msgid = evt.Get(FIELDS_PREFIX + "messageid");
+ if (msgid == null) {
+ if (debug) console.warn("msgid_select: no messageid captured!");
+ return;
+ }
+ var next = mapping[msgid];
+ if (next === undefined) {
+ if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid);
+ return;
+ }
+ if (debug) console.info("msgid_select: matched key=" + msgid);
+ return next(evt);
+ };
+ }
+
+ function msg(msg_id, match) {
+ return function (evt) {
+ match(evt);
+ if (evt.Get(FLAG_FIELD) == null) {
+ evt.Put(FIELDS_PREFIX + "msg_id1", msg_id);
+ }
+ };
+ }
+
+ var start;
+
+ function save_flags(evt) {
+ saved_flags = evt.Get(FLAG_FIELD);
+ evt.Put("event.original", evt.Get("message"));
+ }
+
+ function restore_flags(evt) {
+ if (saved_flags !== null) {
+ evt.Put(FLAG_FIELD, saved_flags);
+ }
+ evt.Delete("message");
+ }
+
+ function constant(value) {
+ return function (evt) {
+ return value;
+ };
+ }
+
+ function field(name) {
+ var fullname = FIELDS_PREFIX + name;
+ return function (evt) {
+ return evt.Get(fullname);
+ };
+ }
+
+ function STRCAT(args) {
+ var s = "";
+ var i;
+ for (i = 0; i < args.length; i++) {
+ s += args[i];
+ }
+ return s;
+ }
+
+ // TODO: Implement
+ function DIRCHK(args) {
+ unimplemented("DIRCHK");
+ }
+
+ function strictToInt(str) {
+ return str * 1;
+ }
+
+ function CALC(args) {
+ if (args.length !== 3) {
+ console.warn("skipped call to CALC with " + args.length + " arguments.");
+ return;
+ }
+ var a = strictToInt(args[0]);
+ var b = strictToInt(args[2]);
+ if (isNaN(a) || isNaN(b)) {
+ console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'.");
+ return;
+ }
+ var result;
+ switch (args[1]) {
+ case "+":
+ result = a + b;
+ break;
+ case "-":
+ result = a - b;
+ break;
+ case "*":
+ result = a * b;
+ break;
+ default:
+ // Only * and + seen in the parsers.
+ console.warn("unknown CALC operation '" + args[1] + "'.");
+ return;
+ }
+ // Always return a string
+ return result !== undefined ? "" + result : result;
+ }
+
+ var quoteChars = "\"'`";
+ function RMQ(args) {
+ if(args.length !== 1) {
+ console.warn("RMQ: only one argument expected");
+ return;
+ }
+ var value = args[0].trim();
+ var n = value.length;
+ var char;
+ return n > 1
+ && (char=value.charAt(0)) === value.charAt(n-1)
+ && quoteChars.indexOf(char) !== -1?
+ value.substr(1, n-2)
+ : value;
+ }
+
+ function call(opts) {
+ var args = new Array(opts.args.length);
+ return function (evt) {
+ for (var i = 0; i < opts.args.length; i++)
+ if ((args[i] = opts.args[i](evt)) == null) return;
+ var result = opts.fn(args);
+ if (result != null) {
+ evt.Put(opts.dest, result);
+ }
+ };
+ }
+
+ function nop(evt) {
+ }
+
+ function appendErrorMsg(evt, msg) {
+ var value = evt.Get("error.message");
+ if (value == null) {
+ value = [msg];
+ } else if (msg instanceof Array) {
+ value.push(msg);
+ } else {
+ value = [value, msg];
+ }
+ evt.Put("error.message", value);
+ }
+
+ function unimplemented(name) {
+ appendErrorMsg("unimplemented feature: " + name);
+ }
+
+ function lookup(opts) {
+ return function (evt) {
+ var key = opts.key(evt);
+ if (key == null) return;
+ var value = opts.map.keyvaluepairs[key];
+ if (value === undefined) {
+ value = opts.map.default;
+ }
+ if (value !== undefined) {
+ evt.Put(opts.dest, value(evt));
+ }
+ };
+ }
+
+ function set(fields) {
+ return new processor.AddFields({
+ target: FIELDS_OBJECT,
+ fields: fields,
+ });
+ }
+
+ function setf(dst, src) {
+ return function (evt) {
+ var val = evt.Get(FIELDS_PREFIX + src);
+ if (val != null) evt.Put(FIELDS_PREFIX + dst, val);
+ };
+ }
+
+ function setc(dst, value) {
+ return function (evt) {
+ evt.Put(FIELDS_PREFIX + dst, value);
+ };
+ }
+
+ function set_field(opts) {
+ return function (evt) {
+ var val = opts.value(evt);
+ if (val != null) evt.Put(opts.dest, val);
+ };
+ }
+
+ function dump(label) {
+ return function (evt) {
+ console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t"));
+ };
+ }
+
+ function date_time_join_args(evt, arglist) {
+ var str = "";
+ for (var i = 0; i < arglist.length; i++) {
+ var fname = FIELDS_PREFIX + arglist[i];
+ var val = evt.Get(fname);
+ if (val != null) {
+ if (str !== "") str += " ";
+ str += val;
+ } else {
+ if (debug) console.warn("in date_time: input arg " + fname + " is not set");
+ }
+ }
+ return str;
+ }
+
+ function to2Digit(num) {
+ return num? (num < 10? "0" + num : num) : "00";
+ }
+
+ // Make two-digit dates 00-69 interpreted as 2000-2069
+ // and dates 70-99 translated to 1970-1999.
+ var twoDigitYearEpoch = 70;
+ var twoDigitYearCentury = 2000;
+
+ // This is to accept dates up to 2 days in the future, only used when
+ // no year is specified in a date. 2 days should be enough to account for
+ // time differences between systems and different tz offsets.
+ var maxFutureDelta = 2*24*60*60*1000;
+
+ // DateContainer stores date fields and then converts those fields into
+ // a Date. Necessary because building a Date using its set() methods gives
+ // different results depending on the order of components.
+ function DateContainer(tzOffset) {
+ this.offset = tzOffset === undefined? "Z" : tzOffset;
+ }
+
+ DateContainer.prototype = {
+ setYear: function(v) {this.year = v;},
+ setMonth: function(v) {this.month = v;},
+ setDay: function(v) {this.day = v;},
+ setHours: function(v) {this.hours = v;},
+ setMinutes: function(v) {this.minutes = v;},
+ setSeconds: function(v) {this.seconds = v;},
+
+ setUNIX: function(v) {this.unix = v;},
+
+ set2DigitYear: function(v) {
+ this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100;
+ },
+
+ toDate: function() {
+ if (this.unix !== undefined) {
+ return new Date(this.unix * 1000);
+ }
+ if (this.day === undefined || this.month === undefined) {
+ // Can't make a date from this.
+ return undefined;
+ }
+ if (this.year === undefined) {
+ // A date without a year. Set current year, or previous year
+ // if date would be in the future.
+ var now = new Date();
+ this.year = now.getFullYear();
+ var date = this.toDate();
+ if (date.getTime() - now.getTime() > maxFutureDelta) {
+ date.setFullYear(now.getFullYear() - 1);
+ }
+ return date;
+ }
+ var MM = to2Digit(this.month);
+ var DD = to2Digit(this.day);
+ var hh = to2Digit(this.hours);
+ var mm = to2Digit(this.minutes);
+ var ss = to2Digit(this.seconds);
+ return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset);
+ }
+ }
+
+ function date_time_try_pattern(fmt, str, tzOffset) {
+ var date = new DateContainer(tzOffset);
+ var pos = date_time_try_pattern_at_pos(fmt, str, 0, date);
+ return pos !== undefined? date.toDate() : undefined;
+ }
+
+ function date_time_try_pattern_at_pos(fmt, str, pos, date) {
+ var len = str.length;
+ for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) {
+ pos = fmt[proc](str, pos, date);
+ }
+ return pos;
+ }
+
+ function date_time(opts) {
+ return function (evt) {
+ var tzOffset = opts.tz || tz_offset;
+ if (tzOffset === "event") {
+ tzOffset = evt.Get("event.timezone");
+ }
+ var str = date_time_join_args(evt, opts.args);
+ for (var i = 0; i < opts.fmts.length; i++) {
+ var date = date_time_try_pattern(opts.fmts[i], str, tzOffset);
+ if (date !== undefined) {
+ evt.Put(FIELDS_PREFIX + opts.dest, date);
+ return;
+ }
+ }
+ if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str);
+ };
+ }
+
+ var uA = 60 * 60 * 24;
+ var uD = 60 * 60 * 24;
+ var uF = 60 * 60;
+ var uG = 60 * 60 * 24 * 30;
+ var uH = 60 * 60;
+ var uI = 60 * 60;
+ var uJ = 60 * 60 * 24;
+ var uM = 60 * 60 * 24 * 30;
+ var uN = 60 * 60;
+ var uO = 1;
+ var uS = 1;
+ var uT = 60;
+ var uU = 60;
+ var uc = dc;
+
+ function duration(opts) {
+ return function(evt) {
+ var str = date_time_join_args(evt, opts.args);
+ for (var i = 0; i < opts.fmts.length; i++) {
+ var seconds = duration_try_pattern(opts.fmts[i], str);
+ if (seconds !== undefined) {
+ evt.Put(FIELDS_PREFIX + opts.dest, seconds);
+ return;
+ }
+ }
+ if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str);
+ };
+ }
+
+ function duration_try_pattern(fmt, str) {
+ var secs = 0;
+ var pos = 0;
+ for (var i=0; i [ month_id , how many chars to skip if month in long form ]
+ "Jan": [0, 4],
+ "Feb": [1, 5],
+ "Mar": [2, 2],
+ "Apr": [3, 2],
+ "May": [4, 0],
+ "Jun": [5, 1],
+ "Jul": [6, 1],
+ "Aug": [7, 3],
+ "Sep": [8, 6],
+ "Oct": [9, 4],
+ "Nov": [10, 5],
+ "Dec": [11, 4],
+ "jan": [0, 4],
+ "feb": [1, 5],
+ "mar": [2, 2],
+ "apr": [3, 2],
+ "may": [4, 0],
+ "jun": [5, 1],
+ "jul": [6, 1],
+ "aug": [7, 3],
+ "sep": [8, 6],
+ "oct": [9, 4],
+ "nov": [10, 5],
+ "dec": [11, 4],
+ };
+
+ // var dC = undefined;
+ var dR = dateMonthName(true);
+ var dB = dateMonthName(false);
+ var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
+ var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
+ var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
+ var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
+ var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
+ var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
+ var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
+ var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
+ var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
+ var dP = parseAMPM; // AM|PM
+ var dQ = parseAMPM; // A.M.|P.M
+ var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
+ var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
+ var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
+ var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
+ var dZ = parseHMS;
+ var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
+
+ // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
+ // Only works if this modifier appears after the hour has been read from logs
+ // which is always the case in the 300 devices.
+ function parseAMPM(str, pos, date) {
+ var n = str.length;
+ var start = skipws(str, pos);
+ if (start + 2 > n) return;
+ var head = str.substr(start, 2).toUpperCase();
+ var isPM = false;
+ var skip = false;
+ switch (head) {
+ case "A.":
+ skip = true;
+ /* falls through */
+ case "AM":
+ break;
+ case "P.":
+ skip = true;
+ /* falls through */
+ case "PM":
+ isPM = true;
+ break;
+ default:
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
+ return;
+ }
+ pos = start + 2;
+ if (skip) {
+ if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
+ return;
+ }
+ pos += 2;
+ }
+ var hh = date.hours;
+ if (isPM) {
+ // Accept existing hour in 24h format.
+ if (hh < 12) hh += 12;
+ } else {
+ if (hh === 12) hh = 0;
+ }
+ date.setHours(hh);
+ return pos;
+ }
+
+ function parseHMS(str, pos, date) {
+ return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
+ }
+
+ function skipws(str, pos) {
+ for ( var n = str.length;
+ pos < n && str.charAt(pos) === " ";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function skipdigits(str, pos) {
+ var c;
+ for (var n = str.length;
+ pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function dSkip(str, pos, date) {
+ var chr;
+ for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
+ return pos < str.length? pos : undefined;
+ }
+
+ function dateVariableWidthNumber(fmtChar, min, max, setter) {
+ return function (str, pos, date) {
+ var start = skipws(str, pos);
+ pos = skipdigits(str, start);
+ var s = str.substr(start, pos - start);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos;
+ }
+ return;
+ };
+ }
+
+ function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + width > n) return;
+ var s = str.substr(pos, width);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos + width;
+ }
+ return;
+ };
+ }
+
+ // Short month name (Jan..Dec).
+ function dateMonthName(long) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + 3 > n) return;
+ var mon = str.substr(pos, 3);
+ var idx = shortMonths[mon];
+ if (idx === undefined) {
+ idx = shortMonths[mon.toLowerCase()];
+ }
+ if (idx === undefined) {
+ //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
+ return;
+ }
+ date.setMonth(idx[0]+1);
+ return pos + 3 + (long ? idx[1] : 0);
+ };
+ }
+
+ function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.error(fn.name + " failed for '" + value + "'");
+ }
+ };
+ }
+
+ // The following regular expression for parsing URLs from:
+ // https://github.com/wizard04wsu/URI_Parsing
+ //
+ // The MIT License (MIT)
+ //
+ // Copyright (c) 2014 Andrew Harrison
+ //
+ // Permission is hereby granted, free of charge, to any person obtaining a copy of
+ // this software and associated documentation files (the "Software"), to deal in
+ // the Software without restriction, including without limitation the rights to
+ // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ // the Software, and to permit persons to whom the Software is furnished to do so,
+ // subject to the following conditions:
+ //
+ // The above copyright notice and this permission notice shall be included in all
+ // copies or substantial portions of the Software.
+ //
+ // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+ // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+ // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+ // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+ var uriScheme = 1;
+ var uriDomain = 5;
+ var uriPort = 6;
+ var uriPath = 7;
+ var uriPathAlt = 9;
+ var uriQuery = 11;
+
+ function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+ }
+
+ function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+ }
+
+ function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+ }
+
+ var extFromPage = /\.[^.]+$/;
+ function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+ }
+
+ function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+ }
+
+ function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+ }
+
+ var pageFromPathRegExp = /\/([^\/]+)$/;
+ var pageName = 1;
+
+ function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+ }
+
+ function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+ }
+
+ function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+ }
+
+ function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+ }
+
+ // Map common schemes to their default port.
+ // port has to be a string (will be converted at a later stage).
+ var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+ };
+
+ function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+ }
+
+ function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+ }
+
+ function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+ }
+
+ function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+ }
+
+ function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+ }
+
+ function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+ }
+
+ var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]},
+ "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field:
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld2}.%{fld3}^^%{event_type}^^%{saddr}^^%{event_description}^^%{application}", processor_chain([ + dup1, + dup2, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%citrixxa: %{hdatetime}^^%{messageid}^^%{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdatetime"), + constant("^^"), + field("messageid"), + constant("^^"), + field("payload"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%citrixxa: %{hdatetime}^^%{msgIdPart1->} %{msgIdPart2}^^%{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant("_"), + field("msgIdPart2"), + ], + }), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdatetime"), + constant("^^"), + field("msgIdPart1"), + constant(" "), + field("msgIdPart2"), + constant("^^"), + field("payload"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + ]); + + var part1 = match("MESSAGE#0:CONFIGINFO", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}^^%{event_type}^^%{administrator}^^%{shost}^^%{hostname}^^%{operation_id}^^%{obj_type}^^%{obj_name}", processor_chain([ + dup1, + dup2, + lookup({ + dest: "nwparser.operation_id", + map: map_operationtype, + key: field("operation_id"), + }), + lookup({ + dest: "nwparser.obj_type", + map: map_AdminTaskType, + key: field("obj_type"), + }), + ])); + + var msg1 = msg("CONFIGINFO", part1); + + var part2 = match("MESSAGE#1:SESSIONINFO", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}^^%{event_type}^^%{username}^^%{hostname}^^%{saddr}^^%{application}^^%{fld4->} %{fld5}.%{fld6}", processor_chain([ + dup1, + date_time({ + dest: "starttime", + args: ["fld1","fld2"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }), + date_time({ + dest: "endtime", 
+ args: ["fld4","fld5"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }), + ])); + + var msg2 = msg("SESSIONINFO", part2); + + var part3 = match("MESSAGE#2:APPINFO", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}^^%{event_type}^^%{domain}^^%{group_object}^^%{hostname}^^%{application}", processor_chain([ + dup1, + dup2, + ])); + + var msg3 = msg("APPINFO", part3); + + var msg4 = msg("Broker_SDK", dup3); + + var msg5 = msg("ConfigurationLogging", dup3); + + var msg6 = msg("Monitor", dup3); + + var msg7 = msg("Analytics", dup3); + + var msg8 = msg("Storefront", dup3); + + var msg9 = msg("Configuration", dup3); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "APPINFO": msg3, + "Analytics": msg7, + "Broker_SDK": msg4, + "CONFIGINFO": msg1, + "Configuration": msg9, + "ConfigurationLogging": msg5, + "Monitor": msg6, + "SESSIONINFO": msg2, + "Storefront": msg8, + }), + ]); + + var part4 = match("MESSAGE#3:Broker_SDK", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}^^%{event_type}^^%{saddr}^^%{event_description}^^%{application}", processor_chain([ + dup1, + dup2, + ])); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/citrix/0.1.0/dataset/virtualapps/elasticsearch/ingest_pipeline/default.yml b/packages/citrix/0.1.0/dataset/virtualapps/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 0000000000..9b7b503ea6 --- /dev/null +++ b/packages/citrix/0.1.0/dataset/virtualapps/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Citrix XenApp
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/citrix/0.1.0/dataset/virtualapps/fields/base-fields.yml b/packages/citrix/0.1.0/dataset/virtualapps/fields/base-fields.yml
new file mode 100644
index 0000000000..b294eaf20e
--- /dev/null
+++ b/packages/citrix/0.1.0/dataset/virtualapps/fields/base-fields.yml
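Review bot: The `on_failure` handler at the end of this pipeline only appends `error.message`, so an event whose `user_agent`/`geoip` enrichment fails is still indexed looking like any other event and is hard to find afterwards; consider marking it in the same handler, e.g. `- set:` / `field: event.kind` / `value: pipeline_error`, provided the ECS version this package targets (the sibling file pins `ecs.version: 1.5.0`) already defines that value. The `description` also says `Pipeline for Citrix XenApp` while the dataset path is `virtualapps`; aligning the wording avoids confusion when the pipeline is listed next to the dataset it serves.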
@@ -0,0 +1,26 @@
+- name: datastream.type
+ type: constant_keyword
+ description: Datastream type.
+- name: datastream.dataset
+ type: constant_keyword
+ description: Datastream dataset.
+- name: datastream.namespace
+ type: constant_keyword
+ description: Datastream namespace.
+
+- name: dataset.type
+ type: constant_keyword
+ description: >
+ Dataset type.
+- name: dataset.name
+ type: constant_keyword
+ description: >
+ Dataset name.
+- name: dataset.namespace
+ type: constant_keyword
+ description: >
+ Dataset namespace.
+- name: "@timestamp"
+ type: date
+ description: >
+ Event timestamp.
diff --git a/packages/citrix/0.1.0/dataset/virtualapps/fields/ecs.yml b/packages/citrix/0.1.0/dataset/virtualapps/fields/ecs.yml
new file mode 100644
index 0000000000..92af91c339
--- /dev/null
+++ b/packages/citrix/0.1.0/dataset/virtualapps/fields/ecs.yml
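Review bot: `@timestamp` is declared twice for this dataset: here as `name: "@timestamp"` with a folded `>` description, and again in the new `ecs.yml` of the same commit as `- name: '@timestamp'` with `level: core` and `required: true`; one of the two declarations should go, otherwise they drift apart as soon as either is edited. The file also carries both the `dataset.*` and the `datastream.*` constant_keyword families with nothing saying which is the current naming; a one-line comment above the `dataset.*` block, e.g. `# dataset.* kept alongside datastream.*; see package README for which is canonical` (worded to match the actual intent), would save the next reader a search. The description style is inconsistent as well: the `datastream.*` entries use inline descriptions while the `dataset.*` and `@timestamp` entries use `>` blocks.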
@@ -0,0 +1,836 @@ +- name: log + type: group + fields: + - name: original + level: core + type: keyword + ignore_above: 1024 + description: 'This is the original log message and contains the full log message + before splitting it up in multiple parts. + + In contrast to the `message` field which can contain an extracted part of the + log message, this field contains the original, full log message. It can have + already some modifications applied like encoding or new lines removed to clean + up the log message. + + This field is not indexed and doc_values are disabled so it can''t be queried + but the value can be retrieved from `_source`.' + example: Sep 19 08:26:10 localhost My log + - name: level + level: core + type: keyword + ignore_above: 1024 + description: 'Original log level of the log event. + + If the source of the event provides a log level or textual severity, this is + the one that goes in `log.level`. If your source doesn''t specify one, you may + put your event transport''s severity here (e.g. Syslog severity). + + Some examples are `warn`, `err`, `i`, `informational`.' + example: error + - name: syslog + type: group + fields: + - name: priority + level: extended + type: long + format: string + description: 'Syslog numeric priority of the event, if available. + + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. + This number is therefore expected to contain a value between 0 and 191.' + example: 135 + - name: facility + type: group + fields: + - name: code + level: extended + type: long + format: string + description: 'The Syslog numeric facility of the log event, if available. + + According to RFCs 5424 and 3164, this value should be an integer between + 0 and 23.' + example: 23 + - name: severity + type: group + fields: + - name: code + level: extended + type: long + description: 'The Syslog numeric severity of the log event, if available. 
+ + If the event source publishing via Syslog provides a different numeric severity + value (e.g. firewall, IDS), your source''s numeric severity should go to + `event.severity`. If the event source does not specify a distinct severity, + you can optionally copy the Syslog severity to `event.severity`.' + example: 3 +- name: event + type: group + fields: + - name: code + level: extended + type: keyword + ignore_above: 1024 + description: 'Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, regardless + of message language or wording adjustments over time. An example of this is + the Windows Event ID.' + example: 4648 + - name: action + level: core + type: keyword + ignore_above: 1024 + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is normally + defined by the implementer.' + example: user-password-change + - name: outcome + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + lowest level in the ECS category hierarchy. + + `event.outcome` simply denotes whether the event represents a success or a failure + from the perspective of the entity that produced the event. + + Note that when a single transaction is described in multiple events, each event + may populate different values of `event.outcome`, according to their perspective. + + Also note that in the case of a compound event (a single event that contains + multiple logical events), this field should be populated with the value that + best captures the overall success or failure from the perspective of the event + producer. + + Further note that not all events will have an associated outcome. 
For example, + this field is generally not populated for metric events, events with `event.type:info`, + or any events for which an outcome does not make logical sense.' + example: success + - name: category + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as a + subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + - name: timezone + level: extended + type: keyword + ignore_above: 1024 + description: 'This field should be populated when the event''s timestamp does + not include timezone information already (e.g. default Syslog timestamps). It''s + optional otherwise. + + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated + (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' +- name: '@timestamp' + level: core + required: true + type: date + description: 'Date/time when the event originated. + + This is the date/time extracted from the event, typically representing when the + event was generated by the source. + + If the event source has no original timestamp, this value is typically populated + by the first time the event was received by the pipeline. + + Required field for all events.' + example: '2016-05-23T08:05:34.853Z' +- name: user + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. 
+ example: albert + - name: full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifiers of the user. +- name: message + level: core + type: text + description: 'For log events the message field contains the log message, optimized + for viewing in a log viewer. + + For structured logs without an original message field, other fields can be concatenated + to form a human-readable summary of the event. + + If multiple messages exist, they can be combined into one message.' + example: Hello World +- name: source + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the source. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the source. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the source. + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. 
internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Source domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: host + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified + domain name, or a name specified by the user. The sender decides which value + to use.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. +- name: destination + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the destination. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the destination. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event destination addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. 
You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the destination to the source. + example: 184 + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the destination. + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of destination based NAT sessions (e.g. internet + to private DMZ) + + Typically used with load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Port the source session is translated to by NAT Device. + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Destination domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: network + type: group + fields: + - name: protocol + level: core + type: keyword + ignore_above: 1024 + description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: http + - name: application + level: extended + type: keyword + ignore_above: 1024 + description: 'A name given to an application level protocol. This can be arbitrarily + assigned for things like microservices, but also apply to things like skype, + icq, facebook, twitter. 
This would be used in situations where the vendor or + service can be decoded such as from the source/dest IP owners, ports, or wire + format. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: aim + - name: interface + type: group + fields: + - type: keyword + name: name + - name: bytes + level: core + type: long + format: bytes + description: 'Total bytes transferred in both directions. + + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their + sum.' + example: 368 + - name: direction + level: core + type: keyword + ignore_above: 1024 + description: "Direction of the network traffic.\nRecommended values are:\n *\ + \ inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen mapping\ + \ events from a host-based monitoring context, populate this field from the\ + \ host's point of view.\nWhen mapping events from a network or perimeter-based\ + \ monitoring context, populate this field from the point of view of your network\ + \ perimeter." + example: inbound + - name: packets + level: core + type: long + description: 'Total packets transferred in both directions. + + If `source.packets` and `destination.packets` are known, `network.packets` is + their sum.' + example: 24 + - name: forwarded_ip + level: core + type: ip + description: Host IP address when the source IP address is the proxy. + example: 192.1.1.2 +- name: observer + type: group + fields: + - name: version + level: core + type: keyword + ignore_above: 1024 + description: Observer version. + - name: product + level: extended + type: keyword + ignore_above: 1024 + description: The product name of the observer. + example: s200 + - name: ingress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. 
+ example: eth0 + default_field: false + - name: egress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. + example: eth0 + default_field: false +- name: file + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. + example: example.png + - name: directory + level: extended + type: keyword + ignore_above: 1024 + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + - name: size + level: extended + type: long + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: File type (file, dir, or symlink). + example: file + - name: extension + level: extended + type: keyword + ignore_above: 1024 + description: File extension. + example: png + - name: path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + - name: attributes + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' 
+ example: '["readonly", "system"]' + default_field: false +- name: url + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + - name: query + level: extended + type: keyword + ignore_above: 1024 + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there is + no query field. If there is a `?` but no query, the query field exists with + an empty string. The `exists` query can be used to differentiate between the + two cases.' + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field.' + example: www.elastic.co + - name: path + level: extended + type: keyword + ignore_above: 1024 + description: Path of the request, such as "/search". + - name: top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for google.com is "com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). 
Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.google.com" is "google.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: google.com +- name: service + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the service data is collected from. + + The name of the service is normally user given. This allows for distributed + services that run on multiple hosts to correlate the related instances based + on the name. + + In the case of Elasticsearch the `service.name` could contain the cluster name. + For Beats the `service.name` is by default a copy of the `service.type` field + if no name is specified.' + example: elasticsearch-metrics +- name: server + type: group + fields: + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Server domain. +- name: process + type: group + fields: + - name: pid + level: core + type: long + format: string + description: Process id. + example: 4242 + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + - name: ppid + level: extended + type: long + format: string + description: Parent process' pid. 
+ example: 4241 + - name: parent + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' +- name: rule + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: The name of the rule or signature generating the event. + example: BLOCK_DNS_over_TLS + default_field: false +- name: user_agent + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Unparsed user_agent string. + example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 + (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 +- name: http + type: group + fields: + - name: response + type: group + fields: + - name: body + type: group + fields: + - name: content + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: The full HTTP response body. 
+ example: Hello world + - name: request + type: group + fields: + - name: referrer + level: extended + type: keyword + ignore_above: 1024 + description: Referrer for this HTTP request. + example: https://blog.example.com/ + - name: method + level: extended + type: keyword + ignore_above: 1024 + description: 'HTTP request method. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: get, post, put +- name: geo + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + - name: region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec +- name: dns + type: group + fields: + - name: question + type: group + fields: + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of record being queried. + example: AAAA + - name: answers + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'The domain name to which this resource record pertains. + + If a chain of CNAME is being resolved, each answer''s `name` should be the + one that corresponds with the answer''s `data`. It should not simply be the + original `question.name` repeated.' + example: www.google.com + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of data contained in this resource record. 
+ example: CNAME
diff --git a/packages/citrix/0.1.0/dataset/virtualapps/fields/fields.yml b/packages/citrix/0.1.0/dataset/virtualapps/fields/fields.yml
new file mode 100644
index 0000000000..2abc947fe7
--- /dev/null
+++ b/packages/citrix/0.1.0/dataset/virtualapps/fields/fields.yml
@@ -0,0 +1,1939 @@
+- name: rsa
+ type: group
+ fields:
+ - name: internal
+ type: group
+ fields:
+ - name: msg
+ type: keyword
+ description: This key is used to capture the raw message that comes into the
+ Log Decoder
+ - name: messageid
+ type: keyword
+ - name: event_desc
+ type: keyword
+ - name: message
+ type: keyword
+ description: This key captures the contents of instant messages
+ - name: time
+ type: date
+ description: This is the time at which a session hits a NetWitness Decoder.
+ This key should never be used to parse Meta data from a session (Logs/Packets)
+ Directly, this is a Reserved key in NetWitness.
+ - name: level
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: msg_id
+ type: keyword
+ description: This is the Message ID1 value that identifies the exact log parser
+ definition which parses a particular log session. This key should never be
+ used to parse Meta data from a session (Logs/Packets) Directly, this is a
+ Reserved key in NetWitness
+ - name: msg_vid
+ type: keyword
+ description: This is the Message ID2 value that identifies the exact log parser
+ definition which parses a particular log session. This key should never be
+ used to parse Meta data from a session (Logs/Packets) Directly, this is a
+ Reserved key in NetWitness
+ - name: data
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_server
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_val
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: resource
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_id
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: statement
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: audit_class
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a 
generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare
+ type: group
+ fields:
+ - name: patient_fname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ type: group
+ fields:
+ - name: host_state
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/packages/citrix/0.1.0/dataset/virtualapps/manifest.yml b/packages/citrix/0.1.0/dataset/virtualapps/manifest.yml
new file mode 100644
index 0000000000..efef89b65e
--- /dev/null
+++ b/packages/citrix/0.1.0/dataset/virtualapps/manifest.yml
@@ -0,0 +1,155 @@
+title: Citrix XenApp logs
+release: experimental
+type: logs
+streams:
+- input: udp
+ title: Citrix XenApp logs
+ description: Collect Citrix XenApp logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - citrix-virtualapps
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9507
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: tcp
+ title: Citrix XenApp logs
+ description: Collect Citrix XenApp logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - citrix-virtualapps
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9507
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: file
+ title: Citrix XenApp logs
+ description: Collect Citrix XenApp logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/citrix-virtualapps.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - citrix-virtualapps
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
diff --git a/packages/citrix/0.1.0/docs/README.md b/packages/citrix/0.1.0/docs/README.md
new file mode 100644
index 0000000000..2e5bfe2d87
--- /dev/null
+++ b/packages/citrix/0.1.0/docs/README.md
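Review bot: The `tcp` stream exposes only `tcp_host` and `tcp_port`; no variable enables TLS on the listener, so XenApp logs forwarded over TCP arrive in cleartext and any host that can reach port 9507 can inject events into the `citrix-virtualapps` dataset (the `udp` stream has the same exposure by nature of the transport). If the tcp input behind `tcp.yml.hbs` supports TLS settings, consider exposing them as an `ssl` var (`required: false`, `show_user: true`) so operators can require client certificates from forwarders; the `localhost` default only helps while a trusted local relay sits in front of the listener. `keep_raw_fields` retains the unparsed parser fields, and the exported field list in this package's README includes `rsa.identity.password`, so the var's title could warn operators, e.g. `title: Keep raw parser fields (may retain credentials seen in messages)`. Minor consistency point: the `file` stream omits `template_path` where the `udp` and `tcp` streams set it, presumably relying on a default template; stating it explicitly would make the three streams uniform.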
@@ -0,0 +1,780 @@ +# Citrix integration + +This integration is for Citrix device's logs. It includes the following +datasets for receiving logs over syslog or read from a file: +- `virtualapps` dataset: supports Citrix XenApp logs. + +### Virtualapps + +The `virtualapps` dataset collects Citrix XenApp logs. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| dataset.name | Dataset name. | constant_keyword | +| dataset.namespace | Dataset namespace. | constant_keyword | +| dataset.type | Dataset type. | constant_keyword | +| datastream.dataset | Datastream dataset. | constant_keyword | +| datastream.namespace | Datastream namespace. | constant_keyword | +| datastream.type | Datastream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | Destination domain. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location.lat | | double | +| destination.geo.location.lon | | double | +| destination.ip | IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses. | ip | +| destination.mac | MAC address of the destination. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. 
| keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| http.request.method | HTTP request method. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.body.content | The full HTTP response body. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. 
| keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | +| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.pid | Process id. | long | +| process.ppid | Parent process' pid. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. 
| keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is 
used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| rsa.crypto.ike | IKE negotiation phase. 
| keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | +| rsa.file.directory_dst | This key is used to capture the directory of the target process or file | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | +| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.event_desc | | keyword | +| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | +| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | +| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.inode | Deprecated key defined only in table map. | long | +| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | +| rsa.internal.level | Deprecated key defined only in table map. | long | +| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | +| rsa.internal.message | This key captures the contents of instant messages | keyword | +| rsa.internal.messageid | | keyword | +| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | +| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.site | Deprecated key defined only in table map. | keyword | +| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.statement | Deprecated key defined only in table map. | keyword | +| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | +| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | +| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | +| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | +| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | +| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | +| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | +| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | +| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | +| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | +| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | +| rsa.investigations.event_cat | This key captures the Event category number | long | +| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | +| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | +| rsa.investigations.inv_category | This used to capture investigation category | keyword | +| rsa.investigations.inv_context | This used to capture investigation context | keyword | +| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | +| rsa.misc.OS | This key captures the Name of the Operating System | keyword | +| rsa.misc.acl_id | | keyword | +| rsa.misc.acl_op | | keyword | +| rsa.misc.acl_pos | | keyword | +| rsa.misc.acl_table | | keyword | +| rsa.misc.action | | keyword | +| rsa.misc.admin | | keyword | +| rsa.misc.agent_id | This key is used to capture agent id | keyword | +| rsa.misc.alarm_id | | keyword | +| rsa.misc.alarmname | | keyword | +| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.app_id | | keyword | +| rsa.misc.audit | | keyword | +| rsa.misc.audit_object | | keyword | +| rsa.misc.auditdata | | keyword | +| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | +| rsa.misc.benchmark | | keyword | +| rsa.misc.bypass | | keyword | +| rsa.misc.cache | | keyword | +| rsa.misc.cache_hit | | keyword | +| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | +| rsa.misc.cc_number | Valid Credit Card Numbers only | long | +| rsa.misc.cefversion | | keyword | +| rsa.misc.cfg_attr | | keyword | +| rsa.misc.cfg_obj | | keyword | +| rsa.misc.cfg_path | | keyword | +| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | +| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | +| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | +| rsa.misc.changes | | keyword | +| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | +| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | +| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | +| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | +| rsa.misc.client_ip | | keyword | +| rsa.misc.clustermembers | | keyword | +| rsa.misc.cmd | | keyword | +| rsa.misc.cn_acttimeout | | keyword | +| rsa.misc.cn_asn_src | | keyword | +| rsa.misc.cn_bgpv4nxthop | | keyword | +| rsa.misc.cn_ctr_dst_code | | keyword | +| rsa.misc.cn_dst_tos | | keyword | +| rsa.misc.cn_dst_vlan | | keyword | +| rsa.misc.cn_engine_id | | keyword | +| rsa.misc.cn_engine_type | | keyword | +| rsa.misc.cn_f_switch | | keyword | +| rsa.misc.cn_flowsampid | | keyword | +| rsa.misc.cn_flowsampintv | | keyword | +| rsa.misc.cn_flowsampmode | | keyword | +| rsa.misc.cn_inacttimeout | | keyword | +| rsa.misc.cn_inpermbyts | | keyword | +| rsa.misc.cn_inpermpckts | | keyword | +| rsa.misc.cn_invalid | | keyword | +| rsa.misc.cn_ip_proto_ver | | keyword | +| rsa.misc.cn_ipv4_ident | | keyword | +| rsa.misc.cn_l_switch | | keyword | +| rsa.misc.cn_log_did | | keyword | +| rsa.misc.cn_log_rid | | keyword | +| rsa.misc.cn_max_ttl | | keyword | +| rsa.misc.cn_maxpcktlen | | keyword | +| rsa.misc.cn_min_ttl | | keyword | +| rsa.misc.cn_minpcktlen | | keyword | +| rsa.misc.cn_mpls_lbl_1 | | keyword | +| rsa.misc.cn_mpls_lbl_10 | | keyword | +| rsa.misc.cn_mpls_lbl_2 | | keyword | +| rsa.misc.cn_mpls_lbl_3 | | keyword | +| rsa.misc.cn_mpls_lbl_4 | | keyword | +| rsa.misc.cn_mpls_lbl_5 | 
| keyword | +| rsa.misc.cn_mpls_lbl_6 | | keyword | +| rsa.misc.cn_mpls_lbl_7 | | keyword | +| rsa.misc.cn_mpls_lbl_8 | | keyword | +| rsa.misc.cn_mpls_lbl_9 | | keyword | +| rsa.misc.cn_mplstoplabel | | keyword | +| rsa.misc.cn_mplstoplabip | | keyword | +| rsa.misc.cn_mul_dst_byt | | keyword | +| rsa.misc.cn_mul_dst_pks | | keyword | +| rsa.misc.cn_muligmptype | | keyword | +| rsa.misc.cn_sampalgo | | keyword | +| rsa.misc.cn_sampint | | keyword | +| rsa.misc.cn_seqctr | | keyword | +| rsa.misc.cn_spackets | | keyword | +| rsa.misc.cn_src_tos | | keyword | +| rsa.misc.cn_src_vlan | | keyword | +| rsa.misc.cn_sysuptime | | keyword | +| rsa.misc.cn_template_id | | keyword | +| rsa.misc.cn_totbytsexp | | keyword | +| rsa.misc.cn_totflowexp | | keyword | +| rsa.misc.cn_totpcktsexp | | keyword | +| rsa.misc.cn_unixnanosecs | | keyword | +| rsa.misc.cn_v6flowlabel | | keyword | +| rsa.misc.cn_v6optheaders | | keyword | +| rsa.misc.code | | keyword | +| rsa.misc.command | | keyword | +| rsa.misc.comments | Comment information provided in the log message | keyword | +| rsa.misc.comp_class | | keyword | +| rsa.misc.comp_name | | keyword | +| rsa.misc.comp_rbytes | | keyword | +| rsa.misc.comp_sbytes | | keyword | +| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | +| rsa.misc.connection_id | This key captures the Connection ID | keyword | +| rsa.misc.content | This key captures the content type from protocol headers | keyword | +| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | +| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | +| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | +| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | +| rsa.misc.context_target | | keyword | +| rsa.misc.count | | keyword | +| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | +| rsa.misc.cpu_data | | keyword | +| rsa.misc.criticality | | keyword | +| rsa.misc.cs_agency_dst | | keyword | +| rsa.misc.cs_analyzedby | | keyword | +| rsa.misc.cs_av_other | | keyword | +| rsa.misc.cs_av_primary | | keyword | +| rsa.misc.cs_av_secondary | | keyword | +| rsa.misc.cs_bgpv6nxthop | | keyword | +| rsa.misc.cs_bit9status | | keyword | +| rsa.misc.cs_context | | keyword | +| rsa.misc.cs_control | | keyword | +| rsa.misc.cs_data | | keyword | +| rsa.misc.cs_datecret | | keyword | +| rsa.misc.cs_dst_tld | | keyword | +| rsa.misc.cs_eth_dst_ven | | keyword | +| rsa.misc.cs_eth_src_ven | | keyword | +| rsa.misc.cs_event_uuid | | keyword | +| rsa.misc.cs_filetype | | keyword | +| rsa.misc.cs_fld | | keyword | +| rsa.misc.cs_if_desc | | keyword | +| rsa.misc.cs_if_name | | keyword | +| rsa.misc.cs_ip_next_hop | | keyword | +| rsa.misc.cs_ipv4dstpre | | keyword | +| rsa.misc.cs_ipv4srcpre | | keyword | +| rsa.misc.cs_lifetime | | keyword | +| rsa.misc.cs_log_medium | | keyword | +| rsa.misc.cs_loginname | | keyword | +| rsa.misc.cs_modulescore | | keyword | +| rsa.misc.cs_modulesign | | keyword | +| rsa.misc.cs_opswatresult | | keyword | +| rsa.misc.cs_payload | | keyword | +| rsa.misc.cs_registrant | | keyword | +| rsa.misc.cs_registrar | | keyword | +| rsa.misc.cs_represult | | keyword | +| rsa.misc.cs_rpayload | | keyword | +| rsa.misc.cs_sampler_name | | keyword | +| rsa.misc.cs_sourcemodule | | keyword | +| rsa.misc.cs_streams | | keyword | +| rsa.misc.cs_targetmodule | | keyword | +| rsa.misc.cs_v6nxthop | | keyword | +| rsa.misc.cs_whois_server | | keyword | +| rsa.misc.cs_yararesult | | keyword | +| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | +| rsa.misc.data_type | | keyword | +| rsa.misc.description | | keyword | +| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | +| rsa.misc.devvendor | | keyword | +| rsa.misc.disposition | This key captures the The end state of an action. | keyword | +| rsa.misc.distance | | keyword | +| rsa.misc.doc_number | This key captures File Identification number | long | +| rsa.misc.dstburb | | keyword | +| rsa.misc.edomain | | keyword | +| rsa.misc.edomaub | | keyword | +| rsa.misc.ein_number | Employee Identification Numbers only | long | +| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | +| rsa.misc.euid | | keyword | +| rsa.misc.event_category | | keyword | +| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | +| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | +| rsa.misc.event_id | | keyword | +| rsa.misc.event_log | This key captures the Name of the event log | keyword | +| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | +| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | +| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | +| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | +| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | +| rsa.misc.facility | | keyword | +| rsa.misc.facilityname | | keyword | +| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | +| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | +| rsa.misc.finterface | | keyword | +| rsa.misc.flags | | keyword | +| rsa.misc.forensic_info | | keyword | +| rsa.misc.found | This is used to capture the results of regex match | keyword | +| rsa.misc.fresult | This key captures the Filter Result | long | +| rsa.misc.gaddr | | keyword | +| rsa.misc.group | This key captures the Group Name value | keyword | +| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | +| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | +| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | +| rsa.misc.id3 | | keyword | +| rsa.misc.im_buddyid | | keyword | +| rsa.misc.im_buddyname | | keyword | +| rsa.misc.im_client | | keyword | +| rsa.misc.im_croomid | | keyword | +| rsa.misc.im_croomtype | | keyword | +| rsa.misc.im_members | | keyword | +| rsa.misc.im_userid | | keyword | +| rsa.misc.im_username | | keyword | +| rsa.misc.index | | keyword | +| rsa.misc.inout | | keyword | +| rsa.misc.ipkt | | keyword | +| rsa.misc.ipscat | | keyword | +| rsa.misc.ipspri | | keyword | +| rsa.misc.job_num | This key captures the Job Number | keyword | +| rsa.misc.jobname | | keyword | +| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | +| rsa.misc.latitude | | keyword | +| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | +| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | +| rsa.misc.linenum | | keyword | +| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.misc.list_name | | keyword | +| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | +| rsa.misc.load_data | | keyword | +| rsa.misc.location_floor | | keyword | +| rsa.misc.location_mark | | keyword | +| rsa.misc.log_id | | keyword | +| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | +| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | +| rsa.misc.log_type | | keyword | +| rsa.misc.logid | | keyword | +| rsa.misc.logip | | keyword | +| rsa.misc.logname | | keyword | +| rsa.misc.longitude | | keyword | +| rsa.misc.lport | | keyword | +| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | +| rsa.misc.match | This key is for regex match name from search.ini | keyword | +| rsa.misc.mbug_data | | keyword | +| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | +| rsa.misc.misc | | keyword | +| rsa.misc.misc_name | | keyword | +| rsa.misc.mode | | keyword | +| rsa.misc.msgIdPart1 | | keyword | +| rsa.misc.msgIdPart2 | | keyword | +| rsa.misc.msgIdPart3 | | keyword | +| rsa.misc.msgIdPart4 | | keyword | +| rsa.misc.msg_type | | keyword | +| rsa.misc.msgid | | keyword | +| rsa.misc.name | | keyword | +| rsa.misc.netsessid | | keyword | +| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long 
| +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target **VMWARE** only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword |
+| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword |
+| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword |
+| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword |
+| rsa.threat.alert | This key is used to capture name of the alert | keyword |
+| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword |
+| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword |
+| rsa.threat.threat_source | This key is used to capture source of the threat | keyword |
+| rsa.time.date | | keyword |
+| rsa.time.datetime | | keyword |
+| rsa.time.day | | keyword |
+| rsa.time.duration_str | A text string version of the duration | keyword |
+| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double |
+| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date |
+| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date |
+| rsa.time.event_queue_time | This key is the Time that the event was queued. | date |
+| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date |
+| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword |
+| rsa.time.eventtime | | keyword |
+| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date |
+| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword |
+| rsa.time.gmtdate | | keyword |
+| rsa.time.gmttime | | keyword |
+| rsa.time.hour | | keyword |
+| rsa.time.min | | keyword |
+| rsa.time.month | | keyword |
+| rsa.time.p_date | | keyword |
+| rsa.time.p_month | | keyword |
+| rsa.time.p_time | | keyword |
+| rsa.time.p_time1 | | keyword |
+| rsa.time.p_time2 | | keyword |
+| rsa.time.p_year | | keyword |
+| rsa.time.process_time | Deprecated, use duration.time | keyword |
+| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date |
+| rsa.time.stamp | Deprecated key defined only in table map. | date |
+| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date |
+| rsa.time.timestamp | | keyword |
+| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword |
+| rsa.time.tzone | | keyword |
+| rsa.time.year | | keyword |
+| rsa.web.alias_host | | keyword |
+| rsa.web.cn_asn_dst | | keyword |
+| rsa.web.cn_rpackets | | keyword |
+| rsa.web.fqdn | Fully Qualified Domain Names | keyword |
+| rsa.web.p_url | | keyword |
+| rsa.web.p_user_agent | | keyword |
+| rsa.web.p_web_cookie | | keyword |
+| rsa.web.p_web_method | | keyword |
+| rsa.web.p_web_referer | | keyword |
+| rsa.web.remote_domain | | keyword |
+| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double |
+| rsa.web.urlpage | | keyword |
+| rsa.web.urlroot | | keyword |
+| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword |
+| rsa.web.web_extension_tmp | | keyword |
+| rsa.web.web_page | | keyword |
+| rsa.web.web_ref_domain | Web referer's domain | keyword |
+| rsa.web.web_ref_page | This key captures Web referer's page information | keyword |
+| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword |
+| rsa.web.web_ref_root | Web referer's root URL path | keyword |
+| rsa.wireless.access_point | This key is used to capture the access point name. | keyword |
+| rsa.wireless.wlan_channel | This is used to capture the channel names | long |
+| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword |
+| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword |
+| rule.name | The name of the rule or signature generating the event. | keyword |
+| server.domain | Server domain. | keyword |
+| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.domain | Source domain. | keyword |
+| source.geo.city_name | City name. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location.lat | | double |
+| source.geo.location.lon | | double |
+| source.ip | IP address of the source. Can be one or multiple IPv4 or IPv6 addresses. 
| ip |
+| source.mac | MAC address of the source. | keyword |
+| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
+| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
+| source.port | Port of the source. | long |
+| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | keyword |
+| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword |
+| url.path | Path of the request, such as "/search". | keyword |
+| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
+| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.id | Unique identifiers of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user_agent.original | Unparsed user_agent string. | keyword |
diff --git a/packages/citrix/0.1.0/img/logo.svg b/packages/citrix/0.1.0/img/logo.svg
new file mode 100644
index 0000000000..2c8858cb9f
--- /dev/null
+++ b/packages/citrix/0.1.0/img/logo.svg
@@ -0,0 +1,37 @@
+ + + + + + + + + + + + + + + + + + + + + +
diff --git a/packages/citrix/0.1.0/manifest.yml b/packages/citrix/0.1.0/manifest.yml
new file mode 100644
index 0000000000..0e80ef974a
--- /dev/null
+++ b/packages/citrix/0.1.0/manifest.yml
@@ -0,0 +1,36 @@
+format_version: 1.0.0
+name: citrix
+title: Citrix XenApp
+version: 0.1.0
+description: Citrix XenApp Integration
+categories: ["os_system"]
+release: experimental
+removable: true
+license: basic
+type: integration
+conditions:
+ kibana:
+ version: '>=7.9.0'
+ elasticsearch:
+ version: '>=7.9.0'
+config_templates:
+- name: virtualapps
+ title: Citrix XenApp
+ description: Collect Citrix XenApp logs from syslog or a file.
+ inputs:
+ - type: udp
+ title: Collect logs from Citrix XenApp via UDP
+ description: Collecting syslog from Citrix XenApp via UDP
+ - type: tcp
+ title: Collect logs from Citrix XenApp via TCP
+ description: Collecting syslog from Citrix XenApp via TCP
+ - type: file
+ title: Collect logs from Citrix XenApp via file
+ description: Collecting syslog from Citrix XenApp via file.
+# No icon
+icons:
+ - src: /img/logo.svg
+ title: Citrix XenApp logo
+ size: 32x32
+ type: image/svg+xml
+
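Review bot: The `# No icon` comment sits directly above an `icons:` block that registers `/img/logo.svg`, which this same commit adds as packages/citrix/0.1.0/img/logo.svg, so the comment states the opposite of what the manifest does. Either delete the line or make it describe the entry, e.g. `# Package icon shown in Kibana; source file is img/logo.svg`. Comments like this tend to be carried over when a manifest is copied from another package, so it is worth checking the other new package manifests in this commit for the same leftover.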
diff --git a/packages/cylance/0.1.0/dataset/protect/agent/stream/stream.yml.hbs b/packages/cylance/0.1.0/dataset/protect/agent/stream/stream.yml.hbs
new file mode 100644
index 0000000000..918d290d99
--- /dev/null
+++ b/packages/cylance/0.1.0/dataset/protect/agent/stream/stream.yml.hbs
@@ -0,0 +1,3366 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Cylance" + product: "Protect" + type: "Anti-Virus" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage).
+ var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+ };
+
+ function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+ }
+
+ function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+ }
+
+ function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+ }
+
+ function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+ }
+
+ function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+ }
+
+ function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+ }
+
+ var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]},
+ "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld14->} %{p0}"); + + var dup3 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}"); + + var dup4 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", " %{fld5->} Event Type: AuditLog, Event Name: %{p0}"); + + var dup5 = match("MESSAGE#0:CylancePROTECT:01/5", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{mail_id})"); + + var dup6 = setc("eventcategory","1901000000"); + + var dup7 = setc("vendor_event_cat"," AuditLog"); + + var dup8 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup9 = field("event_type"); + + var dup10 = field("event_cat"); + + var dup11 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); + + var dup12 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}"); + + var dup13 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", " %{fld5->} Event Type: ScriptControl, Event Name: %{p0}"); + + var dup14 = match("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "%{info}"); + + var dup15 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}"); + + var dup16 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", " %{fld5->} Event Type: %{p0}"); + + var dup17 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}"); + + var dup18 = match("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "%{os}"); + + var dup19 = date_time({ + dest: "event_time", + args: ["hmonth","hdate","hhour","hmin","hsec"], + fmts: [ + [dB,dF,dN,dU,dO], + ], + }); + + var dup20 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}"); + + var dup21 = constant("1701000000"); + + var dup22 = 
constant("1804000000"); + + var dup23 = constant("1003010000"); + + var dup24 = linear_select([ + dup3, + dup4, + ]); + + var dup25 = lookup({ + dest: "nwparser.event_cat", + map: map_getEventLegacyCategory, + key: dup9, + }); + + var dup26 = lookup({ + dest: "nwparser.event_cat_name", + map: map_getEventLegacyCategoryName, + key: dup10, + }); + + var dup27 = linear_select([ + dup12, + dup13, + ]); + + var dup28 = linear_select([ + dup15, + dup16, + ]); + + var dup29 = linear_select([ + dup17, + dup18, + ]); + + var dup30 = linear_select([ + dup20, + dup14, + ]); + + var hdr1 = match("HEADER#0:0001", "message", "%{hday}-%{hmonth}-%{hyear->} %{hhour}:%{hmin}:%{hsec->} %{hseverity->} %{hhost->} %{hfld2->} \u003c\u003c%{fld44}>%{hfld3->} %{hdate}T%{htime}.%{hfld4->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0001"), + dup1, + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{hdate}T%{htime}.%{hfld2->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0002"), + dup1, + ])); + + var hdr3 = match("HEADER#2:0004", "message", "%{hdate}T%{htime}.%{hfld2->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0004"), + dup1, + ])); + + var hdr4 = match("HEADER#3:0003", "message", "%{hmonth->} %{hdate->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} CylancePROTECT Event Type:%{vendor_event_cat}, %{payload}", processor_chain([ + setc("header_id","0003"), + dup1, + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var part1 = match("MESSAGE#0:CylancePROTECT:01/2", "nwparser.p0", "%{event_type}, Message: S%{p0}"); + + var part2 = match("MESSAGE#0:CylancePROTECT:01/3_0", "nwparser.p0", "ource: %{product}; SHA256: %{checksum}; %{p0}"); + + var part3 = match("MESSAGE#0:CylancePROTECT:01/3_1", "nwparser.p0", "HA256: %{checksum}; %{p0}"); + + var select2 = linear_select([ + part2, + part3, + ]); + + var part4 = match("MESSAGE#0:CylancePROTECT:01/4_0", 
"nwparser.p0", "Category: %{category}; Reason: %{result}, User: %{p0}"); + + var part5 = match("MESSAGE#0:CylancePROTECT:01/4_1", "nwparser.p0", "Reason: %{result}, User: %{p0}"); + + var select3 = linear_select([ + part4, + part5, + ]); + + var all1 = all_match({ + processors: [ + dup2, + dup24, + part1, + select2, + select3, + dup5, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + dup25, + dup26, + ]), + }); + + var msg1 = msg("CylancePROTECT:01", all1); + + var part6 = match("MESSAGE#1:CylancePROTECT:02/3_0", "nwparser.p0", "Device: %{node}; SHA256: %{p0}"); + + var part7 = match("MESSAGE#1:CylancePROTECT:02/3_1", "nwparser.p0", "Policy: %{policyname}; SHA256: %{p0}"); + + var select4 = linear_select([ + part6, + part7, + ]); + + var part8 = match("MESSAGE#1:CylancePROTECT:02/4_0", "nwparser.p0", "%{checksum}; Category: %{category}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var part9 = match("MESSAGE#1:CylancePROTECT:02/4_1", "nwparser.p0", "%{checksum}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var select5 = linear_select([ + part8, + part9, + ]); + + var all2 = all_match({ + processors: [ + dup2, + dup24, + dup11, + select4, + select5, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + dup25, + dup26, + ]), + }); + + var msg2 = msg("CylancePROTECT:02", all2); + + var part10 = match("MESSAGE#2:CylancePROTECT:03/3_0", "nwparser.p0", "Devices: %{node},%{p0}"); + + var part11 = match("MESSAGE#2:CylancePROTECT:03/3_1", "nwparser.p0", "Device: %{node};%{p0}"); + + var part12 = match("MESSAGE#2:CylancePROTECT:03/3_2", "nwparser.p0", "Policy: %{policyname},%{p0}"); + + var select6 = linear_select([ + part10, + part11, + part12, + ]); + + var part13 = match("MESSAGE#2:CylancePROTECT:03/4", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all3 = all_match({ + processors: [ + dup2, + dup24, + dup11, + select6, + part13, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + 
dup25, + dup26, + ]), + }); + + var msg3 = msg("CylancePROTECT:03", all3); + + var part14 = match("MESSAGE#3:CylancePROTECT:04/2", "nwparser.p0", "%{event_type}, Message: Zone: %{info}; Policy: %{policyname}; Value: %{fld3}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all4 = all_match({ + processors: [ + dup2, + dup24, + part14, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + dup25, + dup26, + ]), + }); + + var msg4 = msg("CylancePROTECT:04", all4); + + var part15 = match("MESSAGE#4:CylancePROTECT:05/3_0", "nwparser.p0", "Policy Assigned:%{signame}; Devices: %{node->} , User: %{p0}"); + + var part16 = match("MESSAGE#4:CylancePROTECT:05/3_1", "nwparser.p0", " Provider: %{product}, Source IP: %{saddr}, User: %{p0}"); + + var part17 = match("MESSAGE#4:CylancePROTECT:05/3_2", "nwparser.p0", "%{info}, User: %{p0}"); + + var select7 = linear_select([ + part15, + part16, + part17, + ]); + + var all5 = all_match({ + processors: [ + dup2, + dup24, + dup11, + select7, + dup5, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + dup25, + dup26, + ]), + }); + + var msg5 = msg("CylancePROTECT:05", all5); + + var part18 = match("MESSAGE#5:CylancePROTECT:06/2", "nwparser.p0", "%{event_type}, Message: The Device: %{node->} was auto assigned to the Zone: IP Address: %{p0}"); + + var part19 = match("MESSAGE#5:CylancePROTECT:06/3_0", "nwparser.p0", "Fake Devices, User: %{p0}"); + + var part20 = match("MESSAGE#5:CylancePROTECT:06/3_1", "nwparser.p0", "%{saddr}, User: %{p0}"); + + var select8 = linear_select([ + part19, + part20, + ]); + + var part21 = match("MESSAGE#5:CylancePROTECT:06/4_0", "nwparser.p0", " (%{mail_id})"); + + var select9 = linear_select([ + part21, + dup5, + ]); + + var all6 = all_match({ + processors: [ + dup2, + dup24, + part18, + select8, + select9, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + dup25, + dup26, + ]), + }); + + var msg6 = msg("CylancePROTECT:06", all6); + + var part22 = 
match("MESSAGE#6:CylancePROTECT:07/1_0", "nwparser.p0", "[%{fld2}] Event Type: ExploitAttempt, Event Name: %{p0}"); + + var part23 = match("MESSAGE#6:CylancePROTECT:07/1_1", "nwparser.p0", " %{fld5->} Event Type: ExploitAttempt, Event Name: %{p0}"); + + var select10 = linear_select([ + part22, + part23, + ]); + + var part24 = match("MESSAGE#6:CylancePROTECT:07/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names: %{info}"); + + var all7 = all_match({ + processors: [ + dup2, + select10, + part24, + ], + on_success: processor_chain([ + dup6, + setc("vendor_event_cat"," ExploitAttempt"), + dup8, + dup25, + dup26, + ]), + }); + + var msg7 = msg("CylancePROTECT:07", all7); + + var part25 = match("MESSAGE#7:CylancePROTECT:08/1_0", "nwparser.p0", "[%{fld2}] Event Type: DeviceControl, Event Name: %{p0}"); + + var part26 = match("MESSAGE#7:CylancePROTECT:08/1_1", "nwparser.p0", " %{fld5->} Event Type: DeviceControl, Event Name: %{p0}"); + + var select11 = linear_select([ + part25, + part26, + ]); + + var part27 = match("MESSAGE#7:CylancePROTECT:08/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, External Device Type: %{fld3}, External Device Vendor ID: %{fld18}, External Device Name: %{fld4}, External Device Product ID: %{fld17}, External Device Serial Number: %{serial_number}, Zone Names: %{info}"); + + var all8 = all_match({ + processors: [ + dup2, + select11, + part27, + ], + on_success: processor_chain([ + dup6, + setc("vendor_event_cat"," DeviceControl"), + dup8, + dup25, + dup26, + ]), + }); + + var msg8 = msg("CylancePROTECT:08", all8); + + var part28 = match("MESSAGE#8:CylancePROTECT:09/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version->} (%{fld3}), Zone Names: %{p0}"); + + var part29 = 
match("MESSAGE#8:CylancePROTECT:09/3_0", "nwparser.p0", "%{info}, User Name: %{username}"); + + var select12 = linear_select([ + part29, + dup14, + ]); + + var all9 = all_match({ + processors: [ + dup2, + dup27, + part28, + select12, + ], + on_success: processor_chain([ + dup6, + setc("vendor_event_cat"," ScriptControl"), + dup8, + dup25, + dup26, + ]), + }); + + var msg9 = msg("CylancePROTECT:09", all9); + + var part30 = match("MESSAGE#9:CylancePROTECT:10/1_0", "nwparser.p0", "[%{fld2}] Event Type: Threat, Event Name: %{p0}"); + + var part31 = match("MESSAGE#9:CylancePROTECT:10/1_1", "nwparser.p0", " %{fld4->} Event Type: Threat, Event Name: %{p0}"); + + var select13 = linear_select([ + part30, + part31, + ]); + + var part32 = match("MESSAGE#9:CylancePROTECT:10/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), File Name: %(unknown), Path: %{directory}, Drive Type: %{fld1}, SHA256: %{checksum}, MD5: %{fld3}, Status: %{event_state}, Cylance Score: %{reputation_num}, Found Date: %{fld5}, File Type: %{filetype}, Is Running: %{fld6}, Auto Run: %{fld7}, Detected By: %{fld8}, Zone Names: %{info}, Is Malware: %{fld10}, Is Unique To Cylance: %{fld11}, Threat Classification: %{sigtype}"); + + var all10 = all_match({ + processors: [ + dup2, + select13, + part32, + ], + on_success: processor_chain([ + dup6, + setc("vendor_event_cat"," Threat"), + dup8, + dup25, + dup26, + ]), + }); + + var msg10 = msg("CylancePROTECT:10", all10); + + var part33 = match("MESSAGE#10:CylancePROTECT:11/1_0", "nwparser.p0", "[%{fld2}] Event Type: AppControl, Event Name: %{p0}"); + + var part34 = match("MESSAGE#10:CylancePROTECT:11/1_1", "nwparser.p0", " %{fld5->} Event Type: AppControl, Event Name: %{p0}"); + + var select14 = linear_select([ + part33, + part34, + ]); + + var part35 = match("MESSAGE#10:CylancePROTECT:11/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Action Type: %{fld3}, File Path: %{directory}, 
SHA256: %{checksum}, Zone Names: %{info}"); + + var all11 = all_match({ + processors: [ + dup2, + select14, + part35, + ], + on_success: processor_chain([ + dup6, + setc("vendor_event_cat"," AppControl"), + dup25, + dup26, + ]), + }); + + var msg11 = msg("CylancePROTECT:11", all11); + + var part36 = match("MESSAGE#11:CylancePROTECT:15/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Threat Class: %{sigtype}, Threat Subclass: %{fld7}, SHA256: %{checksum}, MD5: %{fld8}"); + + var all12 = all_match({ + processors: [ + dup2, + dup28, + part36, + ], + on_success: processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), + }); + + var msg12 = msg("CylancePROTECT:15", all12); + + var part37 = match("MESSAGE#12:CylancePROTECT:14/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Names: (%{node}), Policy Name: %{policyname}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all13 = all_match({ + processors: [ + dup2, + dup28, + part37, + ], + on_success: processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), + }); + + var msg13 = msg("CylancePROTECT:14", all13); + + var part38 = match("MESSAGE#13:CylancePROTECT:13/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld6}, IP Address: (%{saddr}, %{fld15}), MAC Address: (%{macaddr}, %{fld16}), Logged On Users: (%{username}), OS: %{p0}"); + + var all14 = all_match({ + processors: [ + dup2, + dup28, + part38, + dup29, + ], + on_success: processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), + }); + + var msg14 = msg("CylancePROTECT:13", all14); + + var part39 = match("MESSAGE#14:CylancePROTECT:16/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS: %{p0}"); + + var all15 = all_match({ + processors: [ + dup2, + dup28, + part39, + dup29, + ], + on_success: 
processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), + }); + + var msg15 = msg("CylancePROTECT:16", all15); + + var part40 = match("MESSAGE#15:CylancePROTECT:25/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version}, Zone Names: %{info}, User Name: %{username}"); + + var all16 = all_match({ + processors: [ + dup2, + dup27, + part40, + ], + on_success: processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), + }); + + var msg16 = msg("CylancePROTECT:25", all16); + + var part41 = match("MESSAGE#16:CylancePROTECT:12/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, %{p0}"); + + var part42 = match("MESSAGE#16:CylancePROTECT:12/3_0", "nwparser.p0", "Device Name: %{node}, Zone Names:%{info}"); + + var part43 = match("MESSAGE#16:CylancePROTECT:12/3_1", "nwparser.p0", "Device Name: %{node}"); + + var part44 = match("MESSAGE#16:CylancePROTECT:12/3_2", "nwparser.p0", "%{fld1}"); + + var select15 = linear_select([ + part42, + part43, + part44, + ]); + + var all17 = all_match({ + processors: [ + dup2, + dup28, + part41, + select15, + ], + on_success: processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), + }); + + var msg17 = msg("CylancePROTECT:12", all17); + + var part45 = match("MESSAGE#17:CylancePROTECT:17/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, File Path:%(unknown), Interpreter:%{application}, Interpreter Version:%{version}, Zone Names:%{info}, User Name: %{p0}"); + + var part46 = match("MESSAGE#17:CylancePROTECT:17/1_0", "nwparser.p0", "%{username}, Device Id: %{fld3}, Policy Name: %{policyname}"); + + var part47 = match("MESSAGE#17:CylancePROTECT:17/1_1", "nwparser.p0", "%{username}"); + + var select16 = linear_select([ + part46, + part47, + ]); + + var all18 = all_match({ + processors: [ + part45, + select16, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), + }); + + var msg18 = 
msg("CylancePROTECT:17", all18); + + var part48 = match("MESSAGE#18:CylancePROTECT:18", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, Agent Version:%{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS:%{os}, Zone Names:%{info}", processor_chain([ + dup6, + dup19, + dup25, + dup26, + ])); + + var msg19 = msg("CylancePROTECT:18", part48); + + var part49 = match("MESSAGE#19:CylancePROTECT:19/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, External Device Type:%{device}, External Device Vendor ID:%{fld2}, External Device Name:%{fld3}, External Device Product ID:%{fld4}, External Device Serial Number:%{serial_number}, Zone Names:%{p0}"); + + var part50 = match("MESSAGE#19:CylancePROTECT:19/1_0", "nwparser.p0", "%{info}, Device Id: %{fld5}, Policy Name: %{policyname->} "); + + var select17 = linear_select([ + part50, + dup14, + ]); + + var all19 = all_match({ + processors: [ + part49, + select17, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), + }); + + var msg20 = msg("CylancePROTECT:19", all19); + + var part51 = match("MESSAGE#20:CylancePROTECT:20/0", "nwparser.payload", "Event Name:%{event_type}, Message: %{p0}"); + + var part52 = match("MESSAGE#20:CylancePROTECT:20/1_0", "nwparser.p0", "The Device%{p0}"); + + var part53 = match("MESSAGE#20:CylancePROTECT:20/1_1", "nwparser.p0", "Device%{p0}"); + + var select18 = linear_select([ + part52, + part53, + ]); + + var part54 = match("MESSAGE#20:CylancePROTECT:20/2", "nwparser.p0", ":%{node}was auto assigned %{p0}"); + + var part55 = match("MESSAGE#20:CylancePROTECT:20/3_0", "nwparser.p0", "to the%{p0}"); + + var part56 = match("MESSAGE#20:CylancePROTECT:20/3_1", "nwparser.p0", " to%{p0}"); + + var select19 = linear_select([ + part55, + part56, + ]); + + var part57 = match("MESSAGE#20:CylancePROTECT:20/4", "nwparser.p0", "%{}Zone:%{zone}, User:%{user_fname}"); + + var all20 = all_match({ + processors: [ + 
part51, + select18, + part54, + select19, + part57, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), + }); + + var msg21 = msg("CylancePROTECT:20", all20); + + var part58 = match("MESSAGE#21:CylancePROTECT:21", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, IP Address: (%{saddr}), File Name:%(unknown), Path:%{directory}, Drive Type:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}, Status:%{event_state}, Cylance Score:%{fld4}, Found Date:%{fld51}, File Type:%{fld6}, Is Running:%{fld7}, Auto Run:%{fld8}, Detected By:%{fld9}, Zone Names: (%{info}), Is Malware:%{fld10}, Is Unique To Cylance:%{fld11}, Threat Classification:%{sigtype}", processor_chain([ + dup6, + dup19, + dup25, + dup26, + date_time({ + dest: "effective_time", + args: ["fld51"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dN,dc(":"),dU,dc(":"),dO,dQ], + ], + }), + ])); + + var msg22 = msg("CylancePROTECT:21", part58); + + var part59 = match("MESSAGE#22:CylancePROTECT:22/0", "nwparser.payload", "Event Name:%{p0}"); + + var part60 = match("MESSAGE#22:CylancePROTECT:22/1_0", "nwparser.p0", " %{event_type}, Device Name: %{device}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names:%{p0}"); + + var part61 = match("MESSAGE#22:CylancePROTECT:22/1_1", "nwparser.p0", "%{event_type}, Device Name:%{node}, Zone Names:%{p0}"); + + var select20 = linear_select([ + part60, + part61, + ]); + + var all21 = all_match({ + processors: [ + part59, + select20, + dup30, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), + }); + + var msg23 = msg("CylancePROTECT:22", all21); + + var part62 = match("MESSAGE#23:CylancePROTECT:23", "nwparser.payload", "Event Name:%{event_type}, Threat Class:%{sigtype}, Threat Subclass:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}", processor_chain([ + dup6, + dup19, + dup25, + dup26, + ])); + + var msg24 = msg("CylancePROTECT:23", 
part62); + + var part63 = match("MESSAGE#24:CylancePROTECT:24/0", "nwparser.payload", "Event Name:%{event_type}, Message: Provider:%{fld3}, Source IP:%{saddr}, User: %{user_fname->} %{user_lname->} (%{p0}"); + + var part64 = match("MESSAGE#24:CylancePROTECT:24/1_0", "nwparser.p0", "%{mail_id})#015"); + + var part65 = match("MESSAGE#24:CylancePROTECT:24/1_1", "nwparser.p0", "%{mail_id})"); + + var select21 = linear_select([ + part64, + part65, + ]); + + var all22 = all_match({ + processors: [ + part63, + select21, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), + }); + + var msg25 = msg("CylancePROTECT:24", all22); + + var part66 = match("MESSAGE#25:CylancePROTECT:26/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Policy Changed: %{fld4->} to '%{policyname}', User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); + + var all23 = all_match({ + processors: [ + part66, + dup30, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), + }); + + var msg26 = msg("CylancePROTECT:26", all23); + + var part67 = match("MESSAGE#26:CylancePROTECT:27/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Zones Removed: %{p0}"); + + var part68 = match("MESSAGE#26:CylancePROTECT:27/1_0", "nwparser.p0", "%{fld4}; Zones Added: %{fld5},%{p0}"); + + var part69 = match("MESSAGE#26:CylancePROTECT:27/1_1", "nwparser.p0", "%{fld4},%{p0}"); + + var select22 = linear_select([ + part68, + part69, + ]); + + var part70 = match("MESSAGE#26:CylancePROTECT:27/2", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); + + var part71 = match("MESSAGE#26:CylancePROTECT:27/3_0", "nwparser.p0", "%{info->} Device Id: %{fld3}"); + + var select23 = linear_select([ + part71, + dup14, + ]); + + var all24 = all_match({ + processors: [ + part67, + select22, + part70, + select23, + ], + on_success: processor_chain([ + dup6, + dup19, + 
dup25, + dup26, + ]), + }); + + var msg27 = msg("CylancePROTECT:27", all24); + + var part72 = match("MESSAGE#27:CylancePROTECT:28/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device->} %{p0}"); + + var part73 = match("MESSAGE#27:CylancePROTECT:28/1_0", "nwparser.p0", "Agent Self Protection Level Changed: '%{change_old}' to '%{change_new}', User: %{user_fname->} %{user_lname->} (%{mail_id}),%{p0}"); + + var part74 = match("MESSAGE#27:CylancePROTECT:28/1_1", "nwparser.p0", "User: %{user_fname->} %{user_lname->} (%{mail_id}),%{p0}"); + + var select24 = linear_select([ + part73, + part74, + ]); + + var part75 = match("MESSAGE#27:CylancePROTECT:28/2", "nwparser.p0", "%{}Zone Names: %{info->} Device Id: %{fld3}"); + + var all25 = all_match({ + processors: [ + part72, + select24, + part75, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), + }); + + var msg28 = msg("CylancePROTECT:28", all25); + + var select25 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + ]); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "CylancePROTECT": select25, + }), + ]); + + var part76 = match("MESSAGE#0:CylancePROTECT:01/0", "nwparser.payload", "%{fld13->} %{fld14->} %{p0}"); + + var part77 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}"); + + var part78 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", " %{fld5->} Event Type: AuditLog, Event Name: %{p0}"); + + var part79 = match("MESSAGE#0:CylancePROTECT:01/5", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{mail_id})"); + + var part80 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); + + var part81 = match("MESSAGE#8:CylancePROTECT:09/1_0", 
"nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}"); + + var part82 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", " %{fld5->} Event Type: ScriptControl, Event Name: %{p0}"); + + var part83 = match("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "%{info}"); + + var part84 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}"); + + var part85 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", " %{fld5->} Event Type: %{p0}"); + + var part86 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}"); + + var part87 = match("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "%{os}"); + + var part88 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}"); + + var select26 = linear_select([ + dup3, + dup4, + ]); + + var select27 = linear_select([ + dup12, + dup13, + ]); + + var select28 = linear_select([ + dup15, + dup16, + ]); + + var select29 = linear_select([ + dup17, + dup18, + ]); + + var select30 = linear_select([ + dup20, + dup14, + ]); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/cylance/0.1.0/dataset/protect/agent/stream/tcp.yml.hbs b/packages/cylance/0.1.0/dataset/protect/agent/stream/tcp.yml.hbs new file mode 100644 index 0000000000..fd606430a9 --- /dev/null +++ b/packages/cylance/0.1.0/dataset/protect/agent/stream/tcp.yml.hbs 
@@ -0,0 +1,3363 @@ +tcp: +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Cylance" + product: "Protect" + type: "Anti-Virus" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld14->} %{p0}"); + + var dup3 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}"); + + var dup4 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", " %{fld5->} Event Type: AuditLog, Event Name: %{p0}"); + + var dup5 = match("MESSAGE#0:CylancePROTECT:01/5", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{mail_id})"); + + var dup6 = setc("eventcategory","1901000000"); + + var dup7 = setc("vendor_event_cat"," AuditLog"); + + var dup8 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup9 = field("event_type"); + + var dup10 = field("event_cat"); + + var dup11 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); + + var dup12 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}"); + + var dup13 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", " %{fld5->} Event Type: ScriptControl, Event Name: %{p0}"); + + var dup14 = match("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "%{info}"); + + var dup15 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}"); + + var dup16 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", " %{fld5->} Event Type: %{p0}"); + + var dup17 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}"); + + var dup18 = match("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "%{os}"); + + var dup19 = date_time({ + dest: "event_time", + args: ["hmonth","hdate","hhour","hmin","hsec"], + fmts: [ + [dB,dF,dN,dU,dO], + ], + }); + + var dup20 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}"); + + var dup21 = constant("1701000000"); + + var dup22 = 
constant("1804000000"); + + var dup23 = constant("1003010000"); + + var dup24 = linear_select([ + dup3, + dup4, + ]); + + var dup25 = lookup({ + dest: "nwparser.event_cat", + map: map_getEventLegacyCategory, + key: dup9, + }); + + var dup26 = lookup({ + dest: "nwparser.event_cat_name", + map: map_getEventLegacyCategoryName, + key: dup10, + }); + + var dup27 = linear_select([ + dup12, + dup13, + ]); + + var dup28 = linear_select([ + dup15, + dup16, + ]); + + var dup29 = linear_select([ + dup17, + dup18, + ]); + + var dup30 = linear_select([ + dup20, + dup14, + ]); + + var hdr1 = match("HEADER#0:0001", "message", "%{hday}-%{hmonth}-%{hyear->} %{hhour}:%{hmin}:%{hsec->} %{hseverity->} %{hhost->} %{hfld2->} \u003c\u003c%{fld44}>%{hfld3->} %{hdate}T%{htime}.%{hfld4->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0001"), + dup1, + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{hdate}T%{htime}.%{hfld2->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0002"), + dup1, + ])); + + var hdr3 = match("HEADER#2:0004", "message", "%{hdate}T%{htime}.%{hfld2->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0004"), + dup1, + ])); + + var hdr4 = match("HEADER#3:0003", "message", "%{hmonth->} %{hdate->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} CylancePROTECT Event Type:%{vendor_event_cat}, %{payload}", processor_chain([ + setc("header_id","0003"), + dup1, + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var part1 = match("MESSAGE#0:CylancePROTECT:01/2", "nwparser.p0", "%{event_type}, Message: S%{p0}"); + + var part2 = match("MESSAGE#0:CylancePROTECT:01/3_0", "nwparser.p0", "ource: %{product}; SHA256: %{checksum}; %{p0}"); + + var part3 = match("MESSAGE#0:CylancePROTECT:01/3_1", "nwparser.p0", "HA256: %{checksum}; %{p0}"); + + var select2 = linear_select([ + part2, + part3, + ]); + + var part4 = match("MESSAGE#0:CylancePROTECT:01/4_0", 
"nwparser.p0", "Category: %{category}; Reason: %{result}, User: %{p0}"); + + var part5 = match("MESSAGE#0:CylancePROTECT:01/4_1", "nwparser.p0", "Reason: %{result}, User: %{p0}"); + + var select3 = linear_select([ + part4, + part5, + ]); + + var all1 = all_match({ + processors: [ + dup2, + dup24, + part1, + select2, + select3, + dup5, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + dup25, + dup26, + ]), + }); + + var msg1 = msg("CylancePROTECT:01", all1); + + var part6 = match("MESSAGE#1:CylancePROTECT:02/3_0", "nwparser.p0", "Device: %{node}; SHA256: %{p0}"); + + var part7 = match("MESSAGE#1:CylancePROTECT:02/3_1", "nwparser.p0", "Policy: %{policyname}; SHA256: %{p0}"); + + var select4 = linear_select([ + part6, + part7, + ]); + + var part8 = match("MESSAGE#1:CylancePROTECT:02/4_0", "nwparser.p0", "%{checksum}; Category: %{category}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var part9 = match("MESSAGE#1:CylancePROTECT:02/4_1", "nwparser.p0", "%{checksum}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var select5 = linear_select([ + part8, + part9, + ]); + + var all2 = all_match({ + processors: [ + dup2, + dup24, + dup11, + select4, + select5, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + dup25, + dup26, + ]), + }); + + var msg2 = msg("CylancePROTECT:02", all2); + + var part10 = match("MESSAGE#2:CylancePROTECT:03/3_0", "nwparser.p0", "Devices: %{node},%{p0}"); + + var part11 = match("MESSAGE#2:CylancePROTECT:03/3_1", "nwparser.p0", "Device: %{node};%{p0}"); + + var part12 = match("MESSAGE#2:CylancePROTECT:03/3_2", "nwparser.p0", "Policy: %{policyname},%{p0}"); + + var select6 = linear_select([ + part10, + part11, + part12, + ]); + + var part13 = match("MESSAGE#2:CylancePROTECT:03/4", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all3 = all_match({ + processors: [ + dup2, + dup24, + dup11, + select6, + part13, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + 
dup25, + dup26, + ]), + }); + + var msg3 = msg("CylancePROTECT:03", all3); + + var part14 = match("MESSAGE#3:CylancePROTECT:04/2", "nwparser.p0", "%{event_type}, Message: Zone: %{info}; Policy: %{policyname}; Value: %{fld3}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all4 = all_match({ + processors: [ + dup2, + dup24, + part14, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + dup25, + dup26, + ]), + }); + + var msg4 = msg("CylancePROTECT:04", all4); + + var part15 = match("MESSAGE#4:CylancePROTECT:05/3_0", "nwparser.p0", "Policy Assigned:%{signame}; Devices: %{node->} , User: %{p0}"); + + var part16 = match("MESSAGE#4:CylancePROTECT:05/3_1", "nwparser.p0", " Provider: %{product}, Source IP: %{saddr}, User: %{p0}"); + + var part17 = match("MESSAGE#4:CylancePROTECT:05/3_2", "nwparser.p0", "%{info}, User: %{p0}"); + + var select7 = linear_select([ + part15, + part16, + part17, + ]); + + var all5 = all_match({ + processors: [ + dup2, + dup24, + dup11, + select7, + dup5, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + dup25, + dup26, + ]), + }); + + var msg5 = msg("CylancePROTECT:05", all5); + + var part18 = match("MESSAGE#5:CylancePROTECT:06/2", "nwparser.p0", "%{event_type}, Message: The Device: %{node->} was auto assigned to the Zone: IP Address: %{p0}"); + + var part19 = match("MESSAGE#5:CylancePROTECT:06/3_0", "nwparser.p0", "Fake Devices, User: %{p0}"); + + var part20 = match("MESSAGE#5:CylancePROTECT:06/3_1", "nwparser.p0", "%{saddr}, User: %{p0}"); + + var select8 = linear_select([ + part19, + part20, + ]); + + var part21 = match("MESSAGE#5:CylancePROTECT:06/4_0", "nwparser.p0", " (%{mail_id})"); + + var select9 = linear_select([ + part21, + dup5, + ]); + + var all6 = all_match({ + processors: [ + dup2, + dup24, + part18, + select8, + select9, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + dup25, + dup26, + ]), + }); + + var msg6 = msg("CylancePROTECT:06", all6); + + var part22 = 
match("MESSAGE#6:CylancePROTECT:07/1_0", "nwparser.p0", "[%{fld2}] Event Type: ExploitAttempt, Event Name: %{p0}"); + + var part23 = match("MESSAGE#6:CylancePROTECT:07/1_1", "nwparser.p0", " %{fld5->} Event Type: ExploitAttempt, Event Name: %{p0}"); + + var select10 = linear_select([ + part22, + part23, + ]); + + var part24 = match("MESSAGE#6:CylancePROTECT:07/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names: %{info}"); + + var all7 = all_match({ + processors: [ + dup2, + select10, + part24, + ], + on_success: processor_chain([ + dup6, + setc("vendor_event_cat"," ExploitAttempt"), + dup8, + dup25, + dup26, + ]), + }); + + var msg7 = msg("CylancePROTECT:07", all7); + + var part25 = match("MESSAGE#7:CylancePROTECT:08/1_0", "nwparser.p0", "[%{fld2}] Event Type: DeviceControl, Event Name: %{p0}"); + + var part26 = match("MESSAGE#7:CylancePROTECT:08/1_1", "nwparser.p0", " %{fld5->} Event Type: DeviceControl, Event Name: %{p0}"); + + var select11 = linear_select([ + part25, + part26, + ]); + + var part27 = match("MESSAGE#7:CylancePROTECT:08/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, External Device Type: %{fld3}, External Device Vendor ID: %{fld18}, External Device Name: %{fld4}, External Device Product ID: %{fld17}, External Device Serial Number: %{serial_number}, Zone Names: %{info}"); + + var all8 = all_match({ + processors: [ + dup2, + select11, + part27, + ], + on_success: processor_chain([ + dup6, + setc("vendor_event_cat"," DeviceControl"), + dup8, + dup25, + dup26, + ]), + }); + + var msg8 = msg("CylancePROTECT:08", all8); + + var part28 = match("MESSAGE#8:CylancePROTECT:09/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version->} (%{fld3}), Zone Names: %{p0}"); + + var part29 = 
match("MESSAGE#8:CylancePROTECT:09/3_0", "nwparser.p0", "%{info}, User Name: %{username}"); + + var select12 = linear_select([ + part29, + dup14, + ]); + + var all9 = all_match({ + processors: [ + dup2, + dup27, + part28, + select12, + ], + on_success: processor_chain([ + dup6, + setc("vendor_event_cat"," ScriptControl"), + dup8, + dup25, + dup26, + ]), + }); + + var msg9 = msg("CylancePROTECT:09", all9); + + var part30 = match("MESSAGE#9:CylancePROTECT:10/1_0", "nwparser.p0", "[%{fld2}] Event Type: Threat, Event Name: %{p0}"); + + var part31 = match("MESSAGE#9:CylancePROTECT:10/1_1", "nwparser.p0", " %{fld4->} Event Type: Threat, Event Name: %{p0}"); + + var select13 = linear_select([ + part30, + part31, + ]); + + var part32 = match("MESSAGE#9:CylancePROTECT:10/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), File Name: %(unknown), Path: %{directory}, Drive Type: %{fld1}, SHA256: %{checksum}, MD5: %{fld3}, Status: %{event_state}, Cylance Score: %{reputation_num}, Found Date: %{fld5}, File Type: %{filetype}, Is Running: %{fld6}, Auto Run: %{fld7}, Detected By: %{fld8}, Zone Names: %{info}, Is Malware: %{fld10}, Is Unique To Cylance: %{fld11}, Threat Classification: %{sigtype}"); + + var all10 = all_match({ + processors: [ + dup2, + select13, + part32, + ], + on_success: processor_chain([ + dup6, + setc("vendor_event_cat"," Threat"), + dup8, + dup25, + dup26, + ]), + }); + + var msg10 = msg("CylancePROTECT:10", all10); + + var part33 = match("MESSAGE#10:CylancePROTECT:11/1_0", "nwparser.p0", "[%{fld2}] Event Type: AppControl, Event Name: %{p0}"); + + var part34 = match("MESSAGE#10:CylancePROTECT:11/1_1", "nwparser.p0", " %{fld5->} Event Type: AppControl, Event Name: %{p0}"); + + var select14 = linear_select([ + part33, + part34, + ]); + + var part35 = match("MESSAGE#10:CylancePROTECT:11/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Action Type: %{fld3}, File Path: %{directory}, 
SHA256: %{checksum}, Zone Names: %{info}"); + + var all11 = all_match({ + processors: [ + dup2, + select14, + part35, + ], + on_success: processor_chain([ + dup6, + setc("vendor_event_cat"," AppControl"), + dup25, + dup26, + ]), + }); + + var msg11 = msg("CylancePROTECT:11", all11); + + var part36 = match("MESSAGE#11:CylancePROTECT:15/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Threat Class: %{sigtype}, Threat Subclass: %{fld7}, SHA256: %{checksum}, MD5: %{fld8}"); + + var all12 = all_match({ + processors: [ + dup2, + dup28, + part36, + ], + on_success: processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), + }); + + var msg12 = msg("CylancePROTECT:15", all12); + + var part37 = match("MESSAGE#12:CylancePROTECT:14/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Names: (%{node}), Policy Name: %{policyname}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all13 = all_match({ + processors: [ + dup2, + dup28, + part37, + ], + on_success: processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), + }); + + var msg13 = msg("CylancePROTECT:14", all13); + + var part38 = match("MESSAGE#13:CylancePROTECT:13/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld6}, IP Address: (%{saddr}, %{fld15}), MAC Address: (%{macaddr}, %{fld16}), Logged On Users: (%{username}), OS: %{p0}"); + + var all14 = all_match({ + processors: [ + dup2, + dup28, + part38, + dup29, + ], + on_success: processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), + }); + + var msg14 = msg("CylancePROTECT:13", all14); + + var part39 = match("MESSAGE#14:CylancePROTECT:16/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS: %{p0}"); + + var all15 = all_match({ + processors: [ + dup2, + dup28, + part39, + dup29, + ], + on_success: 
processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), + }); + + var msg15 = msg("CylancePROTECT:16", all15); + + var part40 = match("MESSAGE#15:CylancePROTECT:25/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version}, Zone Names: %{info}, User Name: %{username}"); + + var all16 = all_match({ + processors: [ + dup2, + dup27, + part40, + ], + on_success: processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), + }); + + var msg16 = msg("CylancePROTECT:25", all16); + + var part41 = match("MESSAGE#16:CylancePROTECT:12/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, %{p0}"); + + var part42 = match("MESSAGE#16:CylancePROTECT:12/3_0", "nwparser.p0", "Device Name: %{node}, Zone Names:%{info}"); + + var part43 = match("MESSAGE#16:CylancePROTECT:12/3_1", "nwparser.p0", "Device Name: %{node}"); + + var part44 = match("MESSAGE#16:CylancePROTECT:12/3_2", "nwparser.p0", "%{fld1}"); + + var select15 = linear_select([ + part42, + part43, + part44, + ]); + + var all17 = all_match({ + processors: [ + dup2, + dup28, + part41, + select15, + ], + on_success: processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), + }); + + var msg17 = msg("CylancePROTECT:12", all17); + + var part45 = match("MESSAGE#17:CylancePROTECT:17/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, File Path:%(unknown), Interpreter:%{application}, Interpreter Version:%{version}, Zone Names:%{info}, User Name: %{p0}"); + + var part46 = match("MESSAGE#17:CylancePROTECT:17/1_0", "nwparser.p0", "%{username}, Device Id: %{fld3}, Policy Name: %{policyname}"); + + var part47 = match("MESSAGE#17:CylancePROTECT:17/1_1", "nwparser.p0", "%{username}"); + + var select16 = linear_select([ + part46, + part47, + ]); + + var all18 = all_match({ + processors: [ + part45, + select16, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), + }); + + var msg18 = 
msg("CylancePROTECT:17", all18); + + var part48 = match("MESSAGE#18:CylancePROTECT:18", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, Agent Version:%{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS:%{os}, Zone Names:%{info}", processor_chain([ + dup6, + dup19, + dup25, + dup26, + ])); + + var msg19 = msg("CylancePROTECT:18", part48); + + var part49 = match("MESSAGE#19:CylancePROTECT:19/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, External Device Type:%{device}, External Device Vendor ID:%{fld2}, External Device Name:%{fld3}, External Device Product ID:%{fld4}, External Device Serial Number:%{serial_number}, Zone Names:%{p0}"); + + var part50 = match("MESSAGE#19:CylancePROTECT:19/1_0", "nwparser.p0", "%{info}, Device Id: %{fld5}, Policy Name: %{policyname->} "); + + var select17 = linear_select([ + part50, + dup14, + ]); + + var all19 = all_match({ + processors: [ + part49, + select17, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), + }); + + var msg20 = msg("CylancePROTECT:19", all19); + + var part51 = match("MESSAGE#20:CylancePROTECT:20/0", "nwparser.payload", "Event Name:%{event_type}, Message: %{p0}"); + + var part52 = match("MESSAGE#20:CylancePROTECT:20/1_0", "nwparser.p0", "The Device%{p0}"); + + var part53 = match("MESSAGE#20:CylancePROTECT:20/1_1", "nwparser.p0", "Device%{p0}"); + + var select18 = linear_select([ + part52, + part53, + ]); + + var part54 = match("MESSAGE#20:CylancePROTECT:20/2", "nwparser.p0", ":%{node}was auto assigned %{p0}"); + + var part55 = match("MESSAGE#20:CylancePROTECT:20/3_0", "nwparser.p0", "to the%{p0}"); + + var part56 = match("MESSAGE#20:CylancePROTECT:20/3_1", "nwparser.p0", " to%{p0}"); + + var select19 = linear_select([ + part55, + part56, + ]); + + var part57 = match("MESSAGE#20:CylancePROTECT:20/4", "nwparser.p0", "%{}Zone:%{zone}, User:%{user_fname}"); + + var all20 = all_match({ + processors: [ + 
part51, + select18, + part54, + select19, + part57, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), + }); + + var msg21 = msg("CylancePROTECT:20", all20); + + var part58 = match("MESSAGE#21:CylancePROTECT:21", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, IP Address: (%{saddr}), File Name:%(unknown), Path:%{directory}, Drive Type:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}, Status:%{event_state}, Cylance Score:%{fld4}, Found Date:%{fld51}, File Type:%{fld6}, Is Running:%{fld7}, Auto Run:%{fld8}, Detected By:%{fld9}, Zone Names: (%{info}), Is Malware:%{fld10}, Is Unique To Cylance:%{fld11}, Threat Classification:%{sigtype}", processor_chain([ + dup6, + dup19, + dup25, + dup26, + date_time({ + dest: "effective_time", + args: ["fld51"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dN,dc(":"),dU,dc(":"),dO,dQ], + ], + }), + ])); + + var msg22 = msg("CylancePROTECT:21", part58); + + var part59 = match("MESSAGE#22:CylancePROTECT:22/0", "nwparser.payload", "Event Name:%{p0}"); + + var part60 = match("MESSAGE#22:CylancePROTECT:22/1_0", "nwparser.p0", " %{event_type}, Device Name: %{device}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names:%{p0}"); + + var part61 = match("MESSAGE#22:CylancePROTECT:22/1_1", "nwparser.p0", "%{event_type}, Device Name:%{node}, Zone Names:%{p0}"); + + var select20 = linear_select([ + part60, + part61, + ]); + + var all21 = all_match({ + processors: [ + part59, + select20, + dup30, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), + }); + + var msg23 = msg("CylancePROTECT:22", all21); + + var part62 = match("MESSAGE#23:CylancePROTECT:23", "nwparser.payload", "Event Name:%{event_type}, Threat Class:%{sigtype}, Threat Subclass:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}", processor_chain([ + dup6, + dup19, + dup25, + dup26, + ])); + + var msg24 = msg("CylancePROTECT:23", 
part62); + + var part63 = match("MESSAGE#24:CylancePROTECT:24/0", "nwparser.payload", "Event Name:%{event_type}, Message: Provider:%{fld3}, Source IP:%{saddr}, User: %{user_fname->} %{user_lname->} (%{p0}"); + + var part64 = match("MESSAGE#24:CylancePROTECT:24/1_0", "nwparser.p0", "%{mail_id})#015"); + + var part65 = match("MESSAGE#24:CylancePROTECT:24/1_1", "nwparser.p0", "%{mail_id})"); + + var select21 = linear_select([ + part64, + part65, + ]); + + var all22 = all_match({ + processors: [ + part63, + select21, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), + }); + + var msg25 = msg("CylancePROTECT:24", all22); + + var part66 = match("MESSAGE#25:CylancePROTECT:26/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Policy Changed: %{fld4->} to '%{policyname}', User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); + + var all23 = all_match({ + processors: [ + part66, + dup30, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), + }); + + var msg26 = msg("CylancePROTECT:26", all23); + + var part67 = match("MESSAGE#26:CylancePROTECT:27/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Zones Removed: %{p0}"); + + var part68 = match("MESSAGE#26:CylancePROTECT:27/1_0", "nwparser.p0", "%{fld4}; Zones Added: %{fld5},%{p0}"); + + var part69 = match("MESSAGE#26:CylancePROTECT:27/1_1", "nwparser.p0", "%{fld4},%{p0}"); + + var select22 = linear_select([ + part68, + part69, + ]); + + var part70 = match("MESSAGE#26:CylancePROTECT:27/2", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); + + var part71 = match("MESSAGE#26:CylancePROTECT:27/3_0", "nwparser.p0", "%{info->} Device Id: %{fld3}"); + + var select23 = linear_select([ + part71, + dup14, + ]); + + var all24 = all_match({ + processors: [ + part67, + select22, + part70, + select23, + ], + on_success: processor_chain([ + dup6, + dup19, + 
dup25, + dup26, + ]), + }); + + var msg27 = msg("CylancePROTECT:27", all24); + + var part72 = match("MESSAGE#27:CylancePROTECT:28/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device->} %{p0}"); + + var part73 = match("MESSAGE#27:CylancePROTECT:28/1_0", "nwparser.p0", "Agent Self Protection Level Changed: '%{change_old}' to '%{change_new}', User: %{user_fname->} %{user_lname->} (%{mail_id}),%{p0}"); + + var part74 = match("MESSAGE#27:CylancePROTECT:28/1_1", "nwparser.p0", "User: %{user_fname->} %{user_lname->} (%{mail_id}),%{p0}"); + + var select24 = linear_select([ + part73, + part74, + ]); + + var part75 = match("MESSAGE#27:CylancePROTECT:28/2", "nwparser.p0", "%{}Zone Names: %{info->} Device Id: %{fld3}"); + + var all25 = all_match({ + processors: [ + part72, + select24, + part75, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), + }); + + var msg28 = msg("CylancePROTECT:28", all25); + + var select25 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + ]); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "CylancePROTECT": select25, + }), + ]); + + var part76 = match("MESSAGE#0:CylancePROTECT:01/0", "nwparser.payload", "%{fld13->} %{fld14->} %{p0}"); + + var part77 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}"); + + var part78 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", " %{fld5->} Event Type: AuditLog, Event Name: %{p0}"); + + var part79 = match("MESSAGE#0:CylancePROTECT:01/5", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{mail_id})"); + + var part80 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); + + var part81 = match("MESSAGE#8:CylancePROTECT:09/1_0", 
"nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}");
+
+ var part82 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", " %{fld5->} Event Type: ScriptControl, Event Name: %{p0}");
+
+ var part83 = match("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "%{info}");
+
+ var part84 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}");
+
+ var part85 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", " %{fld5->} Event Type: %{p0}");
+
+ var part86 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}");
+
+ var part87 = match("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "%{os}");
+
+ var part88 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}");
+
+ var select26 = linear_select([
+ dup3,
+ dup4,
+ ]);
+
+ var select27 = linear_select([
+ dup12,
+ dup13,
+ ]);
+
+ var select28 = linear_select([
+ dup15,
+ dup16,
+ ]);
+
+ var select29 = linear_select([
+ dup17,
+ dup18,
+ ]);
+
+ var select30 = linear_select([
+ dup20,
+ dup14,
+ ]);
+
+- community_id:
+- add_locale: ~
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/packages/cylance/0.1.0/dataset/protect/agent/stream/udp.yml.hbs b/packages/cylance/0.1.0/dataset/protect/agent/stream/udp.yml.hbs
new file mode 100644
index 0000000000..ade6d9e37c
--- /dev/null
+++ b/packages/cylance/0.1.0/dataset/protect/agent/stream/udp.yml.hbs
@@ -0,0 +1,3363 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Cylance" + product: "Protect" + type: "Anti-Virus" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld14->} %{p0}"); + + var dup3 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}"); + + var dup4 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", " %{fld5->} Event Type: AuditLog, Event Name: %{p0}"); + + var dup5 = match("MESSAGE#0:CylancePROTECT:01/5", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{mail_id})"); + + var dup6 = setc("eventcategory","1901000000"); + + var dup7 = setc("vendor_event_cat"," AuditLog"); + + var dup8 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup9 = field("event_type"); + + var dup10 = field("event_cat"); + + var dup11 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); + + var dup12 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}"); + + var dup13 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", " %{fld5->} Event Type: ScriptControl, Event Name: %{p0}"); + + var dup14 = match("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "%{info}"); + + var dup15 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}"); + + var dup16 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", " %{fld5->} Event Type: %{p0}"); + + var dup17 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}"); + + var dup18 = match("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "%{os}"); + + var dup19 = date_time({ + dest: "event_time", + args: ["hmonth","hdate","hhour","hmin","hsec"], + fmts: [ + [dB,dF,dN,dU,dO], + ], + }); + + var dup20 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}"); + + var dup21 = constant("1701000000"); + + var dup22 = 
constant("1804000000"); + + var dup23 = constant("1003010000"); + + var dup24 = linear_select([ + dup3, + dup4, + ]); + + var dup25 = lookup({ + dest: "nwparser.event_cat", + map: map_getEventLegacyCategory, + key: dup9, + }); + + var dup26 = lookup({ + dest: "nwparser.event_cat_name", + map: map_getEventLegacyCategoryName, + key: dup10, + }); + + var dup27 = linear_select([ + dup12, + dup13, + ]); + + var dup28 = linear_select([ + dup15, + dup16, + ]); + + var dup29 = linear_select([ + dup17, + dup18, + ]); + + var dup30 = linear_select([ + dup20, + dup14, + ]); + + var hdr1 = match("HEADER#0:0001", "message", "%{hday}-%{hmonth}-%{hyear->} %{hhour}:%{hmin}:%{hsec->} %{hseverity->} %{hhost->} %{hfld2->} \u003c\u003c%{fld44}>%{hfld3->} %{hdate}T%{htime}.%{hfld4->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0001"), + dup1, + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{hdate}T%{htime}.%{hfld2->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0002"), + dup1, + ])); + + var hdr3 = match("HEADER#2:0004", "message", "%{hdate}T%{htime}.%{hfld2->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0004"), + dup1, + ])); + + var hdr4 = match("HEADER#3:0003", "message", "%{hmonth->} %{hdate->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} CylancePROTECT Event Type:%{vendor_event_cat}, %{payload}", processor_chain([ + setc("header_id","0003"), + dup1, + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var part1 = match("MESSAGE#0:CylancePROTECT:01/2", "nwparser.p0", "%{event_type}, Message: S%{p0}"); + + var part2 = match("MESSAGE#0:CylancePROTECT:01/3_0", "nwparser.p0", "ource: %{product}; SHA256: %{checksum}; %{p0}"); + + var part3 = match("MESSAGE#0:CylancePROTECT:01/3_1", "nwparser.p0", "HA256: %{checksum}; %{p0}"); + + var select2 = linear_select([ + part2, + part3, + ]); + + var part4 = match("MESSAGE#0:CylancePROTECT:01/4_0", 
"nwparser.p0", "Category: %{category}; Reason: %{result}, User: %{p0}"); + + var part5 = match("MESSAGE#0:CylancePROTECT:01/4_1", "nwparser.p0", "Reason: %{result}, User: %{p0}"); + + var select3 = linear_select([ + part4, + part5, + ]); + + var all1 = all_match({ + processors: [ + dup2, + dup24, + part1, + select2, + select3, + dup5, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + dup25, + dup26, + ]), + }); + + var msg1 = msg("CylancePROTECT:01", all1); + + var part6 = match("MESSAGE#1:CylancePROTECT:02/3_0", "nwparser.p0", "Device: %{node}; SHA256: %{p0}"); + + var part7 = match("MESSAGE#1:CylancePROTECT:02/3_1", "nwparser.p0", "Policy: %{policyname}; SHA256: %{p0}"); + + var select4 = linear_select([ + part6, + part7, + ]); + + var part8 = match("MESSAGE#1:CylancePROTECT:02/4_0", "nwparser.p0", "%{checksum}; Category: %{category}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var part9 = match("MESSAGE#1:CylancePROTECT:02/4_1", "nwparser.p0", "%{checksum}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var select5 = linear_select([ + part8, + part9, + ]); + + var all2 = all_match({ + processors: [ + dup2, + dup24, + dup11, + select4, + select5, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + dup25, + dup26, + ]), + }); + + var msg2 = msg("CylancePROTECT:02", all2); + + var part10 = match("MESSAGE#2:CylancePROTECT:03/3_0", "nwparser.p0", "Devices: %{node},%{p0}"); + + var part11 = match("MESSAGE#2:CylancePROTECT:03/3_1", "nwparser.p0", "Device: %{node};%{p0}"); + + var part12 = match("MESSAGE#2:CylancePROTECT:03/3_2", "nwparser.p0", "Policy: %{policyname},%{p0}"); + + var select6 = linear_select([ + part10, + part11, + part12, + ]); + + var part13 = match("MESSAGE#2:CylancePROTECT:03/4", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all3 = all_match({ + processors: [ + dup2, + dup24, + dup11, + select6, + part13, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + 
dup25, + dup26, + ]), + }); + + var msg3 = msg("CylancePROTECT:03", all3); + + var part14 = match("MESSAGE#3:CylancePROTECT:04/2", "nwparser.p0", "%{event_type}, Message: Zone: %{info}; Policy: %{policyname}; Value: %{fld3}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all4 = all_match({ + processors: [ + dup2, + dup24, + part14, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + dup25, + dup26, + ]), + }); + + var msg4 = msg("CylancePROTECT:04", all4); + + var part15 = match("MESSAGE#4:CylancePROTECT:05/3_0", "nwparser.p0", "Policy Assigned:%{signame}; Devices: %{node->} , User: %{p0}"); + + var part16 = match("MESSAGE#4:CylancePROTECT:05/3_1", "nwparser.p0", " Provider: %{product}, Source IP: %{saddr}, User: %{p0}"); + + var part17 = match("MESSAGE#4:CylancePROTECT:05/3_2", "nwparser.p0", "%{info}, User: %{p0}"); + + var select7 = linear_select([ + part15, + part16, + part17, + ]); + + var all5 = all_match({ + processors: [ + dup2, + dup24, + dup11, + select7, + dup5, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + dup25, + dup26, + ]), + }); + + var msg5 = msg("CylancePROTECT:05", all5); + + var part18 = match("MESSAGE#5:CylancePROTECT:06/2", "nwparser.p0", "%{event_type}, Message: The Device: %{node->} was auto assigned to the Zone: IP Address: %{p0}"); + + var part19 = match("MESSAGE#5:CylancePROTECT:06/3_0", "nwparser.p0", "Fake Devices, User: %{p0}"); + + var part20 = match("MESSAGE#5:CylancePROTECT:06/3_1", "nwparser.p0", "%{saddr}, User: %{p0}"); + + var select8 = linear_select([ + part19, + part20, + ]); + + var part21 = match("MESSAGE#5:CylancePROTECT:06/4_0", "nwparser.p0", " (%{mail_id})"); + + var select9 = linear_select([ + part21, + dup5, + ]); + + var all6 = all_match({ + processors: [ + dup2, + dup24, + part18, + select8, + select9, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + dup25, + dup26, + ]), + }); + + var msg6 = msg("CylancePROTECT:06", all6); + + var part22 = 
match("MESSAGE#6:CylancePROTECT:07/1_0", "nwparser.p0", "[%{fld2}] Event Type: ExploitAttempt, Event Name: %{p0}"); + + var part23 = match("MESSAGE#6:CylancePROTECT:07/1_1", "nwparser.p0", " %{fld5->} Event Type: ExploitAttempt, Event Name: %{p0}"); + + var select10 = linear_select([ + part22, + part23, + ]); + + var part24 = match("MESSAGE#6:CylancePROTECT:07/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names: %{info}"); + + var all7 = all_match({ + processors: [ + dup2, + select10, + part24, + ], + on_success: processor_chain([ + dup6, + setc("vendor_event_cat"," ExploitAttempt"), + dup8, + dup25, + dup26, + ]), + }); + + var msg7 = msg("CylancePROTECT:07", all7); + + var part25 = match("MESSAGE#7:CylancePROTECT:08/1_0", "nwparser.p0", "[%{fld2}] Event Type: DeviceControl, Event Name: %{p0}"); + + var part26 = match("MESSAGE#7:CylancePROTECT:08/1_1", "nwparser.p0", " %{fld5->} Event Type: DeviceControl, Event Name: %{p0}"); + + var select11 = linear_select([ + part25, + part26, + ]); + + var part27 = match("MESSAGE#7:CylancePROTECT:08/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, External Device Type: %{fld3}, External Device Vendor ID: %{fld18}, External Device Name: %{fld4}, External Device Product ID: %{fld17}, External Device Serial Number: %{serial_number}, Zone Names: %{info}"); + + var all8 = all_match({ + processors: [ + dup2, + select11, + part27, + ], + on_success: processor_chain([ + dup6, + setc("vendor_event_cat"," DeviceControl"), + dup8, + dup25, + dup26, + ]), + }); + + var msg8 = msg("CylancePROTECT:08", all8); + + var part28 = match("MESSAGE#8:CylancePROTECT:09/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version->} (%{fld3}), Zone Names: %{p0}"); + + var part29 = 
match("MESSAGE#8:CylancePROTECT:09/3_0", "nwparser.p0", "%{info}, User Name: %{username}"); + + var select12 = linear_select([ + part29, + dup14, + ]); + + var all9 = all_match({ + processors: [ + dup2, + dup27, + part28, + select12, + ], + on_success: processor_chain([ + dup6, + setc("vendor_event_cat"," ScriptControl"), + dup8, + dup25, + dup26, + ]), + }); + + var msg9 = msg("CylancePROTECT:09", all9); + + var part30 = match("MESSAGE#9:CylancePROTECT:10/1_0", "nwparser.p0", "[%{fld2}] Event Type: Threat, Event Name: %{p0}"); + + var part31 = match("MESSAGE#9:CylancePROTECT:10/1_1", "nwparser.p0", " %{fld4->} Event Type: Threat, Event Name: %{p0}"); + + var select13 = linear_select([ + part30, + part31, + ]); + + var part32 = match("MESSAGE#9:CylancePROTECT:10/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), File Name: %(unknown), Path: %{directory}, Drive Type: %{fld1}, SHA256: %{checksum}, MD5: %{fld3}, Status: %{event_state}, Cylance Score: %{reputation_num}, Found Date: %{fld5}, File Type: %{filetype}, Is Running: %{fld6}, Auto Run: %{fld7}, Detected By: %{fld8}, Zone Names: %{info}, Is Malware: %{fld10}, Is Unique To Cylance: %{fld11}, Threat Classification: %{sigtype}"); + + var all10 = all_match({ + processors: [ + dup2, + select13, + part32, + ], + on_success: processor_chain([ + dup6, + setc("vendor_event_cat"," Threat"), + dup8, + dup25, + dup26, + ]), + }); + + var msg10 = msg("CylancePROTECT:10", all10); + + var part33 = match("MESSAGE#10:CylancePROTECT:11/1_0", "nwparser.p0", "[%{fld2}] Event Type: AppControl, Event Name: %{p0}"); + + var part34 = match("MESSAGE#10:CylancePROTECT:11/1_1", "nwparser.p0", " %{fld5->} Event Type: AppControl, Event Name: %{p0}"); + + var select14 = linear_select([ + part33, + part34, + ]); + + var part35 = match("MESSAGE#10:CylancePROTECT:11/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Action Type: %{fld3}, File Path: %{directory}, 
SHA256: %{checksum}, Zone Names: %{info}"); + + var all11 = all_match({ + processors: [ + dup2, + select14, + part35, + ], + on_success: processor_chain([ + dup6, + setc("vendor_event_cat"," AppControl"), + dup25, + dup26, + ]), + }); + + var msg11 = msg("CylancePROTECT:11", all11); + + var part36 = match("MESSAGE#11:CylancePROTECT:15/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Threat Class: %{sigtype}, Threat Subclass: %{fld7}, SHA256: %{checksum}, MD5: %{fld8}"); + + var all12 = all_match({ + processors: [ + dup2, + dup28, + part36, + ], + on_success: processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), + }); + + var msg12 = msg("CylancePROTECT:15", all12); + + var part37 = match("MESSAGE#12:CylancePROTECT:14/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Names: (%{node}), Policy Name: %{policyname}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all13 = all_match({ + processors: [ + dup2, + dup28, + part37, + ], + on_success: processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), + }); + + var msg13 = msg("CylancePROTECT:14", all13); + + var part38 = match("MESSAGE#13:CylancePROTECT:13/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld6}, IP Address: (%{saddr}, %{fld15}), MAC Address: (%{macaddr}, %{fld16}), Logged On Users: (%{username}), OS: %{p0}"); + + var all14 = all_match({ + processors: [ + dup2, + dup28, + part38, + dup29, + ], + on_success: processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), + }); + + var msg14 = msg("CylancePROTECT:13", all14); + + var part39 = match("MESSAGE#14:CylancePROTECT:16/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS: %{p0}"); + + var all15 = all_match({ + processors: [ + dup2, + dup28, + part39, + dup29, + ], + on_success: 
processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), + }); + + var msg15 = msg("CylancePROTECT:16", all15); + + var part40 = match("MESSAGE#15:CylancePROTECT:25/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version}, Zone Names: %{info}, User Name: %{username}"); + + var all16 = all_match({ + processors: [ + dup2, + dup27, + part40, + ], + on_success: processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), + }); + + var msg16 = msg("CylancePROTECT:25", all16); + + var part41 = match("MESSAGE#16:CylancePROTECT:12/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, %{p0}"); + + var part42 = match("MESSAGE#16:CylancePROTECT:12/3_0", "nwparser.p0", "Device Name: %{node}, Zone Names:%{info}"); + + var part43 = match("MESSAGE#16:CylancePROTECT:12/3_1", "nwparser.p0", "Device Name: %{node}"); + + var part44 = match("MESSAGE#16:CylancePROTECT:12/3_2", "nwparser.p0", "%{fld1}"); + + var select15 = linear_select([ + part42, + part43, + part44, + ]); + + var all17 = all_match({ + processors: [ + dup2, + dup28, + part41, + select15, + ], + on_success: processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), + }); + + var msg17 = msg("CylancePROTECT:12", all17); + + var part45 = match("MESSAGE#17:CylancePROTECT:17/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, File Path:%(unknown), Interpreter:%{application}, Interpreter Version:%{version}, Zone Names:%{info}, User Name: %{p0}"); + + var part46 = match("MESSAGE#17:CylancePROTECT:17/1_0", "nwparser.p0", "%{username}, Device Id: %{fld3}, Policy Name: %{policyname}"); + + var part47 = match("MESSAGE#17:CylancePROTECT:17/1_1", "nwparser.p0", "%{username}"); + + var select16 = linear_select([ + part46, + part47, + ]); + + var all18 = all_match({ + processors: [ + part45, + select16, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), + }); + + var msg18 = 
msg("CylancePROTECT:17", all18); + + var part48 = match("MESSAGE#18:CylancePROTECT:18", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, Agent Version:%{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS:%{os}, Zone Names:%{info}", processor_chain([ + dup6, + dup19, + dup25, + dup26, + ])); + + var msg19 = msg("CylancePROTECT:18", part48); + + var part49 = match("MESSAGE#19:CylancePROTECT:19/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, External Device Type:%{device}, External Device Vendor ID:%{fld2}, External Device Name:%{fld3}, External Device Product ID:%{fld4}, External Device Serial Number:%{serial_number}, Zone Names:%{p0}"); + + var part50 = match("MESSAGE#19:CylancePROTECT:19/1_0", "nwparser.p0", "%{info}, Device Id: %{fld5}, Policy Name: %{policyname->} "); + + var select17 = linear_select([ + part50, + dup14, + ]); + + var all19 = all_match({ + processors: [ + part49, + select17, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), + }); + + var msg20 = msg("CylancePROTECT:19", all19); + + var part51 = match("MESSAGE#20:CylancePROTECT:20/0", "nwparser.payload", "Event Name:%{event_type}, Message: %{p0}"); + + var part52 = match("MESSAGE#20:CylancePROTECT:20/1_0", "nwparser.p0", "The Device%{p0}"); + + var part53 = match("MESSAGE#20:CylancePROTECT:20/1_1", "nwparser.p0", "Device%{p0}"); + + var select18 = linear_select([ + part52, + part53, + ]); + + var part54 = match("MESSAGE#20:CylancePROTECT:20/2", "nwparser.p0", ":%{node}was auto assigned %{p0}"); + + var part55 = match("MESSAGE#20:CylancePROTECT:20/3_0", "nwparser.p0", "to the%{p0}"); + + var part56 = match("MESSAGE#20:CylancePROTECT:20/3_1", "nwparser.p0", " to%{p0}"); + + var select19 = linear_select([ + part55, + part56, + ]); + + var part57 = match("MESSAGE#20:CylancePROTECT:20/4", "nwparser.p0", "%{}Zone:%{zone}, User:%{user_fname}"); + + var all20 = all_match({ + processors: [ + 
part51, + select18, + part54, + select19, + part57, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), + }); + + var msg21 = msg("CylancePROTECT:20", all20); + + var part58 = match("MESSAGE#21:CylancePROTECT:21", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, IP Address: (%{saddr}), File Name:%(unknown), Path:%{directory}, Drive Type:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}, Status:%{event_state}, Cylance Score:%{fld4}, Found Date:%{fld51}, File Type:%{fld6}, Is Running:%{fld7}, Auto Run:%{fld8}, Detected By:%{fld9}, Zone Names: (%{info}), Is Malware:%{fld10}, Is Unique To Cylance:%{fld11}, Threat Classification:%{sigtype}", processor_chain([ + dup6, + dup19, + dup25, + dup26, + date_time({ + dest: "effective_time", + args: ["fld51"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dN,dc(":"),dU,dc(":"),dO,dQ], + ], + }), + ])); + + var msg22 = msg("CylancePROTECT:21", part58); + + var part59 = match("MESSAGE#22:CylancePROTECT:22/0", "nwparser.payload", "Event Name:%{p0}"); + + var part60 = match("MESSAGE#22:CylancePROTECT:22/1_0", "nwparser.p0", " %{event_type}, Device Name: %{device}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names:%{p0}"); + + var part61 = match("MESSAGE#22:CylancePROTECT:22/1_1", "nwparser.p0", "%{event_type}, Device Name:%{node}, Zone Names:%{p0}"); + + var select20 = linear_select([ + part60, + part61, + ]); + + var all21 = all_match({ + processors: [ + part59, + select20, + dup30, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), + }); + + var msg23 = msg("CylancePROTECT:22", all21); + + var part62 = match("MESSAGE#23:CylancePROTECT:23", "nwparser.payload", "Event Name:%{event_type}, Threat Class:%{sigtype}, Threat Subclass:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}", processor_chain([ + dup6, + dup19, + dup25, + dup26, + ])); + + var msg24 = msg("CylancePROTECT:23", 
part62); + + var part63 = match("MESSAGE#24:CylancePROTECT:24/0", "nwparser.payload", "Event Name:%{event_type}, Message: Provider:%{fld3}, Source IP:%{saddr}, User: %{user_fname->} %{user_lname->} (%{p0}"); + + var part64 = match("MESSAGE#24:CylancePROTECT:24/1_0", "nwparser.p0", "%{mail_id})#015"); + + var part65 = match("MESSAGE#24:CylancePROTECT:24/1_1", "nwparser.p0", "%{mail_id})"); + + var select21 = linear_select([ + part64, + part65, + ]); + + var all22 = all_match({ + processors: [ + part63, + select21, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), + }); + + var msg25 = msg("CylancePROTECT:24", all22); + + var part66 = match("MESSAGE#25:CylancePROTECT:26/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Policy Changed: %{fld4->} to '%{policyname}', User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); + + var all23 = all_match({ + processors: [ + part66, + dup30, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), + }); + + var msg26 = msg("CylancePROTECT:26", all23); + + var part67 = match("MESSAGE#26:CylancePROTECT:27/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Zones Removed: %{p0}"); + + var part68 = match("MESSAGE#26:CylancePROTECT:27/1_0", "nwparser.p0", "%{fld4}; Zones Added: %{fld5},%{p0}"); + + var part69 = match("MESSAGE#26:CylancePROTECT:27/1_1", "nwparser.p0", "%{fld4},%{p0}"); + + var select22 = linear_select([ + part68, + part69, + ]); + + var part70 = match("MESSAGE#26:CylancePROTECT:27/2", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); + + var part71 = match("MESSAGE#26:CylancePROTECT:27/3_0", "nwparser.p0", "%{info->} Device Id: %{fld3}"); + + var select23 = linear_select([ + part71, + dup14, + ]); + + var all24 = all_match({ + processors: [ + part67, + select22, + part70, + select23, + ], + on_success: processor_chain([ + dup6, + dup19, + 
dup25, + dup26, + ]), + }); + + var msg27 = msg("CylancePROTECT:27", all24); + + var part72 = match("MESSAGE#27:CylancePROTECT:28/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device->} %{p0}"); + + var part73 = match("MESSAGE#27:CylancePROTECT:28/1_0", "nwparser.p0", "Agent Self Protection Level Changed: '%{change_old}' to '%{change_new}', User: %{user_fname->} %{user_lname->} (%{mail_id}),%{p0}"); + + var part74 = match("MESSAGE#27:CylancePROTECT:28/1_1", "nwparser.p0", "User: %{user_fname->} %{user_lname->} (%{mail_id}),%{p0}"); + + var select24 = linear_select([ + part73, + part74, + ]); + + var part75 = match("MESSAGE#27:CylancePROTECT:28/2", "nwparser.p0", "%{}Zone Names: %{info->} Device Id: %{fld3}"); + + var all25 = all_match({ + processors: [ + part72, + select24, + part75, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), + }); + + var msg28 = msg("CylancePROTECT:28", all25); + + var select25 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + ]); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "CylancePROTECT": select25, + }), + ]); + + var part76 = match("MESSAGE#0:CylancePROTECT:01/0", "nwparser.payload", "%{fld13->} %{fld14->} %{p0}"); + + var part77 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}"); + + var part78 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", " %{fld5->} Event Type: AuditLog, Event Name: %{p0}"); + + var part79 = match("MESSAGE#0:CylancePROTECT:01/5", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{mail_id})"); + + var part80 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); + + var part81 = match("MESSAGE#8:CylancePROTECT:09/1_0", 
"nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}"); + + var part82 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", " %{fld5->} Event Type: ScriptControl, Event Name: %{p0}"); + + var part83 = match("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "%{info}"); + + var part84 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}"); + + var part85 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", " %{fld5->} Event Type: %{p0}"); + + var part86 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}"); + + var part87 = match("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "%{os}"); + + var part88 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}"); + + var select26 = linear_select([ + dup3, + dup4, + ]); + + var select27 = linear_select([ + dup12, + dup13, + ]); + + var select28 = linear_select([ + dup15, + dup16, + ]); + + var select29 = linear_select([ + dup17, + dup18, + ]); + + var select30 = linear_select([ + dup20, + dup14, + ]); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/cylance/0.1.0/dataset/protect/elasticsearch/ingest_pipeline/default.yml b/packages/cylance/0.1.0/dataset/protect/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 0000000000..d6bca1e8c4 --- /dev/null +++ b/packages/cylance/0.1.0/dataset/protect/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,55 @@
+---
+description: Pipeline for CylanceProtect
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/cylance/0.1.0/dataset/protect/fields/base-fields.yml b/packages/cylance/0.1.0/dataset/protect/fields/base-fields.yml
new file mode 100644
index 0000000000..b294eaf20e
--- /dev/null
+++ b/packages/cylance/0.1.0/dataset/protect/fields/base-fields.yml
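Review bot: The `on_failure` handler at the end of the pipeline only appends the failure text to `error.message`; nothing marks the document itself as a failed ingestion, so events that hit the handler are indistinguishable from clean ones in a search or an alert rule unless someone remembers to check `error.message`. Other Elastic Agent packages set `event.kind` in the same block; adding `- set:` / `field: event.kind` / `value: pipeline_error` ahead of the `append` makes the failed documents filterable with one term query. This is a convention rather than a correctness bug, and the rest of the pipeline (geoip and rename steps all with `ignore_missing: true`) looks consistent with the other packages.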
@@ -0,0 +1,26 @@
+- name: datastream.type
+ type: constant_keyword
+ description: Datastream type.
+- name: datastream.dataset
+ type: constant_keyword
+ description: Datastream dataset.
+- name: datastream.namespace
+ type: constant_keyword
+ description: Datastream namespace.
+
+- name: dataset.type
+ type: constant_keyword
+ description: >
+ Dataset type.
+- name: dataset.name
+ type: constant_keyword
+ description: >
+ Dataset name.
+- name: dataset.namespace
+ type: constant_keyword
+ description: >
+ Dataset namespace.
+- name: "@timestamp"
+ type: date
+ description: >
+ Event timestamp.
diff --git a/packages/cylance/0.1.0/dataset/protect/fields/ecs.yml b/packages/cylance/0.1.0/dataset/protect/fields/ecs.yml
new file mode 100644
index 0000000000..92af91c339
--- /dev/null
+++ b/packages/cylance/0.1.0/dataset/protect/fields/ecs.yml
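Review bot: The file declares the same three concepts twice, once as `datastream.type`/`datastream.dataset`/`datastream.namespace` and again as `dataset.type`/`dataset.name`/`dataset.namespace`, all `constant_keyword`, and nothing says which triple is the current naming and which is kept for compatibility, so a maintainer cannot tell whether dropping one set is safe. A one-line `#` comment above the `dataset.type` entry stating which set is the legacy name and what still depends on it would settle that; I cannot tell the intent from this file alone. The two sets also use different description styles (inline string for `datastream.*`, folded `>` block for `dataset.*`); picking one keeps the file uniform.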
@@ -0,0 +1,836 @@ +- name: log + type: group + fields: + - name: original + level: core + type: keyword + ignore_above: 1024 + description: 'This is the original log message and contains the full log message + before splitting it up in multiple parts. + + In contrast to the `message` field which can contain an extracted part of the + log message, this field contains the original, full log message. It can have + already some modifications applied like encoding or new lines removed to clean + up the log message. + + This field is not indexed and doc_values are disabled so it can''t be queried + but the value can be retrieved from `_source`.' + example: Sep 19 08:26:10 localhost My log + - name: level + level: core + type: keyword + ignore_above: 1024 + description: 'Original log level of the log event. + + If the source of the event provides a log level or textual severity, this is + the one that goes in `log.level`. If your source doesn''t specify one, you may + put your event transport''s severity here (e.g. Syslog severity). + + Some examples are `warn`, `err`, `i`, `informational`.' + example: error + - name: syslog + type: group + fields: + - name: priority + level: extended + type: long + format: string + description: 'Syslog numeric priority of the event, if available. + + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. + This number is therefore expected to contain a value between 0 and 191.' + example: 135 + - name: facility + type: group + fields: + - name: code + level: extended + type: long + format: string + description: 'The Syslog numeric facility of the log event, if available. + + According to RFCs 5424 and 3164, this value should be an integer between + 0 and 23.' + example: 23 + - name: severity + type: group + fields: + - name: code + level: extended + type: long + description: 'The Syslog numeric severity of the log event, if available. 
+ + If the event source publishing via Syslog provides a different numeric severity + value (e.g. firewall, IDS), your source''s numeric severity should go to + `event.severity`. If the event source does not specify a distinct severity, + you can optionally copy the Syslog severity to `event.severity`.' + example: 3 +- name: event + type: group + fields: + - name: code + level: extended + type: keyword + ignore_above: 1024 + description: 'Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, regardless + of message language or wording adjustments over time. An example of this is + the Windows Event ID.' + example: 4648 + - name: action + level: core + type: keyword + ignore_above: 1024 + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is normally + defined by the implementer.' + example: user-password-change + - name: outcome + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + lowest level in the ECS category hierarchy. + + `event.outcome` simply denotes whether the event represents a success or a failure + from the perspective of the entity that produced the event. + + Note that when a single transaction is described in multiple events, each event + may populate different values of `event.outcome`, according to their perspective. + + Also note that in the case of a compound event (a single event that contains + multiple logical events), this field should be populated with the value that + best captures the overall success or failure from the perspective of the event + producer. + + Further note that not all events will have an associated outcome. 
For example, + this field is generally not populated for metric events, events with `event.type:info`, + or any events for which an outcome does not make logical sense.' + example: success + - name: category + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as a + subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + - name: timezone + level: extended + type: keyword + ignore_above: 1024 + description: 'This field should be populated when the event''s timestamp does + not include timezone information already (e.g. default Syslog timestamps). It''s + optional otherwise. + + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated + (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' +- name: '@timestamp' + level: core + required: true + type: date + description: 'Date/time when the event originated. + + This is the date/time extracted from the event, typically representing when the + event was generated by the source. + + If the event source has no original timestamp, this value is typically populated + by the first time the event was received by the pipeline. + + Required field for all events.' + example: '2016-05-23T08:05:34.853Z' +- name: user + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. 
+ example: albert + - name: full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifiers of the user. +- name: message + level: core + type: text + description: 'For log events the message field contains the log message, optimized + for viewing in a log viewer. + + For structured logs without an original message field, other fields can be concatenated + to form a human-readable summary of the event. + + If multiple messages exist, they can be combined into one message.' + example: Hello World +- name: source + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the source. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the source. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the source. + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. 
internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Source domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: host + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified + domain name, or a name specified by the user. The sender decides which value + to use.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. +- name: destination + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the destination. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the destination. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event destination addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. 
You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the destination to the source. + example: 184 + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the destination. + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of destination based NAT sessions (e.g. internet + to private DMZ) + + Typically used with load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Port the source session is translated to by NAT Device. + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Destination domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: network + type: group + fields: + - name: protocol + level: core + type: keyword + ignore_above: 1024 + description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: http + - name: application + level: extended + type: keyword + ignore_above: 1024 + description: 'A name given to an application level protocol. This can be arbitrarily + assigned for things like microservices, but also apply to things like skype, + icq, facebook, twitter. 
This would be used in situations where the vendor or + service can be decoded such as from the source/dest IP owners, ports, or wire + format. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: aim + - name: interface + type: group + fields: + - type: keyword + name: name + - name: bytes + level: core + type: long + format: bytes + description: 'Total bytes transferred in both directions. + + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their + sum.' + example: 368 + - name: direction + level: core + type: keyword + ignore_above: 1024 + description: "Direction of the network traffic.\nRecommended values are:\n *\ + \ inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen mapping\ + \ events from a host-based monitoring context, populate this field from the\ + \ host's point of view.\nWhen mapping events from a network or perimeter-based\ + \ monitoring context, populate this field from the point of view of your network\ + \ perimeter." + example: inbound + - name: packets + level: core + type: long + description: 'Total packets transferred in both directions. + + If `source.packets` and `destination.packets` are known, `network.packets` is + their sum.' + example: 24 + - name: forwarded_ip + level: core + type: ip + description: Host IP address when the source IP address is the proxy. + example: 192.1.1.2 +- name: observer + type: group + fields: + - name: version + level: core + type: keyword + ignore_above: 1024 + description: Observer version. + - name: product + level: extended + type: keyword + ignore_above: 1024 + description: The product name of the observer. + example: s200 + - name: ingress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. 
+ example: eth0 + default_field: false + - name: egress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. + example: eth0 + default_field: false +- name: file + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. + example: example.png + - name: directory + level: extended + type: keyword + ignore_above: 1024 + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + - name: size + level: extended + type: long + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: File type (file, dir, or symlink). + example: file + - name: extension + level: extended + type: keyword + ignore_above: 1024 + description: File extension. + example: png + - name: path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + - name: attributes + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' 
+ example: '["readonly", "system"]' + default_field: false +- name: url + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + - name: query + level: extended + type: keyword + ignore_above: 1024 + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there is + no query field. If there is a `?` but no query, the query field exists with + an empty string. The `exists` query can be used to differentiate between the + two cases.' + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field.' + example: www.elastic.co + - name: path + level: extended + type: keyword + ignore_above: 1024 + description: Path of the request, such as "/search". + - name: top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for google.com is "com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). 
Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.google.com" is "google.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: google.com +- name: service + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the service data is collected from. + + The name of the service is normally user given. This allows for distributed + services that run on multiple hosts to correlate the related instances based + on the name. + + In the case of Elasticsearch the `service.name` could contain the cluster name. + For Beats the `service.name` is by default a copy of the `service.type` field + if no name is specified.' + example: elasticsearch-metrics +- name: server + type: group + fields: + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Server domain. +- name: process + type: group + fields: + - name: pid + level: core + type: long + format: string + description: Process id. + example: 4242 + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + - name: ppid + level: extended + type: long + format: string + description: Parent process' pid. 
+ example: 4241 + - name: parent + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' +- name: rule + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: The name of the rule or signature generating the event. + example: BLOCK_DNS_over_TLS + default_field: false +- name: user_agent + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Unparsed user_agent string. + example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 + (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 +- name: http + type: group + fields: + - name: response + type: group + fields: + - name: body + type: group + fields: + - name: content + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: The full HTTP response body. 
+ example: Hello world + - name: request + type: group + fields: + - name: referrer + level: extended + type: keyword + ignore_above: 1024 + description: Referrer for this HTTP request. + example: https://blog.example.com/ + - name: method + level: extended + type: keyword + ignore_above: 1024 + description: 'HTTP request method. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: get, post, put +- name: geo + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + - name: region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec +- name: dns + type: group + fields: + - name: question + type: group + fields: + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of record being queried. + example: AAAA + - name: answers + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'The domain name to which this resource record pertains. + + If a chain of CNAME is being resolved, each answer''s `name` should be the + one that corresponds with the answer''s `data`. It should not simply be the + original `question.name` repeated.' + example: www.google.com + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of data contained in this resource record. 
+ example: CNAME diff --git a/packages/cylance/0.1.0/dataset/protect/fields/fields.yml b/packages/cylance/0.1.0/dataset/protect/fields/fields.yml new file mode 100644 index 0000000000..2abc947fe7 --- /dev/null +++ b/packages/cylance/0.1.0/dataset/protect/fields/fields.yml 
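Review bot: The `log.original` entry's description states that the field "is not indexed and doc_values are disabled so it can't be queried", but the mapping given is `type: keyword` with `ignore_above: 1024` and nothing else, so the field will be indexed and have doc_values; either the text or the mapping is wrong. Since `log.original` holds the full raw Cylance message, which may carry hostnames, user names and file paths, the safer reading is the description: add `index: false` and `doc_values: false` under `- name: original`, matching the ECS definition the text was copied from, or otherwise correct the description to say the field is queryable. Separately, `ignore_above: 1024` on a raw-log field means messages longer than 1 KiB are silently unindexed today, which is another reason to make the non-indexed intent explicit rather than accidental.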
@@ -0,0 +1,1939 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. 
+ - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session
+ (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: mcb_req
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte
+ request is simply which byte for each side (0 thru 255) was seen the most
+ - name: mcb_res
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte
+ response is simply which byte for each side (0 thru 255) was seen the most
+ - name: mcbc_req
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte
+ count is the number of times the most common byte (above) was seen in the
+ session streams
+ - name: mcbc_res
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte
+ count is the number of times the most common byte (above) was seen in the
+ session streams
+ - name: medium
+ type: long
+ description: "This key is used to identify if it\u2019s a log/packet session\
+ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
+ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
+ \ 32 = log, 33 = correlation session, < 32 is packet session"
+ - name: node_name
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: nwe_callback_id
+ type: keyword
+ description: This key denotes that event is endpoint related
+ - name: parse_error
+ type: keyword
+ description: This is a special key that stores any Meta key validation error
+ found while parsing a log session. This key should never be used to parse
+ Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
+ NetWitness
+ - name: payload_req
+ type: long
+ description: This key is only used by the Entropy Parser, the payload size metrics
+ are the payload sizes of each session side at the time of parsing. However,
+ in order to keep
+ - name: payload_res
+ type: long
+ description: This key is only used by the Entropy Parser, the payload size metrics
+ are the payload sizes of each session side at the time of parsing. However,
+ in order to keep
+ - name: process_vid_dst
+ type: keyword
+ description: Endpoint generates and uses a unique virtual ID to identify any
+ similar group of process. This ID represents the target process.
+ - name: process_vid_src
+ type: keyword
+ description: Endpoint generates and uses a unique virtual ID to identify any
+ similar group of process. This ID represents the source process.
+ - name: rid
+ type: long
+ description: This is a special ID of the Remote Session created by NetWitness
+ Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
+ Directly, this is a Reserved key in NetWitness
+ - name: session_split
+ type: keyword
+ description: This key should never be used to parse Meta data from a session
+ (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: site
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: size
+ type: long
+ description: This is the size of the session as seen by the NetWitness Decoder.
+ This key should never be used to parse Meta data from a session (Logs/Packets)
+ Directly, this is a Reserved key in NetWitness
+ - name: sourcefile
+ type: keyword
+ description: This is the name of the log file or PCAPs that can be imported
+ into NetWitness. This key should never be used to parse Meta data from a session
+ (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: ubc_req
+ type: long
+ description: This key is only used by the Entropy Parser, Unique byte count
+ is the number of unique bytes seen in each stream. 256 would mean all byte
+ values of 0 thru 255 were seen at least once
+ - name: ubc_res
+ type: long
+ description: This key is only used by the Entropy Parser, Unique byte count
+ is the number of unique bytes seen in each stream. 256 would mean all byte
+ values of 0 thru 255 were seen at least once
+ - name: word
+ type: keyword
+ description: This is used by the Word Parsing technology to capture the first
+ 5 character of every word in an unparsed log
+ - name: time
+ type: group
+ fields:
+ - name: event_time
+ type: date
+ description: This key is used to capture the time mentioned in a raw session
+ that represents the actual time an event occured in a standard normalized
+ form
+ - name: duration_time
+ type: double
+ description: This key is used to capture the normalized duration/lifetime in
+ seconds.
+ - name: event_time_str
+ type: keyword
+ description: This key is used to capture the incomplete time mentioned in a
+ session as a string
+ - name: starttime
+ type: date
+ description: This key is used to capture the Start time mentioned in a session
+ in a standard form
+ - name: month
+ type: keyword
+ - name: day
+ type: keyword
+ - name: endtime
+ type: date
+ description: This key is used to capture the End time mentioned in a session
+ in a standard form
+ - name: timezone
+ type: keyword
+ description: This key is used to capture the timezone of the Event Time
+ - name: duration_str
+ type: keyword
+ description: A text string version of the duration
+ - name: date
+ type: keyword
+ - name: year
+ type: keyword
+ - name: recorded_time
+ type: date
+ description: The event time as recorded by the system the event is collected
+ from. The usage scenario is a multi-tier application where the management
+ layer of the system records it's own timestamp at the time of collection from
+ its child nodes. Must be in timestamp format.
+ - name: datetime
+ type: keyword
+ - name: effective_time
+ type: date
+ description: This key is the effective time referenced by an individual event
+ in a Standard Timestamp format
+ - name: expire_time
+ type: date
+ description: This key is the timestamp that explicitly refers to an expiration.
+ - name: process_time
+ type: keyword
+ description: Deprecated, use duration.time
+ - name: hour
+ type: keyword
+ - name: min
+ type: keyword
+ - name: timestamp
+ type: keyword
+ - name: event_queue_time
+ type: date
+ description: This key is the Time that the event was queued.
+ - name: p_time1
+ type: keyword
+ - name: tzone
+ type: keyword
+ - name: eventtime
+ type: keyword
+ - name: gmtdate
+ type: keyword
+ - name: gmttime
+ type: keyword
+ - name: p_date
+ type: keyword
+ - name: p_month
+ type: keyword
+ - name: p_time
+ type: keyword
+ - name: p_time2
+ type: keyword
+ - name: p_year
+ type: keyword
+ - name: expire_time_str
+ type: keyword
+ description: This key is used to capture incomplete timestamp that explicitly
+ refers to an expiration.
+ - name: stamp
+ type: date
+ description: Deprecated key defined only in table map.
+ - name: misc
+ type: group
+ fields:
+ - name: action
+ type: keyword
+ - name: result
+ type: keyword
+ description: This key is used to capture the outcome/result string value of
+ an action in a session.
+ - name: severity
+ type: keyword
+ description: This key is used to capture the severity given the session
+ - name: event_type
+ type: keyword
+ description: This key captures the event category type as specified by the event
+ source.
+ - name: reference_id
+ type: keyword
+ description: This key is used to capture an event id from the session directly
+ - name: version
+ type: keyword
+ description: This key captures Version of the application or OS which is generating
+ the event.
+ - name: disposition
+ type: keyword
+ description: This key captures the The end state of an action.
+ - name: result_code
+ type: keyword
+ description: This key is used to capture the outcome/result numeric value of
+ an action in a session
+ - name: category
+ type: keyword
+ description: This key is used to capture the category of an event given by the
+ vendor in the session
+ - name: obj_name
+ type: keyword
+ description: This is used to capture name of object
+ - name: obj_type
+ type: keyword
+ description: This is used to capture type of object
+ - name: event_source
+ type: keyword
+ description: "This key captures Source of the event that\u2019s not a hostname"
+ - name: log_session_id
+ type: keyword
+ description: This key is used to capture a sessionid from the session directly
+ - name: group
+ type: keyword
+ description: This key captures the Group Name value
+ - name: policy_name
+ type: keyword
+ description: This key is used to capture the Policy Name only.
+ - name: rule_name
+ type: keyword
+ description: This key captures the Rule Name
+ - name: context
+ type: keyword
+ description: This key captures Information which adds additional context to
+ the event.
+ - name: change_new
+ type: keyword
+ description: "This key is used to capture the new values of the attribute that\u2019\
+ s changing in a session"
+ - name: space
+ type: keyword
+ - name: client
+ type: keyword
+ description: This key is used to capture only the name of the client application
+ requesting resources of the server. See the user.agent meta key for capture
+ of the specific user agent identifier or browser identification string.
+ - name: msgIdPart1
+ type: keyword
+ - name: msgIdPart2
+ type: keyword
+ - name: change_old
+ type: keyword
+ description: "This key is used to capture the old value of the attribute that\u2019\
+ s changing in a session"
+ - name: operation_id
+ type: keyword
+ description: An alert number or operation number. The values should be unique
+ and non-repeating.
+ - name: event_state
+ type: keyword
+ description: This key captures the current state of the object/item referenced
+ within the event. Describing an on-going event.
+ - name: group_object
+ type: keyword
+ description: This key captures a collection/grouping of entities. Specific usage
+ - name: node
+ type: keyword
+ description: Common use case is the node name within a cluster. The cluster
+ name is reflected by the host name.
+ - name: rule
+ type: keyword
+ description: This key captures the Rule number
+ - name: device_name
+ type: keyword
+ description: 'This is used to capture name of the Device associated with the
+ node Like: a physical disk, printer, etc'
+ - name: param
+ type: keyword
+ description: This key is the parameters passed as part of a command or application,
+ etc.
+ - name: change_attrib
+ type: keyword
+ description: "This key is used to capture the name of the attribute that\u2019\
+ s changing in a session"
+ - name: event_computer
+ type: keyword
+ description: This key is a windows only concept, where this key is used to capture
+ fully qualified domain name in a windows log.
+ - name: reference_id1
+ type: keyword
+ description: This key is for Linked ID to be used as an addition to "reference.id"
+ - name: event_log
+ type: keyword
+ description: This key captures the Name of the event log
+ - name: OS
+ type: keyword
+ description: This key captures the Name of the Operating System
+ - name: terminal
+ type: keyword
+ description: This key captures the Terminal Names only
+ - name: msgIdPart3
+ type: keyword
+ - name: filter
+ type: keyword
+ description: This key captures Filter used to reduce result set
+ - name: serial_number
+ type: keyword
+ description: This key is the Serial number associated with a physical asset.
+ - name: checksum
+ type: keyword
+ description: This key is used to capture the checksum or hash of the entity
+ such as a file or process. Checksum should be used over checksum.src or checksum.dst
+ when it is unclear whether the entity is a source or target of an action.
+ - name: event_user
+ type: keyword
+ description: This key is a windows only concept, where this key is used to capture
+ combination of domain name and username in a windows log.
+ - name: virusname
+ type: keyword
+ description: This key captures the name of the virus
+ - name: content_type
+ type: keyword
+ description: This key is used to capture Content Type only.
+ - name: group_id
+ type: keyword
+ description: This key captures Group ID Number (related to the group name)
+ - name: policy_id
+ type: keyword
+ description: This key is used to capture the Policy ID only, this should be
+ a numeric value, use policy.name otherwise
+ - name: vsys
+ type: keyword
+ description: This key captures Virtual System Name
+ - name: connection_id
+ type: keyword
+ description: This key captures the Connection ID
+ - name: reference_id2
+ type: keyword
+ description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
+ or "reference.id1" value but should not be used unless the other two variables
+ are in play.
+ - name: sensor
+ type: keyword
+ description: This key captures Name of the sensor. Typically used in IDS/IPS
+ based devices
+ - name: sig_id
+ type: long
+ description: This key captures IDS/IPS Int Signature ID
+ - name: port_name
+ type: keyword
+ description: 'This key is used for Physical or logical port connection but does
+ NOT include a network port. (Example: Printer port name).'
+ - name: rule_group
+ type: keyword
+ description: This key captures the Rule group name
+ - name: risk_num
+ type: double
+ description: This key captures a Numeric Risk value
+ - name: trigger_val
+ type: keyword
+ description: This key captures the Value of the trigger or threshold condition.
+ - name: log_session_id1
+ type: keyword
+ description: This key is used to capture a Linked (Related) Session ID from
+ the session directly
+ - name: comp_version
+ type: keyword
+ description: This key captures the Version level of a sub-component of a product.
+ - name: content_version
+ type: keyword
+ description: This key captures Version level of a signature or database content.
+ - name: hardware_id
+ type: keyword
+ description: This key is used to capture unique identifier for a device or system
+ (NOT a Mac address)
+ - name: risk
+ type: keyword
+ description: This key captures the non-numeric risk value
+ - name: event_id
+ type: keyword
+ - name: reason
+ type: keyword
+ - name: status
+ type: keyword
+ - name: mail_id
+ type: keyword
+ description: This key is used to capture the mailbox id/name
+ - name: rule_uid
+ type: keyword
+ description: This key is the Unique Identifier for a rule.
+ - name: trigger_desc
+ type: keyword
+ description: This key captures the Description of the trigger or threshold condition.
+ - name: inout
+ type: keyword
+ - name: p_msgid
+ type: keyword
+ - name: data_type
+ type: keyword
+ - name: msgIdPart4
+ type: keyword
+ - name: error
+ type: keyword
+ description: This key captures All non successful Error codes or responses
+ - name: index
+ type: keyword
+ - name: listnum
+ type: keyword
+ description: This key is used to capture listname or listnumber, primarily for
+ collecting access-list
+ - name: ntype
+ type: keyword
+ - name: observed_val
+ type: keyword
+ description: This key captures the Value observed (from the perspective of the
+ device generating the log).
+ - name: policy_value
+ type: keyword
+ description: This key captures the contents of the policy. This contains details
+ about the policy
+ - name: pool_name
+ type: keyword
+ description: This key captures the name of a resource pool
+ - name: rule_template
+ type: keyword
+ description: A default set of parameters which are overlayed onto a rule (or
+ rulename) which efffectively constitutes a template
+ - name: count
+ type: keyword
+ - name: number
+ type: keyword
+ - name: sigcat
+ type: keyword
+ - name: type
+ type: keyword
+ - name: comments
+ type: keyword
+ description: Comment information provided in the log message
+ - name: doc_number
+ type: long
+ description: This key captures File Identification number
+ - name: expected_val
+ type: keyword
+ description: This key captures the Value expected (from the perspective of the
+ device generating the log).
+ - name: job_num
+ type: keyword
+ description: This key captures the Job Number
+ - name: spi_dst
+ type: keyword
+ description: Destination SPI Index
+ - name: spi_src
+ type: keyword
+ description: Source SPI Index
+ - name: code
+ type: keyword
+ - name: agent_id
+ type: keyword
+ description: This key is used to capture agent id
+ - name: message_body
+ type: keyword
+ description: This key captures the The contents of the message body.
+ - name: phone
+ type: keyword
+ - name: sig_id_str
+ type: keyword
+ description: This key captures a string object of the sigid variable.
+ - name: cmd
+ type: keyword
+ - name: misc
+ type: keyword
+ - name: name
+ type: keyword
+ - name: cpu
+ type: long
+ description: This key is the CPU time used in the execution of the event being
+ recorded.
+ - name: event_desc
+ type: keyword
+ description: This key is used to capture a description of an event available
+ directly or inferred
+ - name: sig_id1
+ type: long
+ description: This key captures IDS/IPS Int Signature ID. This must be linked
+ to the sig.id
+ - name: im_buddyid
+ type: keyword
+ - name: im_client
+ type: keyword
+ - name: im_userid
+ type: keyword
+ - name: pid
+ type: keyword
+ - name: priority
+ type: keyword
+ - name: context_subject
+ type: keyword
+ description: This key is to be used in an audit context where the subject is
+ the object being identified
+ - name: context_target
+ type: keyword
+ - name: cve
+ type: keyword
+ description: This key captures CVE (Common Vulnerabilities and Exposures) -
+ an identifier for known information security vulnerabilities.
+ - name: fcatnum
+ type: keyword
+ description: This key captures Filter Category Number. Legacy Usage
+ - name: library
+ type: keyword
+ description: This key is used to capture library information in mainframe devices
+ - name: parent_node
+ type: keyword
+ description: This key captures the Parent Node Name. Must be related to node
+ variable.
+ - name: risk_info
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: tcp_flags
+ type: long
+ description: This key is captures the TCP flags set in any packet of session
+ - name: tos
+ type: long
+ description: This key describes the type of service
+ - name: vm_target
+ type: keyword
+ description: VMWare Target **VMWARE** only varaible.
+ - name: workspace
+ type: keyword
+ description: This key captures Workspace Description
+ - name: command
+ type: keyword
+ - name: event_category
+ type: keyword
+ - name: facilityname
+ type: keyword
+ - name: forensic_info
+ type: keyword
+ - name: jobname
+ type: keyword
+ - name: mode
+ type: keyword
+ - name: policy
+ type: keyword
+ - name: policy_waiver
+ type: keyword
+ - name: second
+ type: keyword
+ - name: space1
+ type: keyword
+ - name: subcategory
+ type: keyword
+ - name: tbdstr2
+ type: keyword
+ - name: alert_id
+ type: keyword
+ description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: checksum_dst
+ type: keyword
+ description: This key is used to capture the checksum or hash of the the target
+ entity such as a process or file.
+ - name: checksum_src
+ type: keyword
+ description: This key is used to capture the checksum or hash of the source
+ entity such as a file or process.
+ - name: fresult
+ type: long
+ description: This key captures the Filter Result
+ - name: payload_dst
+ type: keyword
+ description: This key is used to capture destination payload
+ - name: payload_src
+ type: keyword
+ description: This key is used to capture source payload
+ - name: pool_id
+ type: keyword
+ description: This key captures the identifier (typically numeric field) of a
+ resource pool
+ - name: process_id_val
+ type: keyword
+ description: This key is a failure key for Process ID when it is not an integer
+ value
+ - name: risk_num_comm
+ type: double
+ description: This key captures Risk Number Community
+ - name: risk_num_next
+ type: double
+ description: This key captures Risk Number NextGen
+ - name: risk_num_sand
+ type: double
+ description: This key captures Risk Number SandBox
+ - name: risk_num_static
+ type: double
+ description: This key captures Risk Number Static
+ - name: risk_suspicious
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: risk_warning
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: snmp_oid
+ type: keyword
+ description: SNMP Object Identifier
+ - name: sql
+ type: keyword
+ description: This key captures the SQL query
+ - name: vuln_ref
+ type: keyword
+ description: This key captures the Vulnerability Reference details
+ - name: acl_id
+ type: keyword
+ - name: acl_op
+ type: keyword
+ - name: acl_pos
+ type: keyword
+ - name: acl_table
+ type: keyword
+ - name: admin
+ type: keyword
+ - name: alarm_id
+ type: keyword
+ - name: alarmname
+ type: keyword
+ - name: app_id
+ type: keyword
+ - name: audit
+ type: keyword
+ - name: audit_object
+ type: keyword
+ - name: auditdata
+ type: keyword
+ - name: benchmark
+ type: keyword
+ - name: bypass
+ type: keyword
+ - name: cache
+ type: keyword
+ - name: cache_hit
+ type: keyword
+ - name: cefversion
+ type: keyword
+ - name: cfg_attr
+ type: keyword
+ - name: cfg_obj
+ type: keyword
+ - name: cfg_path
+ type: keyword
+ - name: changes
+ type: keyword
+ - name: client_ip
+ type: keyword
+ - name: clustermembers
+ type: keyword
+ - name: cn_acttimeout
+ type: keyword
+ - name: cn_asn_src
+ type: keyword
+ - name: cn_bgpv4nxthop
+ type: keyword
+ - name: cn_ctr_dst_code
+ type: keyword
+ - name: cn_dst_tos
+ type: keyword
+ - name: cn_dst_vlan
+ type: keyword
+ - name: cn_engine_id
+ type: keyword
+ - name: cn_engine_type
+ type: keyword
+ - name: cn_f_switch
+ type: keyword
+ - name: cn_flowsampid
+ type: keyword
+ - name: cn_flowsampintv
+ type: keyword
+ - name: cn_flowsampmode
+ type: keyword
+ - name: cn_inacttimeout
+ type: keyword
+ - name: cn_inpermbyts
+ type: keyword
+ - name: cn_inpermpckts
+ type: keyword
+ - name: cn_invalid
+ type: keyword
+ - name: cn_ip_proto_ver
+ type: keyword
+ - name: cn_ipv4_ident
+ type: keyword
+ - name: cn_l_switch
+ type: keyword
+ - name: cn_log_did
+ type: keyword
+ - name: cn_log_rid
+ type: keyword
+ - name: cn_max_ttl
+ type: keyword
+ - name: cn_maxpcktlen
+ type: keyword
+ - name: cn_min_ttl
+ type: keyword
+ - name: cn_minpcktlen
+ type: keyword
+ - name: cn_mpls_lbl_1
+ type: keyword
+ - name: cn_mpls_lbl_10
+ type: keyword
+ - name: cn_mpls_lbl_2
+ type: keyword
+ - name: cn_mpls_lbl_3
+ type: keyword
+ - name: cn_mpls_lbl_4
+ type: keyword
+ - name: cn_mpls_lbl_5
+ type: keyword
+ - name: cn_mpls_lbl_6
+ type: keyword
+ - name: cn_mpls_lbl_7
+ type: keyword
+ - name: cn_mpls_lbl_8
+ type: keyword
+ - name: cn_mpls_lbl_9
+ type: keyword
+ - name: cn_mplstoplabel
+ type: keyword
+ - name: cn_mplstoplabip
+ type: keyword
+ - name: cn_mul_dst_byt
+ type: keyword
+ - name: cn_mul_dst_pks
+ type: keyword
+ - name: cn_muligmptype
+ type: keyword
+ - name: cn_sampalgo
+ type: keyword
+ - name: cn_sampint
+ type: keyword
+ - name: cn_seqctr
+ type: keyword
+ - name: cn_spackets
+ type: keyword
+ - name: cn_src_tos
+ type: keyword
+ - name: cn_src_vlan
+ type: keyword
+ - name: cn_sysuptime
+ type: keyword
+ - name: cn_template_id
+ type: keyword
+ - name: cn_totbytsexp
+ type: keyword
+ - name: cn_totflowexp
+ type: keyword
+ - name: cn_totpcktsexp
+ type: keyword
+ - name: cn_unixnanosecs
+ type: keyword
+ - name: cn_v6flowlabel
+ type: keyword
+ - name: cn_v6optheaders
+ type: keyword
+ - name: comp_class
+ type: keyword
+ - name: comp_name
+ type: keyword
+ - name: comp_rbytes
+ type: keyword
+ - name: comp_sbytes
+ type: keyword
+ - name: cpu_data
+ type: keyword
+ - name: criticality
+ type: keyword
+ - name: cs_agency_dst
+ type: keyword
+ - name: cs_analyzedby
+ type: keyword
+ - name: cs_av_other
+ type: keyword
+ - name: cs_av_primary
+ type: keyword
+ - name: cs_av_secondary
+ type: keyword
+ - name: cs_bgpv6nxthop
+ type: keyword
+ - name: cs_bit9status
+ type: keyword
+ - name: cs_context
+ type: keyword
+ - name: cs_control
+ type: keyword
+ - name: cs_data
+ type: keyword
+ - name: cs_datecret
+ type: keyword
+ - name: cs_dst_tld
+ type: keyword
+ - name: cs_eth_dst_ven
+ type: keyword
+ - name: cs_eth_src_ven
+ type: keyword
+ - name: cs_event_uuid
+ type: keyword
+ - name: cs_filetype
+ type: keyword
+ - name: cs_fld
+ type: keyword
+ - name: cs_if_desc
+ type: keyword
+ - name: cs_if_name
+ type: keyword
+ - name: cs_ip_next_hop
+ type: keyword
+ - name: cs_ipv4dstpre
+ type: keyword
+ - name: cs_ipv4srcpre
+ type: keyword
+ - name: cs_lifetime
+ type: keyword
+ - name: cs_log_medium
+ type: keyword
+ - name: cs_loginname
+ type: keyword
+ - name: cs_modulescore
+ type: keyword
+ - name: cs_modulesign
+ type: keyword
+ - name: cs_opswatresult
+ type: keyword
+ - name: cs_payload
+ type: keyword
+ - name: cs_registrant
+ type: keyword
+ - name: cs_registrar
+ type: keyword
+ - name: cs_represult
+ type: keyword
+ - name: cs_rpayload
+ type: keyword
+ - name: cs_sampler_name
+ type: keyword
+ - name: cs_sourcemodule
+ type: keyword
+ - name: cs_streams
+ type: keyword
+ - name: cs_targetmodule
+ type: keyword
+ - name: cs_v6nxthop
+ type: keyword
+ - name: cs_whois_server
+ type: keyword
+ - name: cs_yararesult
+ type: keyword
+ - name: description
+ type: keyword
+ - name: devvendor
+ type: keyword
+ - name: distance
+ type: keyword
+ - name: dstburb
+ type: keyword
+ - name: edomain
+ type: keyword
+ - name: edomaub
+ type: keyword
+ - name: euid
+ type: keyword
+ - name: facility
+ type: keyword
+ - name: finterface
+ type: keyword
+ - name: flags
+ type: keyword
+ - name: gaddr
+ type: keyword
+ - name: id3
+ type: keyword
+ - name: im_buddyname
+ type: keyword
+ - name: im_croomid
+ type: keyword
+ - name: im_croomtype
+ type: keyword
+ - name: im_members
+ type: keyword
+ - name: im_username
+ type: keyword
+ - name: ipkt
+ type: keyword
+ - name: ipscat
+ type: keyword
+ - name: ipspri
+ type: keyword
+ - name: latitude
+ type: keyword
+ - name: linenum
+ type: keyword
+ - name: list_name
+ type: keyword
+ - name: load_data
+ type: keyword
+ - name: location_floor
+ type: keyword
+ - name: location_mark
+ type: keyword
+ - name: log_id
+ type: keyword
+ - name: log_type
+ type: keyword
+ - name: logid
+ type: keyword
+ - name: logip
+ type: keyword
+ - name: logname
+ type: keyword
+ - name: longitude
+ type: keyword
+ - name: lport
+ type: keyword
+ - name: mbug_data
+ type: keyword
+ - name: misc_name
+ type: keyword
+ - name: msg_type
+ type: keyword
+ - name: msgid
+ type: keyword
+ - name: netsessid
+ type: keyword
+ - name: num
+ type: keyword
+ - name: number1
+ type: keyword
+ - name: number2
+ type: keyword
+ - name: nwwn
+ type: keyword
+ - name: object
+ type: keyword
+ - name: operation
+ type: keyword
+ - name: opkt
+ type: keyword
+ - name: orig_from
+ type: keyword
+ - name: owner_id
+ type: keyword
+ - name: p_action
+ type: keyword
+ - name: p_filter
+ type: keyword
+ - name: p_group_object
+ type: keyword
+ - name: p_id
+ type: keyword
+ - name: p_msgid1
+ type: keyword
+ - name: p_msgid2
+ type: keyword
+ - name: p_result1
+ type: keyword
+ - name: password_chg
+ type: keyword
+ - name: password_expire
+ type: keyword
+ - name: permgranted
+ type: keyword
+ - name: permwanted
+ type: keyword
+ - name: pgid
+ type: keyword
+ - name: policyUUID
+ type: keyword
+ - name: prog_asp_num
+ type: keyword
+ - name: program
+ type: keyword
+ - name: real_data
+ type: keyword
+ - name: rec_asp_device
+ type: keyword
+ - name: rec_asp_num
+ type: keyword
+ - name: rec_library
+ type: keyword
+ - name: recordnum
+ type: keyword
+ - name: ruid
+ type: keyword
+ - name: sburb
+ type: keyword
+ - name: sdomain_fld
+ type: keyword
+ - name: sec
+ type: keyword
+ - name: sensorname
+ type: keyword
+ - name: seqnum
+ type: keyword
+ - name: session
+ type: keyword
+ - name: sessiontype
+ type: keyword
+ - name: sigUUID
+ type: keyword
+ - name: spi
+ type: keyword
+ - name: srcburb
+ type: keyword
+ - name: srcdom
+ type: keyword
+ - name: srcservice
+ type: keyword
+ - name: state
+ type: keyword
+ - name: status1
+ type: keyword
+ - name: svcno
+ type: keyword
+ - name: system
+ type: keyword
+ - name: tbdstr1
+ type: keyword
+ - name: tgtdom
+ type: keyword
+ - name: tgtdomain
+ type: keyword
+ - name: threshold
+ type: keyword
+ - name: type1
+ type: keyword
+ - name: udb_class
+ type: keyword
+ - name: url_fld
+ type: keyword
+ - name: user_div
+ type: keyword
+ - name: userid
+ type: keyword
+ - name: username_fld
+ type: keyword
+ - name: utcstamp
+ type: keyword
+ - name: v_instafname
+ type: keyword
+ - name: virt_data
+ type: keyword
+ - name: vpnid
+ type: keyword
+ - name: autorun_type
+ type: keyword
+ description: This is used to capture Auto Run type
+ - name: cc_number
+ type: long
+ description: Valid Credit Card Numbers only
+ - name: content
+ type: keyword
+ description: This key captures the content type from protocol headers
+ - name: ein_number
+ type: long
+ description: Employee Identification Numbers only
+ - name: found
+ type: keyword
+ description: This is used to capture the results of regex match
+ - name: language
+ type: keyword
+ description: This is used to capture list of languages the client support and
+ what it prefers
+ - name: lifetime
+ type: long
+ description: This key is used to capture the session lifetime in seconds.
+ - name: link
+ type: keyword
+ description: This key is used to link the sessions together. This key should
+ never be used to parse Meta data from a session (Logs/Packets) Directly, this
+ is a Reserved key in NetWitness
+ - name: match
+ type: keyword
+ description: This key is for regex match name from search.ini
+ - name: param_dst
+ type: keyword
+ description: This key captures the command line/launch argument of the target
+ process or file
+ - name: param_src
+ type: keyword
+ description: This key captures source parameter
+ - name: search_text
+ type: keyword
+ description: This key captures the Search Text used
+ - name: sig_name
+ type: keyword
+ description: This key is used to capture the Signature Name only.
+ - name: snmp_value
+ type: keyword
+ description: SNMP set request value
+ - name: streams
+ type: long
+ description: This key captures number of streams in session
+ - name: db
+ type: group
+ fields:
+ - name: index
+ type: keyword
+ description: This key captures IndexID of the index.
+ - name: instance
+ type: keyword
+ description: This key is used to capture the database server instance name
+ - name: database
+ type: keyword
+ description: This key is used to capture the name of a database or an instance
+ as seen in a session
+ - name: transact_id
+ type: keyword
+ description: This key captures the SQL transantion ID of the current session
+ - name: permissions
+ type: keyword
+ description: This key captures permission or privilege level assigned to a resource.
+ - name: table_name
+ type: keyword
+ description: This key is used to capture the table name
+ - name: db_id
+ type: keyword
+ description: This key is used to capture the unique identifier for a database
+ - name: db_pid
+ type: long
+ description: This key captures the process id of a connection with database
+ server
+ - name: lread
+ type: long
+ description: This key is used for the number of logical reads
+ - name: lwrite
+ type: long
+ description: This key is used for the number of logical writes
+ - name: pread
+ type: long
+ description: This key is used for the number of physical writes
+ - name: network
+ type: group
+ fields:
+ - name: alias_host
+ type: keyword
+ description: This key should be used when the source or destination context
+ of a hostname is not clear.Also it captures the Device Hostname. Any Hostname
+ that isnt ad.computer.
+ - name: domain
+ type: keyword
+ - name: host_dst
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Hostname"
+ - name: network_service
+ type: keyword
+ description: This is used to capture layer 7 protocols/service names
+ - name: interface
+ type: keyword
+ description: This key should be used when the source or destination context
+ of an interface is not clear
+ - name: network_port
+ type: long
+ description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
+ used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
+ - name: eth_host
+ type: keyword
+ description: Deprecated, use alias.mac
+ - name: sinterface
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Interface"
+ - name: dinterface
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Interface"
+ - name: vlan
+ type: long
+ description: This key should only be used to capture the ID of the Virtual LAN
+ - name: zone_src
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Zone."
+ - name: zone
+ type: keyword
+ description: This key should be used when the source or destination context
+ of a Zone is not clear
+ - name: zone_dst
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Zone."
+ - name: gateway
+ type: keyword
+ description: This key is used to capture the IP Address of the gateway
+ - name: icmp_type
+ type: long
+ description: This key is used to capture the ICMP type only
+ - name: mask
+ type: keyword
+ description: This key is used to capture the device network IPmask.
+ - name: icmp_code
+ type: long
+ description: This key is used to capture the ICMP code only
+ - name: protocol_detail
+ type: keyword
+ description: This key should be used to capture additional protocol information
+ - name: dmask
+ type: keyword
+ description: This key is used for Destionation Device network mask
+ - name: port
+ type: long
+ description: This key should only be used to capture a Network Port when the
+ directionality is not clear
+ - name: smask
+ type: keyword
+ description: This key is used for capturing source Network Mask
+ - name: netname
+ type: keyword
+ description: This key is used to capture the network name associated with an
+ IP range. This is configured by the end user.
+ - name: paddr
+ type: ip
+ description: Deprecated
+ - name: faddr
+ type: keyword
+ - name: lhost
+ type: keyword
+ - name: origin
+ type: keyword
+ - name: remote_domain_id
+ type: keyword
+ - name: addr
+ type: keyword
+ - name: dns_a_record
+ type: keyword
+ - name: dns_ptr_record
+ type: keyword
+ - name: fhost
+ type: keyword
+ - name: fport
+ type: keyword
+ - name: laddr
+ type: keyword
+ - name: linterface
+ type: keyword
+ - name: phost
+ type: keyword
+ - name: ad_computer_dst
+ type: keyword
+ description: Deprecated, use host.dst
+ - name: eth_type
+ type: long
+ description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
+ Only
+ - name: ip_proto
+ type: long
+ description: This key should be used to capture the Protocol number, all the
+ protocol nubers are converted into string in UI
+ - name: dns_cname_record
+ type: keyword
+ - name: dns_id
+ type: keyword
+ - name: dns_opcode
+ type: keyword
+ - name: dns_resp
+ type: keyword
+ - name: dns_type
+ type: keyword
+ - name: domain1
+ type: keyword
+ - name: host_type
+ type: keyword
+ - name: packet_length
+ type: keyword
+ - name: host_orig
+ type: keyword
+ description: This is used to capture the original hostname in case of a Forwarding
+ Agent or a Proxy in between.
+ - name: rpayload
+ type: keyword
+ description: This key is used to capture the total number of payload bytes seen
+ in the retransmitted packets.
+ - name: vlan_name
+ type: keyword
+ description: This key should only be used to capture the name of the Virtual
+ LAN
+ - name: investigations
+ type: group
+ fields:
+ - name: ec_activity
+ type: keyword
+ description: This key captures the particular event activity(Ex:Logoff)
+ - name: ec_theme
+ type: keyword
+ description: This key captures the Theme of a particular Event(Ex:Authentication)
+ - name: ec_subject
+ type: keyword
+ description: This key captures the Subject of a particular Event(Ex:User)
+ - name: ec_outcome
+ type: keyword
+ description: This key captures the outcome of a particular Event(Ex:Success)
+ - name: event_cat
+ type: long
+ description: This key captures the Event category number
+ - name: event_cat_name
+ type: keyword
+ description: This key captures the event category name corresponding to the
+ event cat code
+ - name: event_vcat
+ type: keyword
+ description: This is a vendor supplied category. This should be used in situations
+ where the vendor has adopted their own event_category taxonomy.
+ - name: analysis_file
+ type: keyword
+ description: This is used to capture all indicators used in a File Analysis.
+ This key should be used to capture an analysis of a file
+ - name: analysis_service
+ type: keyword
+ description: This is used to capture all indicators used in a Service Analysis.
+ This key should be used to capture an analysis of a service
+ - name: analysis_session
+ type: keyword
+ description: This is used to capture all indicators used for a Session Analysis.
+ This key should be used to capture an analysis of a session
+ - name: boc
+ type: keyword
+ description: This is used to capture behaviour of compromise
+ - name: eoc
+ type: keyword
+ description: This is used to capture Enablers of Compromise
+ - name: inv_category
+ type: keyword
+ description: This used to capture investigation category
+ - name: inv_context
+ type: keyword
+ description: This used to capture investigation context
+ - name: ioc
+ type: keyword
+ description: This is key capture indicator of compromise
+ - name: counters
+ type: group
+ fields:
+ - name: dclass_c1
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c1.str only
+ - name: dclass_c2
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c2.str only
+ - name: event_counter
+ type: long
+ description: This is used to capture the number of times an event repeated
+ - name: dclass_r1
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r1.str only
+ - name: dclass_c3
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c3.str only
+ - name: dclass_c1_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c1 only
+ - name: dclass_c2_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c2 only
+ - name: dclass_r1_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r1 only
+ - name: dclass_r2
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r2.str only
+ - name: dclass_c3_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c3 only
+ - name: dclass_r3
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r3.str only
+ - name: dclass_r2_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r2 only
+ - name: dclass_r3_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r3 only
+ - name: identity
+ type: group
+ fields:
+ - name: auth_method
+ type: keyword
+ description: This key is used to capture authentication methods used only
+ - name: user_role
+ type: keyword
+ description: This key is used to capture the Role of a user only
+ - name: dn
+ type: keyword
+ description: X.500 (LDAP) Distinguished Name
+ - name: logon_type
+ type: keyword
+ description: This key is used to capture the type of logon method used.
+ - name: profile
+ type: keyword
+ description: This key is used to capture the user profile
+ - name: accesses
+ type: keyword
+ description: This key is used to capture actual privileges used in accessing
+ an object
+ - name: realm
+ type: keyword
+ description: Radius realm or similar grouping of accounts
+ - name: user_sid_dst
+ type: keyword
+ description: This key captures Destination User Session ID
+ - name: dn_src
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that is used in a context that
+ indicates a Source dn
+ - name: org
+ type: keyword
+ description: This key captures the User organization
+ - name: dn_dst
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that used in a context that
+ indicates a Destination dn
+ - name: firstname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: lastname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: user_dept
+ type: keyword
+ description: User's Department Names only
+ - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/packages/cylance/0.1.0/dataset/protect/manifest.yml b/packages/cylance/0.1.0/dataset/protect/manifest.yml new file mode 100644 index 0000000000..e5c696f32f --- /dev/null +++ b/packages/cylance/0.1.0/dataset/protect/manifest.yml 
@@ -0,0 +1,155 @@
+title: CylanceProtect logs
+release: experimental
+type: logs
+streams:
+- input: udp
+ title: CylanceProtect logs
+ description: Collect CylanceProtect logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cylance-protect
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9508
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: tcp
+ title: CylanceProtect logs
+ description: Collect CylanceProtect logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cylance-protect
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9508
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: file
+ title: CylanceProtect logs
+ description: Collect CylanceProtect logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/cylance-protect.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cylance-protect
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
diff --git a/packages/cylance/0.1.0/docs/README.md b/packages/cylance/0.1.0/docs/README.md
new file mode 100644
index 0000000000..261b05f3a0
--- /dev/null
+++ b/packages/cylance/0.1.0/docs/README.md
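Review bot: The `file` stream at the end of this manifest declares no `template_path`, while the `udp` and `tcp` streams above it name `udp.yml.hbs` and `tcp.yml.hbs`; unless the package format falls back to a default template name (the bluecoat dataset in this same change ships a `stream.yml.hbs`, which suggests it may), the file input has nothing to render, so either add `template_path: stream.yml.hbs` or note the default in a comment. The `tcp` stream surfaces only `tcp_host` and `tcp_port`, so any operator who changes `tcp_host` away from the `localhost` default receives syslog over cleartext TCP with no way to turn on the input's transport encryption from this manifest; consider exposing a variable wired to the input's TLS settings, or a comment stating that forwarders are expected to be local. The six parser variables (`tags`, `tz_offset`, `rsa_fields`, `keep_raw_fields`, `debug`) are repeated verbatim across all three streams, which is a maintenance hazard if a default later changes in one place only; a short comment above `streams:` noting that the blocks must be kept in sync would help until the format supports sharing them.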
@@ -0,0 +1,780 @@ +# Cylance integration + +This integration is for Cylance device's logs. It includes the following +datasets for receiving logs over syslog or read from a file: +- `protect` dataset: supports CylanceProtect logs. + +### Protect + +The `protect` dataset collects CylanceProtect logs. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| dataset.name | Dataset name. | constant_keyword | +| dataset.namespace | Dataset namespace. | constant_keyword | +| dataset.type | Dataset type. | constant_keyword | +| datastream.dataset | Datastream dataset. | constant_keyword | +| datastream.namespace | Datastream namespace. | constant_keyword | +| datastream.type | Datastream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | Destination domain. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location.lat | | double | +| destination.geo.location.lon | | double | +| destination.ip | IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses. | ip | +| destination.mac | MAC address of the destination. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. 
| keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| http.request.method | HTTP request method. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.body.content | The full HTTP response body. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. 
| keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | +| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.pid | Process id. | long | +| process.ppid | Parent process' pid. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. 
| keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is 
used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| rsa.crypto.ike | IKE negotiation phase. 
| keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | +| rsa.file.directory_dst | This key is used to capture the directory of the target process or file | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | +| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.event_desc | | keyword | +| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | +| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | +| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.inode | Deprecated key defined only in table map. | long | +| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | +| rsa.internal.level | Deprecated key defined only in table map. | long | +| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | +| rsa.internal.message | This key captures the contents of instant messages | keyword | +| rsa.internal.messageid | | keyword | +| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | +| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.site | Deprecated key defined only in table map. | keyword | +| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.statement | Deprecated key defined only in table map. | keyword | +| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | +| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | +| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | +| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | +| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | +| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | +| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | +| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | +| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | +| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | +| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | +| rsa.investigations.event_cat | This key captures the Event category number | long | +| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | +| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | +| rsa.investigations.inv_category | This used to capture investigation category | keyword | +| rsa.investigations.inv_context | This used to capture investigation context | keyword | +| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | +| rsa.misc.OS | This key captures the Name of the Operating System | keyword | +| rsa.misc.acl_id | | keyword | +| rsa.misc.acl_op | | keyword | +| rsa.misc.acl_pos | | keyword | +| rsa.misc.acl_table | | keyword | +| rsa.misc.action | | keyword | +| rsa.misc.admin | | keyword | +| rsa.misc.agent_id | This key is used to capture agent id | keyword | +| rsa.misc.alarm_id | | keyword | +| rsa.misc.alarmname | | keyword | +| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.app_id | | keyword | +| rsa.misc.audit | | keyword | +| rsa.misc.audit_object | | keyword | +| rsa.misc.auditdata | | keyword | +| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | +| rsa.misc.benchmark | | keyword | +| rsa.misc.bypass | | keyword | +| rsa.misc.cache | | keyword | +| rsa.misc.cache_hit | | keyword | +| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | +| rsa.misc.cc_number | Valid Credit Card Numbers only | long | +| rsa.misc.cefversion | | keyword | +| rsa.misc.cfg_attr | | keyword | +| rsa.misc.cfg_obj | | keyword | +| rsa.misc.cfg_path | | keyword | +| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | +| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | +| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | +| rsa.misc.changes | | keyword | +| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | +| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | +| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | +| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | +| rsa.misc.client_ip | | keyword | +| rsa.misc.clustermembers | | keyword | +| rsa.misc.cmd | | keyword | +| rsa.misc.cn_acttimeout | | keyword | +| rsa.misc.cn_asn_src | | keyword | +| rsa.misc.cn_bgpv4nxthop | | keyword | +| rsa.misc.cn_ctr_dst_code | | keyword | +| rsa.misc.cn_dst_tos | | keyword | +| rsa.misc.cn_dst_vlan | | keyword | +| rsa.misc.cn_engine_id | | keyword | +| rsa.misc.cn_engine_type | | keyword | +| rsa.misc.cn_f_switch | | keyword | +| rsa.misc.cn_flowsampid | | keyword | +| rsa.misc.cn_flowsampintv | | keyword | +| rsa.misc.cn_flowsampmode | | keyword | +| rsa.misc.cn_inacttimeout | | keyword | +| rsa.misc.cn_inpermbyts | | keyword | +| rsa.misc.cn_inpermpckts | | keyword | +| rsa.misc.cn_invalid | | keyword | +| rsa.misc.cn_ip_proto_ver | | keyword | +| rsa.misc.cn_ipv4_ident | | keyword | +| rsa.misc.cn_l_switch | | keyword | +| rsa.misc.cn_log_did | | keyword | +| rsa.misc.cn_log_rid | | keyword | +| rsa.misc.cn_max_ttl | | keyword | +| rsa.misc.cn_maxpcktlen | | keyword | +| rsa.misc.cn_min_ttl | | keyword | +| rsa.misc.cn_minpcktlen | | keyword | +| rsa.misc.cn_mpls_lbl_1 | | keyword | +| rsa.misc.cn_mpls_lbl_10 | | keyword | +| rsa.misc.cn_mpls_lbl_2 | | keyword | +| rsa.misc.cn_mpls_lbl_3 | | keyword | +| rsa.misc.cn_mpls_lbl_4 | | keyword | +| rsa.misc.cn_mpls_lbl_5 | 
| keyword | +| rsa.misc.cn_mpls_lbl_6 | | keyword | +| rsa.misc.cn_mpls_lbl_7 | | keyword | +| rsa.misc.cn_mpls_lbl_8 | | keyword | +| rsa.misc.cn_mpls_lbl_9 | | keyword | +| rsa.misc.cn_mplstoplabel | | keyword | +| rsa.misc.cn_mplstoplabip | | keyword | +| rsa.misc.cn_mul_dst_byt | | keyword | +| rsa.misc.cn_mul_dst_pks | | keyword | +| rsa.misc.cn_muligmptype | | keyword | +| rsa.misc.cn_sampalgo | | keyword | +| rsa.misc.cn_sampint | | keyword | +| rsa.misc.cn_seqctr | | keyword | +| rsa.misc.cn_spackets | | keyword | +| rsa.misc.cn_src_tos | | keyword | +| rsa.misc.cn_src_vlan | | keyword | +| rsa.misc.cn_sysuptime | | keyword | +| rsa.misc.cn_template_id | | keyword | +| rsa.misc.cn_totbytsexp | | keyword | +| rsa.misc.cn_totflowexp | | keyword | +| rsa.misc.cn_totpcktsexp | | keyword | +| rsa.misc.cn_unixnanosecs | | keyword | +| rsa.misc.cn_v6flowlabel | | keyword | +| rsa.misc.cn_v6optheaders | | keyword | +| rsa.misc.code | | keyword | +| rsa.misc.command | | keyword | +| rsa.misc.comments | Comment information provided in the log message | keyword | +| rsa.misc.comp_class | | keyword | +| rsa.misc.comp_name | | keyword | +| rsa.misc.comp_rbytes | | keyword | +| rsa.misc.comp_sbytes | | keyword | +| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | +| rsa.misc.connection_id | This key captures the Connection ID | keyword | +| rsa.misc.content | This key captures the content type from protocol headers | keyword | +| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | +| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | +| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | +| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | +| rsa.misc.context_target | | keyword | +| rsa.misc.count | | keyword | +| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | +| rsa.misc.cpu_data | | keyword | +| rsa.misc.criticality | | keyword | +| rsa.misc.cs_agency_dst | | keyword | +| rsa.misc.cs_analyzedby | | keyword | +| rsa.misc.cs_av_other | | keyword | +| rsa.misc.cs_av_primary | | keyword | +| rsa.misc.cs_av_secondary | | keyword | +| rsa.misc.cs_bgpv6nxthop | | keyword | +| rsa.misc.cs_bit9status | | keyword | +| rsa.misc.cs_context | | keyword | +| rsa.misc.cs_control | | keyword | +| rsa.misc.cs_data | | keyword | +| rsa.misc.cs_datecret | | keyword | +| rsa.misc.cs_dst_tld | | keyword | +| rsa.misc.cs_eth_dst_ven | | keyword | +| rsa.misc.cs_eth_src_ven | | keyword | +| rsa.misc.cs_event_uuid | | keyword | +| rsa.misc.cs_filetype | | keyword | +| rsa.misc.cs_fld | | keyword | +| rsa.misc.cs_if_desc | | keyword | +| rsa.misc.cs_if_name | | keyword | +| rsa.misc.cs_ip_next_hop | | keyword | +| rsa.misc.cs_ipv4dstpre | | keyword | +| rsa.misc.cs_ipv4srcpre | | keyword | +| rsa.misc.cs_lifetime | | keyword | +| rsa.misc.cs_log_medium | | keyword | +| rsa.misc.cs_loginname | | keyword | +| rsa.misc.cs_modulescore | | keyword | +| rsa.misc.cs_modulesign | | keyword | +| rsa.misc.cs_opswatresult | | keyword | +| rsa.misc.cs_payload | | keyword | +| rsa.misc.cs_registrant | | keyword | +| rsa.misc.cs_registrar | | keyword | +| rsa.misc.cs_represult | | keyword | +| rsa.misc.cs_rpayload | | keyword | +| rsa.misc.cs_sampler_name | | keyword | +| rsa.misc.cs_sourcemodule | | keyword | +| rsa.misc.cs_streams | | keyword | +| rsa.misc.cs_targetmodule | | keyword | +| rsa.misc.cs_v6nxthop | | keyword | +| rsa.misc.cs_whois_server | | keyword | +| rsa.misc.cs_yararesult | | keyword | +| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | +| rsa.misc.data_type | | keyword | +| rsa.misc.description | | keyword | +| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | +| rsa.misc.devvendor | | keyword | +| rsa.misc.disposition | This key captures the The end state of an action. | keyword | +| rsa.misc.distance | | keyword | +| rsa.misc.doc_number | This key captures File Identification number | long | +| rsa.misc.dstburb | | keyword | +| rsa.misc.edomain | | keyword | +| rsa.misc.edomaub | | keyword | +| rsa.misc.ein_number | Employee Identification Numbers only | long | +| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | +| rsa.misc.euid | | keyword | +| rsa.misc.event_category | | keyword | +| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | +| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | +| rsa.misc.event_id | | keyword | +| rsa.misc.event_log | This key captures the Name of the event log | keyword | +| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | +| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | +| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | +| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | +| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword |
+| rsa.misc.facility | | keyword |
+| rsa.misc.facilityname | | keyword |
+| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword |
+| rsa.misc.filter | This key captures Filter used to reduce result set | keyword |
+| rsa.misc.finterface | | keyword |
+| rsa.misc.flags | | keyword |
+| rsa.misc.forensic_info | | keyword |
+| rsa.misc.found | This is used to capture the results of regex match | keyword |
+| rsa.misc.fresult | This key captures the Filter Result | long |
+| rsa.misc.gaddr | | keyword |
+| rsa.misc.group | This key captures the Group Name value | keyword |
+| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword |
+| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword |
+| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword |
+| rsa.misc.id3 | | keyword |
+| rsa.misc.im_buddyid | | keyword |
+| rsa.misc.im_buddyname | | keyword |
+| rsa.misc.im_client | | keyword |
+| rsa.misc.im_croomid | | keyword |
+| rsa.misc.im_croomtype | | keyword |
+| rsa.misc.im_members | | keyword |
+| rsa.misc.im_userid | | keyword |
+| rsa.misc.im_username | | keyword |
+| rsa.misc.index | | keyword |
+| rsa.misc.inout | | keyword |
+| rsa.misc.ipkt | | keyword |
+| rsa.misc.ipscat | | keyword |
+| rsa.misc.ipspri | | keyword |
+| rsa.misc.job_num | This key captures the Job Number | keyword |
+| rsa.misc.jobname | | keyword |
+| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword |
+| rsa.misc.latitude | | keyword |
+| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword |
+| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long |
+| rsa.misc.linenum | | keyword |
+| rsa.misc.link | This key is used to link the sessions together.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.misc.list_name | | keyword |
+| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword |
+| rsa.misc.load_data | | keyword |
+| rsa.misc.location_floor | | keyword |
+| rsa.misc.location_mark | | keyword |
+| rsa.misc.log_id | | keyword |
+| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword |
+| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword |
+| rsa.misc.log_type | | keyword |
+| rsa.misc.logid | | keyword |
+| rsa.misc.logip | | keyword |
+| rsa.misc.logname | | keyword |
+| rsa.misc.longitude | | keyword |
+| rsa.misc.lport | | keyword |
+| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword |
+| rsa.misc.match | This key is for regex match name from search.ini | keyword |
+| rsa.misc.mbug_data | | keyword |
+| rsa.misc.message_body | This key captures the The contents of the message body. | keyword |
+| rsa.misc.misc | | keyword |
+| rsa.misc.misc_name | | keyword |
+| rsa.misc.mode | | keyword |
+| rsa.misc.msgIdPart1 | | keyword |
+| rsa.misc.msgIdPart2 | | keyword |
+| rsa.misc.msgIdPart3 | | keyword |
+| rsa.misc.msgIdPart4 | | keyword |
+| rsa.misc.msg_type | | keyword |
+| rsa.misc.msgid | | keyword |
+| rsa.misc.name | | keyword |
+| rsa.misc.netsessid | | keyword |
+| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name.
| keyword |
+| rsa.misc.ntype | | keyword |
+| rsa.misc.num | | keyword |
+| rsa.misc.number | | keyword |
+| rsa.misc.number1 | | keyword |
+| rsa.misc.number2 | | keyword |
+| rsa.misc.nwwn | | keyword |
+| rsa.misc.obj_name | This is used to capture name of object | keyword |
+| rsa.misc.obj_type | This is used to capture type of object | keyword |
+| rsa.misc.object | | keyword |
+| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword |
+| rsa.misc.operation | | keyword |
+| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword |
+| rsa.misc.opkt | | keyword |
+| rsa.misc.orig_from | | keyword |
+| rsa.misc.owner_id | | keyword |
+| rsa.misc.p_action | | keyword |
+| rsa.misc.p_filter | | keyword |
+| rsa.misc.p_group_object | | keyword |
+| rsa.misc.p_id | | keyword |
+| rsa.misc.p_msgid | | keyword |
+| rsa.misc.p_msgid1 | | keyword |
+| rsa.misc.p_msgid2 | | keyword |
+| rsa.misc.p_result1 | | keyword |
+| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword |
+| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword |
+| rsa.misc.param_src | This key captures source parameter | keyword |
+| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable.
| keyword |
+| rsa.misc.password_chg | | keyword |
+| rsa.misc.password_expire | | keyword |
+| rsa.misc.payload_dst | This key is used to capture destination payload | keyword |
+| rsa.misc.payload_src | This key is used to capture source payload | keyword |
+| rsa.misc.permgranted | | keyword |
+| rsa.misc.permwanted | | keyword |
+| rsa.misc.pgid | | keyword |
+| rsa.misc.phone | | keyword |
+| rsa.misc.pid | | keyword |
+| rsa.misc.policy | | keyword |
+| rsa.misc.policyUUID | | keyword |
+| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword |
+| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword |
+| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword |
+| rsa.misc.policy_waiver | | keyword |
+| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword |
+| rsa.misc.pool_name | This key captures the name of a resource pool | keyword |
+| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword |
+| rsa.misc.priority | | keyword |
+| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword |
+| rsa.misc.prog_asp_num | | keyword |
+| rsa.misc.program | | keyword |
+| rsa.misc.real_data | | keyword |
+| rsa.misc.reason | | keyword |
+| rsa.misc.rec_asp_device | | keyword |
+| rsa.misc.rec_asp_num | | keyword |
+| rsa.misc.rec_library | | keyword |
+| rsa.misc.recordnum | | keyword |
+| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword |
+| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword |
+| rsa.misc.reference_id2 | This key is for the 2nd Linked ID.
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword |
+| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword |
+| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword |
+| rsa.misc.risk | This key captures the non-numeric risk value | keyword |
+| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword |
+| rsa.misc.risk_num | This key captures a Numeric Risk value | double |
+| rsa.misc.risk_num_comm | This key captures Risk Number Community | double |
+| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double |
+| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double |
+| rsa.misc.risk_num_static | This key captures Risk Number Static | double |
+| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword |
+| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword |
+| rsa.misc.ruid | | keyword |
+| rsa.misc.rule | This key captures the Rule number | keyword |
+| rsa.misc.rule_group | This key captures the Rule group name | keyword |
+| rsa.misc.rule_name | This key captures the Rule Name | keyword |
+| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword |
+| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword |
+| rsa.misc.sburb | | keyword |
+| rsa.misc.sdomain_fld | | keyword |
+| rsa.misc.search_text | This key captures the Search Text used | keyword |
+| rsa.misc.sec | | keyword |
+| rsa.misc.second | | keyword |
+| rsa.misc.sensor | This key captures Name of the sensor.
Typically used in IDS/IPS based devices | keyword |
+| rsa.misc.sensorname | | keyword |
+| rsa.misc.seqnum | | keyword |
+| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword |
+| rsa.misc.session | | keyword |
+| rsa.misc.sessiontype | | keyword |
+| rsa.misc.severity | This key is used to capture the severity given the session | keyword |
+| rsa.misc.sigUUID | | keyword |
+| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long |
+| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long |
+| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword |
+| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword |
+| rsa.misc.sigcat | | keyword |
+| rsa.misc.snmp_oid | SNMP Object Identifier | keyword |
+| rsa.misc.snmp_value | SNMP set request value | keyword |
+| rsa.misc.space | | keyword |
+| rsa.misc.space1 | | keyword |
+| rsa.misc.spi | | keyword |
+| rsa.misc.spi_dst | Destination SPI Index | keyword |
+| rsa.misc.spi_src | Source SPI Index | keyword |
+| rsa.misc.sql | This key captures the SQL query | keyword |
+| rsa.misc.srcburb | | keyword |
+| rsa.misc.srcdom | | keyword |
+| rsa.misc.srcservice | | keyword |
+| rsa.misc.state | | keyword |
+| rsa.misc.status | | keyword |
+| rsa.misc.status1 | | keyword |
+| rsa.misc.streams | This key captures number of streams in session | long |
+| rsa.misc.subcategory | | keyword |
+| rsa.misc.svcno | | keyword |
+| rsa.misc.system | | keyword |
+| rsa.misc.tbdstr1 | | keyword |
+| rsa.misc.tbdstr2 | | keyword |
+| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long |
+| rsa.misc.terminal | This key captures the Terminal Names only | keyword |
+| rsa.misc.tgtdom | | keyword |
+| rsa.misc.tgtdomain | | keyword |
+| rsa.misc.threshold | | keyword |
+| rsa.misc.tos | This key describes the type of service | long
|
+| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword |
+| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword |
+| rsa.misc.type | | keyword |
+| rsa.misc.type1 | | keyword |
+| rsa.misc.udb_class | | keyword |
+| rsa.misc.url_fld | | keyword |
+| rsa.misc.user_div | | keyword |
+| rsa.misc.userid | | keyword |
+| rsa.misc.username_fld | | keyword |
+| rsa.misc.utcstamp | | keyword |
+| rsa.misc.v_instafname | | keyword |
+| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword |
+| rsa.misc.virt_data | | keyword |
+| rsa.misc.virusname | This key captures the name of the virus | keyword |
+| rsa.misc.vm_target | VMWare Target **VMWARE** only varaible. | keyword |
+| rsa.misc.vpnid | | keyword |
+| rsa.misc.vsys | This key captures Virtual System Name | keyword |
+| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword |
+| rsa.misc.workspace | This key captures Workspace Description | keyword |
+| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword |
+| rsa.network.addr | | keyword |
+| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.
| keyword |
+| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword |
+| rsa.network.dmask | This key is used for Destionation Device network mask | keyword |
+| rsa.network.dns_a_record | | keyword |
+| rsa.network.dns_cname_record | | keyword |
+| rsa.network.dns_id | | keyword |
+| rsa.network.dns_opcode | | keyword |
+| rsa.network.dns_ptr_record | | keyword |
+| rsa.network.dns_resp | | keyword |
+| rsa.network.dns_type | | keyword |
+| rsa.network.domain | | keyword |
+| rsa.network.domain1 | | keyword |
+| rsa.network.eth_host | Deprecated, use alias.mac | keyword |
+| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long |
+| rsa.network.faddr | | keyword |
+| rsa.network.fhost | | keyword |
+| rsa.network.fport | | keyword |
+| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword |
+| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword |
+| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword |
+| rsa.network.host_type | | keyword |
+| rsa.network.icmp_code | This key is used to capture the ICMP code only | long |
+| rsa.network.icmp_type | This key is used to capture the ICMP type only | long |
+| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword |
+| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long |
+| rsa.network.laddr | | keyword |
+| rsa.network.lhost | | keyword |
+| rsa.network.linterface | | keyword |
+| rsa.network.mask | This key is used to capture the device network IPmask. | keyword |
+| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user.
| keyword |
+| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long |
+| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword |
+| rsa.network.origin | | keyword |
+| rsa.network.packet_length | | keyword |
+| rsa.network.paddr | Deprecated | ip |
+| rsa.network.phost | | keyword |
+| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long |
+| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword |
+| rsa.network.remote_domain_id | | keyword |
+| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword |
+| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword |
+| rsa.network.smask | This key is used for capturing source Network Mask | keyword |
+| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long |
+| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword |
+| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword |
+| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword |
+| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword |
+| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword |
+| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database.
| keyword |
+| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword |
+| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword |
+| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword |
+| rsa.threat.alert | This key is used to capture name of the alert | keyword |
+| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword |
+| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword |
+| rsa.threat.threat_source | This key is used to capture source of the threat | keyword |
+| rsa.time.date | | keyword |
+| rsa.time.datetime | | keyword |
+| rsa.time.day | | keyword |
+| rsa.time.duration_str | A text string version of the duration | keyword |
+| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double |
+| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date |
+| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date |
+| rsa.time.event_queue_time | This key is the Time that the event was queued. | date |
+| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date |
+| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword |
+| rsa.time.eventtime | | keyword |
+| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date |
+| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration.
| keyword |
+| rsa.time.gmtdate | | keyword |
+| rsa.time.gmttime | | keyword |
+| rsa.time.hour | | keyword |
+| rsa.time.min | | keyword |
+| rsa.time.month | | keyword |
+| rsa.time.p_date | | keyword |
+| rsa.time.p_month | | keyword |
+| rsa.time.p_time | | keyword |
+| rsa.time.p_time1 | | keyword |
+| rsa.time.p_time2 | | keyword |
+| rsa.time.p_year | | keyword |
+| rsa.time.process_time | Deprecated, use duration.time | keyword |
+| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date |
+| rsa.time.stamp | Deprecated key defined only in table map. | date |
+| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date |
+| rsa.time.timestamp | | keyword |
+| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword |
+| rsa.time.tzone | | keyword |
+| rsa.time.year | | keyword |
+| rsa.web.alias_host | | keyword |
+| rsa.web.cn_asn_dst | | keyword |
+| rsa.web.cn_rpackets | | keyword |
+| rsa.web.fqdn | Fully Qualified Domain Names | keyword |
+| rsa.web.p_url | | keyword |
+| rsa.web.p_user_agent | | keyword |
+| rsa.web.p_web_cookie | | keyword |
+| rsa.web.p_web_method | | keyword |
+| rsa.web.p_web_referer | | keyword |
+| rsa.web.remote_domain | | keyword |
+| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double |
+| rsa.web.urlpage | | keyword |
+| rsa.web.urlroot | | keyword |
+| rsa.web.web_cookie | This key is used to capture the Web cookies specifically.
| keyword |
+| rsa.web.web_extension_tmp | | keyword |
+| rsa.web.web_page | | keyword |
+| rsa.web.web_ref_domain | Web referer's domain | keyword |
+| rsa.web.web_ref_page | This key captures Web referer's page information | keyword |
+| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword |
+| rsa.web.web_ref_root | Web referer's root URL path | keyword |
+| rsa.wireless.access_point | This key is used to capture the access point name. | keyword |
+| rsa.wireless.wlan_channel | This is used to capture the channel names | long |
+| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword |
+| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword |
+| rule.name | The name of the rule or signature generating the event. | keyword |
+| server.domain | Server domain. | keyword |
+| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.domain | Source domain. | keyword |
+| source.geo.city_name | City name. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location.lat | | double |
+| source.geo.location.lon | | double |
+| source.ip | IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.
| ip |
+| source.mac | MAC address of the source. | keyword |
+| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
+| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
+| source.port | Port of the source. | long |
+| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | keyword |
+| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword |
+| url.path | Path of the request, such as "/search". | keyword |
+| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
+| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com".
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.id | Unique identifiers of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | diff --git a/packages/cylance/0.1.0/img/logo.svg b/packages/cylance/0.1.0/img/logo.svg new file mode 100644 index 0000000000..ccd6004d19 --- /dev/null +++ b/packages/cylance/0.1.0/img/logo.svg @@ -0,0 +1,82 @@ + + + + +Cylance_BB_Logo_RGB_Vert_Black + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/packages/cylance/0.1.0/manifest.yml b/packages/cylance/0.1.0/manifest.yml new file mode 100644 index 0000000000..0fa72760ef --- /dev/null +++ b/packages/cylance/0.1.0/manifest.yml 
@@ -0,0 +1,36 @@
+format_version: 1.0.0
+name: cylance
+title: CylanceProtect
+version: 0.1.0
+description: CylanceProtect Integration
+categories: ["security"]
+release: experimental
+removable: true
+license: basic
+type: integration
+conditions:
+ kibana:
+ version: '>=7.9.0'
+ elasticsearch:
+ version: '>=7.9.0'
+config_templates:
+- name: protect
+ title: CylanceProtect
+ description: Collect CylanceProtect logs from syslog or a file.
+ inputs:
+ - type: udp
+ title: Collect logs from CylanceProtect via UDP
+ description: Collecting syslog from CylanceProtect via UDP
+ - type: tcp
+ title: Collect logs from CylanceProtect via TCP
+ description: Collecting syslog from CylanceProtect via TCP
+ - type: file
+ title: Collect logs from CylanceProtect via file
+ description: Collecting syslog from CylanceProtect via file.
+# No icon
+icons:
+ - src: /img/logo.svg
+ title: CylanceProtect logo
+ size: 32x32
+ type: image/svg+xml
+
diff --git a/packages/f5/0.1.0/dataset/bigipapm/agent/stream/stream.yml.hbs b/packages/f5/0.1.0/dataset/bigipapm/agent/stream/stream.yml.hbs
new file mode 100644
index 0000000000..ba8d07fb16
--- /dev/null
+++ b/packages/f5/0.1.0/dataset/bigipapm/agent/stream/stream.yml.hbs
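Review bot: The comment `# No icon` sits directly above an `icons:` list that registers `/img/logo.svg`, which this same commit adds, so the comment is already stale on the day it lands; drop it or replace it with something that matches the block, e.g. `# Package icon, shipped in img/logo.svg`. The three input descriptions are inconsistent in punctuation (`via UDP` and `via TCP` have no trailing period, `via file.` does) and the UDP/TCP titles could say plainly that these are plaintext syslog listeners with no peer authentication unless the input is configured with TLS — whether the tcp input template offers that is not visible from the manifest, so word it as a pointer to the input's own options rather than a promise. The trailing empty `+` line at the end of the file is harmless but can go.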
@@ -0,0 +1,3452 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "F5" + product: "Big-IP" + type: "Access" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{p0}"); + + var dup5 = setc("eventcategory","1801000000"); + + var dup6 = setc("eventcategory","1801010000"); + + var dup7 = setc("eventcategory","1502000000"); + + var dup8 = setc("eventcategory","1805010000"); + + var dup9 = setc("eventcategory","1803000000"); + + var dup10 = setc("eventcategory","1803030000"); + + var dup11 = setc("disposition"," Successful"); + + var dup12 = setc("dclass_counter1_string"," Logon Attempt"); + + var dup13 = setc("eventcategory","1204000000"); + + var dup14 = date_time({ + dest: "event_time", + args: ["fld20"], + fmts: [ + [dD,dc("/"),dB,dc("/"),dW,dc(":"),dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup15 = setc("eventcategory","1605000000"); + + var dup16 = setc("eventcategory","1612000000"); + + var dup17 = date_time({ + dest: "event_time", + args: ["fld1","fld2","fld3"], + fmts: [ + [dB,dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup18 = match("MESSAGE#0:01490502", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + dup1, + dup2, + ])); + + var dup19 = match("MESSAGE#58:crond:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ + dup15, + dup2, + ])); + + var dup20 = match("MESSAGE#67:014d0001:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{info}", processor_chain([ + dup5, + dup2, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}[%{hfld4}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + 
args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant("["), + field("hfld4"), + constant("]: "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(": "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}: [%{messageid}]%{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(": ["), + field("messageid"), + constant("]"), + field("payload"), + ], + }), + ])); + + var hdr4 = match("HEADER#3:0004", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]:%{payload}", processor_chain([ + setc("header_id","0004"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("messageid"), + constant("["), + field("hfld3"), + constant("]:"), + field("payload"), + ], + }), + ])); + + var hdr5 = match("HEADER#4:0005", 
"message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{messageid}:%{payload}", processor_chain([ + setc("header_id","0005"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("messageid"), + constant(":"), + field("payload"), + ], + }), + ])); + + var hdr6 = match("HEADER#5:0006", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}[%{hfld4}]: %{messageid->} /%{payload}", processor_chain([ + setc("header_id","0006"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant("["), + field("hfld4"), + constant("]: "), + field("messageid"), + constant(" /"), + field("payload"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + ]); + + var msg1 = msg("01490502", dup18); + + var part1 = match("MESSAGE#1:01490521", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Session statistics - bytes in:%{rbytes}, bytes out: %{sbytes}", processor_chain([ + dup3, + dup2, + ])); + + var msg2 = msg("01490521", part1); + + var part2 = match("MESSAGE#2:01490506", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Received User-Agent header: %{user_agent}", processor_chain([ + dup3, + dup2, + ])); + + var msg3 = msg("01490506", part2); + + var part3 = match("MESSAGE#3:01490113:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.network.name is 
%{fqdn}", processor_chain([ + dup3, + dup2, + ])); + + var msg4 = msg("01490113:01", part3); + + var part4 = match("MESSAGE#4:01490113:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.network.port is %{network_port}", processor_chain([ + dup3, + dup2, + ])); + + var msg5 = msg("01490113:02", part4); + + var part5 = match("MESSAGE#5:01490113:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.listener.name is %{service}", processor_chain([ + dup3, + dup2, + ])); + + var msg6 = msg("01490113:03", part5); + + var part6 = match("MESSAGE#6:01490113:04", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.network.protocol is %{network_service}", processor_chain([ + dup3, + dup2, + ])); + + var msg7 = msg("01490113:04", part6); + + var part7 = match("MESSAGE#7:01490113:05", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.user.agent is %{info}", processor_chain([ + dup3, + dup2, + ])); + + var msg8 = msg("01490113:05", part7); + + var part8 = match("MESSAGE#8:01490113:06", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.user.clientip is %{saddr}", processor_chain([ + dup3, + dup2, + ])); + + var msg9 = msg("01490113:06", part8); + + var part9 = match("MESSAGE#9:01490113", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.%{info}", processor_chain([ + dup3, + dup2, + ])); + + var msg10 = msg("01490113", part9); + + var select2 = linear_select([ + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + ]); + + var part10 = 
match("MESSAGE#10:01490010/1_0", "nwparser.p0", "%{fld10}:%{fld11}:%{sessionid}: Username '%{p0}"); + + var part11 = match("MESSAGE#10:01490010/1_1", "nwparser.p0", "%{sessionid}: Username '%{p0}"); + + var select3 = linear_select([ + part10, + part11, + ]); + + var part12 = match("MESSAGE#10:01490010/2", "nwparser.p0", "%{username}'"); + + var all1 = all_match({ + processors: [ + dup4, + select3, + part12, + ], + on_success: processor_chain([ + setc("eventcategory","1401000000"), + dup2, + ]), + }); + + var msg11 = msg("01490010", all1); + + var part13 = match("MESSAGE#11:01490009", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: ACL '%{policyname}' assigned", processor_chain([ + setc("eventcategory","1501020000"), + dup2, + ])); + + var msg12 = msg("01490009", part13); + + var part14 = match("MESSAGE#12:01490102", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Access policy result: %{result}", processor_chain([ + setc("eventcategory","1501000000"), + dup2, + ])); + + var msg13 = msg("01490102", part14); + + var part15 = match("MESSAGE#13:01490000:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{authmethod->} authentication for user %{username->} using config %{fld8}", processor_chain([ + dup5, + dup2, + ])); + + var msg14 = msg("01490000:02", part15); + + var part16 = match("MESSAGE#14:01490000:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: found HTTP %{resultcode->} in response header", processor_chain([ + dup6, + dup2, + ])); + + var msg15 = msg("01490000:01", part16); + + var part17 = match("MESSAGE#15:01490000", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: 
%{filename->} func: \"%{action}\" line: %{fld8->} Msg: %{result}", processor_chain([ + dup5, + dup2, + ])); + + var msg16 = msg("01490000", part17); + + var part18 = match("MESSAGE#16:01490000:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{event_description}", processor_chain([ + dup5, + dup2, + ])); + + var msg17 = msg("01490000:03", part18); + + var select4 = linear_select([ + msg14, + msg15, + msg16, + msg17, + ]); + + var part19 = match("MESSAGE#17:01490004", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Executed agent '%{application}', return value %{resultcode}", processor_chain([ + dup5, + dup2, + ])); + + var msg18 = msg("01490004", part19); + + var part20 = match("MESSAGE#18:01490500/1_0", "nwparser.p0", "%{fld10}:%{fld11}:%{sessionid}: New session from client IP %{p0}"); + + var part21 = match("MESSAGE#18:01490500/1_1", "nwparser.p0", "%{sessionid}: New session from client IP %{p0}"); + + var select5 = linear_select([ + part20, + part21, + ]); + + var part22 = match("MESSAGE#18:01490500/2", "nwparser.p0", "%{saddr->} (ST=%{location_state}/CC=%{location_country}/C=%{location_city}) at VIP %{p0}"); + + var part23 = match("MESSAGE#18:01490500/3_0", "nwparser.p0", "%{daddr->} Listener %{fld8->} (Reputation=%{category})"); + + var part24 = match("MESSAGE#18:01490500/3_1", "nwparser.p0", "%{daddr->} Listener %{fld8}"); + + var part25 = match("MESSAGE#18:01490500/3_2", "nwparser.p0", "%{daddr}"); + + var select6 = linear_select([ + part23, + part24, + part25, + ]); + + var all2 = all_match({ + processors: [ + dup4, + select5, + part22, + select6, + ], + on_success: processor_chain([ + dup3, + dup2, + ]), + }); + + var msg19 = msg("01490500", all2); + + var part26 = match("MESSAGE#19:01490005", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: 
%{sessionid}: Following rule %{fld8->} from item %{fld9->} to ending %{fld10}", processor_chain([ + dup7, + dup2, + ])); + + var msg20 = msg("01490005", part26); + + var part27 = match("MESSAGE#20:01490006", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{fld8->} from item '%{fld9}' to item '%{fld10}'", processor_chain([ + dup7, + dup2, + ])); + + var msg21 = msg("01490006", part27); + + var part28 = match("MESSAGE#21:01490007", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Session variable '%{change_attribute}' set to %{change_new}", processor_chain([ + dup7, + dup2, + ])); + + var msg22 = msg("01490007", part28); + + var part29 = match("MESSAGE#22:01490008", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Connectivity resource %{application->} assigned", processor_chain([ + dup3, + dup2, + ])); + + var msg23 = msg("01490008", part29); + + var part30 = match("MESSAGE#23:01490514", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Access encountered error: %{result}. 
File: %(unknown), Function: %{action}, Line: %{fld9}", processor_chain([ + dup6, + dup2, + ])); + + var msg24 = msg("01490514", part30); + + var part31 = match("MESSAGE#24:01490505", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + dup5, + dup2, + ])); + + var msg25 = msg("01490505", part31); + + var msg26 = msg("01490501", dup18); + + var msg27 = msg("01490520", dup18); + + var part32 = match("MESSAGE#27:01490142", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + setc("eventcategory","1609000000"), + dup2, + ])); + + var msg28 = msg("01490142", part32); + + var part33 = match("MESSAGE#28:01490504", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{fqdn->} can not be resolved.", processor_chain([ + dup8, + dup2, + ])); + + var msg29 = msg("01490504", part33); + + var part34 = match("MESSAGE#29:01490538", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Configuration snapshot deleted by Access.", processor_chain([ + dup8, + dup2, + ])); + + var msg30 = msg("01490538", part34); + + var part35 = match("MESSAGE#30:01490107:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{fld8}' failed: Clients credentials have been revoked, principal name: %{username}@%{fqdn}. 
%{result->} %{fld9}", processor_chain([ + dup9, + dup2, + ])); + + var msg31 = msg("01490107:01", part35); + + var part36 = match("MESSAGE#31:01490107", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed in %{action}: %{result->} %{fld8}", processor_chain([ + dup9, + dup2, + ])); + + var msg32 = msg("01490107", part36); + + var part37 = match("MESSAGE#32:01490107:02/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed: %{p0}"); + + var part38 = match("MESSAGE#32:01490107:02/1_0", "nwparser.p0", "Client '%{fqdn}' not found in Kerberos database, principal name:%{fld10->} %{p0}"); + + var part39 = match("MESSAGE#32:01490107:02/1_1", "nwparser.p0", "%{result->} %{p0}"); + + var select7 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#32:01490107:02/2", "nwparser.p0", "%{info}"); + + var all3 = all_match({ + processors: [ + part37, + select7, + part40, + ], + on_success: processor_chain([ + dup9, + dup2, + ]), + }); + + var msg33 = msg("01490107:02", all3); + + var select8 = linear_select([ + msg31, + msg32, + msg33, + ]); + + var part41 = match("MESSAGE#33:01490106", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed in %{action}: Preauthentication failed, principal name: %{fld8}. 
%{result->} %{fld9}", processor_chain([ + dup9, + dup2, + ])); + + var msg34 = msg("01490106", part41); + + var part42 = match("MESSAGE#34:01490106:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed: Preauthentication failed, principal name: %{fld8}. %{result->} %{fld9}", processor_chain([ + dup9, + dup2, + ])); + + var msg35 = msg("01490106:01", part42); + + var select9 = linear_select([ + msg34, + msg35, + ]); + + var part43 = match("MESSAGE#35:01490128", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Webtop %{application->} assigned", processor_chain([ + dup5, + dup2, + ])); + + var msg36 = msg("01490128", part43); + + var part44 = match("MESSAGE#36:01490101", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Access profile: %{fld8->} configuration has been applied. 
Newly active generation count is: %{dclass_counter1}", processor_chain([ + dup10, + dup2, + setc("dclass_counter1_string","Newly active generation count"), + ])); + + var msg37 = msg("01490101", part44); + + var part45 = match("MESSAGE#37:01490103", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Retry Username '%{username}'", processor_chain([ + dup10, + dup2, + ])); + + var msg38 = msg("01490103", part45); + + var part46 = match("MESSAGE#38:01490115", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{rulename->} from item %{fld9->} to terminalout %{fld10}", processor_chain([ + dup7, + dup2, + ])); + + var msg39 = msg("01490115", part46); + + var part47 = match("MESSAGE#39:01490017", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Auth (logon attempt:%{dclass_counter1}): authenticate with '%{username}' successful", processor_chain([ + dup7, + dup2, + dup11, + dup12, + ])); + + var msg40 = msg("01490017", part47); + + var part48 = match("MESSAGE#41:01490017:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Auth (logon attempt:%{dclass_counter1}): authenticate with '%{username}' failed", processor_chain([ + dup7, + dup2, + setc("disposition"," Failed"), + dup12, + ])); + + var msg41 = msg("01490017:01", part48); + + var select10 = linear_select([ + msg40, + msg41, + ]); + + var part49 = match("MESSAGE#40:01490013", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Retrieving AAA server: %{fld8}", processor_chain([ + dup7, + dup2, + ])); + + var msg42 = msg("01490013", part49); + + var part50 = 
match("MESSAGE#42:01490019", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Query: query with '(sAMAccountName=%{username})' successful", processor_chain([ + dup7, + dup2, + dup11, + ])); + + var msg43 = msg("01490019", part50); + + var part51 = match("MESSAGE#43:01490544", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Received client info - %{web_referer}", processor_chain([ + dup7, + dup2, + ])); + + var msg44 = msg("01490544", part51); + + var part52 = match("MESSAGE#44:01490511", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Initializing Access profile %{fld8->} with max concurrent user sessions limit: %{dclass_counter1}", processor_chain([ + dup7, + dup2, + setc("dclass_counter1_string"," Max Concurrent User Sessions Limit"), + ])); + + var msg45 = msg("01490511", part52); + + var part53 = match("MESSAGE#45:014d0002", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: SSOv2 Logon succeeded, config %{fld8->} form %{fld9}", processor_chain([ + dup7, + dup2, + setc("disposition","Succeeded"), + ])); + + var msg46 = msg("014d0002", part53); + + var part54 = match("MESSAGE#46:014d0002:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: SSOv2 Logon failed, config %{fld8->} form %{fld9}", processor_chain([ + dup7, + dup2, + setc("disposition","Failed"), + ])); + + var msg47 = msg("014d0002:01", part54); + + var select11 = linear_select([ + msg46, + msg47, + ]); + + var part55 = match("MESSAGE#47:01490079", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: Access policy '%{fld8}' configuration has changed.Access 
profile '%{fld9}' configuration changes need to be applied for the new configuration", processor_chain([ + dup7, + dup2, + ])); + + var msg48 = msg("01490079", part55); + + var part56 = match("MESSAGE#48:01490165", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Access profile: %{fld8->} initialized with configuration snapshot catalog: %{fld9}", processor_chain([ + dup7, + dup2, + ])); + + var msg49 = msg("01490165", part56); + + var part57 = match("MESSAGE#49:01490166", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Current snapshot ID: %{fld8->} retrieved from session db for access profile: %{fld9}", processor_chain([ + dup7, + dup2, + ])); + + var msg50 = msg("01490166", part57); + + var part58 = match("MESSAGE#50:01490167", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Current snapshot ID: %{fld8->} updated inside session db for access profile: %{fld9}", processor_chain([ + dup7, + dup2, + ])); + + var msg51 = msg("01490167", part58); + + var part59 = match("MESSAGE#51:01490169", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Snapshot catalog entry: %{fld8->} added for access profile: %{fld9}", processor_chain([ + dup7, + dup2, + ])); + + var msg52 = msg("01490169", part59); + + var part60 = match("MESSAGE#52:0149016a", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Initiating snapshot creation: %{fld8->} for access profile: %{fld9}", processor_chain([ + dup7, + dup2, + ])); + + var msg53 = msg("0149016a", part60); + + var part61 = match("MESSAGE#53:0149016b", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Completed snapshot creation: %{fld8->} for access profile: %{fld9}", processor_chain([ + dup7, + dup2, + ])); + + var msg54 = 
msg("0149016b", part61); + + var part62 = match("MESSAGE#54:ssl_acc/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}] %{saddr->} - %{p0}"); + + var part63 = match("MESSAGE#54:ssl_acc/1_0", "nwparser.p0", "- %{p0}"); + + var part64 = match("MESSAGE#54:ssl_acc/1_1", "nwparser.p0", "%{username->} %{p0}"); + + var select12 = linear_select([ + part63, + part64, + ]); + + var part65 = match("MESSAGE#54:ssl_acc/2", "nwparser.p0", "%{}[%{fld20->} %{timezone}] \"%{url}\" %{resultcode->} %{rbytes}"); + + var all4 = all_match({ + processors: [ + part62, + select12, + part65, + ], + on_success: processor_chain([ + dup13, + dup14, + dup2, + ]), + }); + + var msg55 = msg("ssl_acc", all4); + + var part66 = match("MESSAGE#55:ssl_req", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}]%{space}[%{fld20->} %{timezone}] %{saddr->} %{protocol->} %{encryption_type->} \"%{url}\" %{rbytes}", processor_chain([ + dup13, + dup14, + dup2, + ])); + + var msg56 = msg("ssl_req", part66); + + var part67 = match("MESSAGE#56:acc", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}]%{space}[%{fld20->} %{timezone}] \"%{web_method->} %{url->} %{version}\" %{resultcode->} %{rbytes->} \"%{fld7}\" \"%{user_agent}\"", processor_chain([ + dup13, + dup14, + dup2, + ])); + + var msg57 = msg("acc", part67); + + var part68 = match("MESSAGE#57:crond", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{username}(%{sessionid}): %{action}", processor_chain([ + dup15, + dup2, + ])); + + var msg58 = msg("crond", part68); + + var msg59 = msg("crond:01", dup19); + + var part69 = match("MESSAGE#59:crond:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) %{info}", processor_chain([ + dup15, + dup2, + ])); + + var msg60 = msg("crond:02", part69); + + var 
select13 = linear_select([ + msg58, + msg59, + msg60, + ]); + + var part70 = match("MESSAGE#60:sSMTP", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([ + setc("eventcategory","1207000000"), + dup2, + ])); + + var msg61 = msg("sSMTP", part70); + + var part71 = match("MESSAGE#61:01420002", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{fld5}: AUDIT - pid=%{parent_pid->} user=%{username->} folder=%{directory->} module=%{fld6->} status=%{result->} cmd_data=%{info}", processor_chain([ + dup16, + dup2, + ])); + + var msg62 = msg("01420002", part71); + + var part72 = match("MESSAGE#62:syslog-ng", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([ + dup15, + dup2, + ])); + + var msg63 = msg("syslog-ng", part72); + + var part73 = match("MESSAGE#63:syslog-ng:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}: %{info}", processor_chain([ + dup15, + dup2, + ])); + + var msg64 = msg("syslog-ng:01", part73); + + var select14 = linear_select([ + msg63, + msg64, + ]); + + var part74 = match("MESSAGE#64:auditd", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([ + dup16, + dup2, + ])); + + var msg65 = msg("auditd", part74); + + var part75 = match("MESSAGE#65:014d0001", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: ssoMethod: %{authmethod->} usernameSource: %{fld9->} passwordSource: %{fld10->} ntlmdomain: %{c_domain}", processor_chain([ + dup5, + dup2, + ])); + + var msg66 = msg("014d0001", part75); + + var part76 = match("MESSAGE#66:014d0001:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: ctx: %{fld9}, %{p0}"); + + var 
part77 = match("MESSAGE#66:014d0001:01/1_0", "nwparser.p0", "SERVER %{p0}"); + + var part78 = match("MESSAGE#66:014d0001:01/1_1", "nwparser.p0", "CLIENT %{p0}"); + + var select15 = linear_select([ + part77, + part78, + ]); + + var part79 = match("MESSAGE#66:014d0001:01/2", "nwparser.p0", ": %{info}"); + + var all5 = all_match({ + processors: [ + part76, + select15, + part79, + ], + on_success: processor_chain([ + dup5, + dup2, + ]), + }); + + var msg67 = msg("014d0001:01", all5); + + var msg68 = msg("014d0001:02", dup20); + + var select16 = linear_select([ + msg66, + msg67, + msg68, + ]); + + var msg69 = msg("014d0044", dup20); + + var part80 = match("MESSAGE#69:01490549/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Assigned PPP Dynamic IPv4: %{stransaddr->} Tunnel Type: %{group->} %{fld8->} Resource: %{rulename->} Client IP: %{p0}"); + + var part81 = match("MESSAGE#69:01490549/1_0", "nwparser.p0", "%{saddr->} - %{fld9->} "); + + var part82 = match("MESSAGE#69:01490549/1_1", "nwparser.p0", " %{saddr}"); + + var select17 = linear_select([ + part81, + part82, + ]); + + var all6 = all_match({ + processors: [ + part80, + select17, + ], + on_success: processor_chain([ + dup3, + dup2, + ]), + }); + + var msg70 = msg("01490549", all6); + + var part83 = match("MESSAGE#70:01490547", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: Access Profile %{rulename}: %{result->} for %{saddr}", processor_chain([ + dup3, + dup2, + ])); + + var msg71 = msg("01490547", part83); + + var part84 = match("MESSAGE#71:01490517", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{result}", processor_chain([ + dup3, + dup2, + ])); + + var msg72 = msg("01490517", part84); + + var part85 = match("MESSAGE#72:011f0005", "nwparser.payload", "%{fld1->} %{fld2->} 
%{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{result->} (Client side: vip=%{url->} profile=%{protocol->} pool=%{fld8->} client_ip=%{saddr})", processor_chain([ + dup3, + dup2, + ])); + + var msg73 = msg("011f0005", part85); + + var part86 = match("MESSAGE#73:014d0048", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7->} %{rulename->} \u003c\u003c%{event_description}>: APM_EVENT=%{action->} | %{username->} | %{fld8->} ***%{result}***", processor_chain([ + dup3, + dup2, + ])); + + var msg74 = msg("014d0048", part86); + + var part87 = match("MESSAGE#74:error", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: [%{fld7}] [client %{saddr}] %{result}: %{url}", processor_chain([ + dup3, + dup2, + ])); + + var msg75 = msg("error", part87); + + var msg76 = msg("CROND:03", dup19); + + var part88 = match("MESSAGE#76:01260009", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]:%{fld7}:%{fld6}: Connection error:%{event_description}", processor_chain([ + dup6, + dup2, + ])); + + var msg77 = msg("01260009", part88); + + var part89 = match("MESSAGE#77:apmd:04", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: %{fld6->} - Hostname: %{shost->} Type: %{fld7->} Version: %{version->} Platform: %{os->} CPU: %{fld8->} Mode:%{fld9}", processor_chain([ + dup15, + dup2, + dup17, + ])); + + var msg78 = msg("apmd:04", part89); + + var part90 = match("MESSAGE#78:apmd:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: RADIUS module: parseResponse(): Access-Reject packet from host %{saddr}:%{sport->} %{fld7}", processor_chain([ + dup9, + dup2, + dup17, + ])); + + var msg79 = msg("apmd:03", part90); + + var 
part91 = match("MESSAGE#79:apmd:02/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: RADIUS module: authentication with '%{username}' failed: %{p0}"); + + var part92 = match("MESSAGE#79:apmd:02/1_0", "nwparser.p0", "%{fld6->} from host %{saddr}:%{sport->} %{fld7}"); + + var part93 = match("MESSAGE#79:apmd:02/1_1", "nwparser.p0", " %{fld8}"); + + var select18 = linear_select([ + part92, + part93, + ]); + + var all7 = all_match({ + processors: [ + part91, + select18, + ], + on_success: processor_chain([ + dup9, + dup2, + dup17, + ]), + }); + + var msg80 = msg("apmd:02", all7); + + var part94 = match("MESSAGE#80:apmd", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]:%{info}", processor_chain([ + dup15, + dup2, + dup17, + ])); + + var msg81 = msg("apmd", part94); + + var select19 = linear_select([ + msg78, + msg79, + msg80, + msg81, + ]); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "011f0005": msg73, + "01260009": msg77, + "01420002": msg62, + "01490000": select4, + "01490004": msg18, + "01490005": msg20, + "01490006": msg21, + "01490007": msg22, + "01490008": msg23, + "01490009": msg12, + "01490010": msg11, + "01490013": msg42, + "01490017": select10, + "01490019": msg43, + "01490079": msg48, + "01490101": msg37, + "01490102": msg13, + "01490103": msg38, + "01490106": select9, + "01490107": select8, + "01490113": select2, + "01490115": msg39, + "01490128": msg36, + "01490142": msg28, + "01490165": msg49, + "01490166": msg50, + "01490167": msg51, + "01490169": msg52, + "0149016a": msg53, + "0149016b": msg54, + "01490500": msg19, + "01490501": msg26, + "01490502": msg1, + "01490504": msg29, + "01490505": msg25, + "01490506": msg3, + "01490511": msg45, + "01490514": msg24, + "01490517": msg72, + "01490520": msg27, + "01490521": msg2, + "01490538": msg30, + "01490544": msg44, + "01490547": 
msg71, + "01490549": msg70, + "014d0001": select16, + "014d0002": select11, + "014d0044": msg69, + "CROND": msg76, + "Rule": msg74, + "acc": msg57, + "apmd": select19, + "auditd": msg65, + "crond": select13, + "error": msg75, + "sSMTP": msg61, + "ssl_acc": msg55, + "ssl_req": msg56, + "syslog-ng": select14, + }), + ]); + + var part95 = match("MESSAGE#10:01490010/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{p0}"); + + var part96 = match("MESSAGE#0:01490502", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + dup1, + dup2, + ])); + + var part97 = match("MESSAGE#58:crond:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ + dup15, + dup2, + ])); + + var part98 = match("MESSAGE#67:014d0001:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{info}", processor_chain([ + dup5, + dup2, + ])); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/f5/0.1.0/dataset/bigipapm/agent/stream/tcp.yml.hbs b/packages/f5/0.1.0/dataset/bigipapm/agent/stream/tcp.yml.hbs new file mode 100644 index 0000000000..68b24e5d64 --- /dev/null +++ b/packages/f5/0.1.0/dataset/bigipapm/agent/stream/tcp.yml.hbs 
@@ -0,0 +1,3449 @@ +tcp: +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "F5" + product: "Big-IP" + type: "Access" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) {
+ var n = str.length;
+ var start = skipws(str, pos);
+ if (start + 2 > n) return;
+ var head = str.substr(start, 2).toUpperCase();
+ var isPM = false;
+ var skip = false;
+ switch (head) {
+ case "A.":
+ skip = true;
+ /* falls through */
+ case "AM":
+ break;
+ case "P.":
+ skip = true;
+ /* falls through */
+ case "PM":
+ isPM = true;
+ break;
+ default:
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
+ return;
+ }
+ pos = start + 2;
+ if (skip) {
+ if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
+ return;
+ }
+ pos += 2;
+ }
+ var hh = date.hours;
+ if (isPM) {
+ // Accept existing hour in 24h format.
+ if (hh < 12) hh += 12;
+ } else {
+ if (hh === 12) hh = 0;
+ }
+ date.setHours(hh);
+ return pos;
+ }
+
+ function parseHMS(str, pos, date) {
+ return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
+ }
+
+ function skipws(str, pos) {
+ for ( var n = str.length;
+ pos < n && str.charAt(pos) === " ";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function skipdigits(str, pos) {
+ var c;
+ for (var n = str.length;
+ pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function dSkip(str, pos, date) {
+ var chr;
+ for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
+ return pos < str.length?
pos : undefined;
+ }
+
+ function dateVariableWidthNumber(fmtChar, min, max, setter) {
+ return function (str, pos, date) {
+ var start = skipws(str, pos);
+ pos = skipdigits(str, start);
+ var s = str.substr(start, pos - start);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos;
+ }
+ return;
+ };
+ }
+
+ function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + width > n) return;
+ var s = str.substr(pos, width);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos + width;
+ }
+ return;
+ };
+ }
+
+ // Short month name (Jan..Dec).
+ function dateMonthName(long) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + 3 > n) return;
+ var mon = str.substr(pos, 3);
+ var idx = shortMonths[mon];
+ if (idx === undefined) {
+ idx = shortMonths[mon.toLowerCase()];
+ }
+ if (idx === undefined) {
+ //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
+ return;
+ }
+ date.setMonth(idx[0]+1);
+ return pos + 3 + (long ?
idx[1] : 0);
+ };
+ }
+
+ function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.error(fn.name + " failed for '" + value + "'");
+ }
+ };
+ }
+
+ // The following regular expression for parsing URLs from:
+ // https://github.com/wizard04wsu/URI_Parsing
+ //
+ // The MIT License (MIT)
+ //
+ // Copyright (c) 2014 Andrew Harrison
+ //
+ // Permission is hereby granted, free of charge, to any person obtaining a copy of
+ // this software and associated documentation files (the "Software"), to deal in
+ // the Software without restriction, including without limitation the rights to
+ // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ // the Software, and to permit persons to whom the Software is furnished to do so,
+ // subject to the following conditions:
+ //
+ // The above copyright notice and this permission notice shall be included in all
+ // copies or substantial portions of the Software.
+ //
+ // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+ // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+ // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+ // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+ var uriScheme = 1;
+ var uriDomain = 5;
+ var uriPort = 6;
+ var uriPath = 7;
+ var uriPathAlt = 9;
+ var uriQuery = 11;
+
+ function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+ }
+
+ function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+ }
+
+ function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+ }
+
+ var extFromPage = /\.[^.]+$/;
+ function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+ }
+
+ function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+ }
+
+ function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+ }
+
+ var pageFromPathRegExp = /\/([^\/]+)$/;
+ var pageName = 1;
+
+ function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+ }
+
+ function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+ }
+
+ function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+ }
+
+ function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+ }
+
+ // Map common schemes to their default port.
+ // port has to be a string (will be converted at a later stage).
+ var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+ };
+
+ function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+ }
+
+ function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+ }
+
+ function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+ }
+
+ function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+ }
+
+ function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+ }
+
+ function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+ }
+
+ var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field:
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]},
+ "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field:
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field:
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field:
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
+ "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
+ "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
+ "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
+ "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
+ "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
+ "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
+ "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
+ "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
+ "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
+ "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
+ "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
+ "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
+ "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
+ "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
+ "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
+ "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
+ "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
+ "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
+ "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
+ "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
+ "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
+ "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
+ "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
+ "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
+ "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
+ "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
+ "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
+ "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
+ "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
+ "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
+ "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
+ "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
+ "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
+ "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
+ "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
+ "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
+ "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
+ "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
+ "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
+ "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
+ "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
+ "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
+ "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
+ "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
+ "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
+ "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
+ "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
+ "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
+ "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
+ "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
+ "number": {to:[{field: "rsa.misc.number", setter: fld_set}]},
+ "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
+ "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
+ "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
+ "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
+ "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
+ "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
+ "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
+ "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
+ "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
+ "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
+ "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
+ "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
+ "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
+ "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
+ "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
+ "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
+ "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
+ "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
+ "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
+ "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
+ "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
+ "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
+ "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
+ "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
+ "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
+ "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
+ "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
+ "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
+ "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
+ "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
+ "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
+ "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
+ "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
+ "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
+ "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
+ "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
+ "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
+ "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
+ "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
+ "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
+ "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
+ "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
+ "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
+ "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
+ "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
+ "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
+ "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
+ "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
+ "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
+ "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
+ "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
+ "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
+ "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
+ "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
+ "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
+ "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
+ "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
+ "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
+ "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
+ "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
+ "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
+ "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
+ "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
+ "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
+ "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
+ "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
+ "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
+ "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
+ "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
+ "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
+ "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
+ "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
+ "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
+ "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
+ "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
+ "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
+ "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
+ "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
+ "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
+ "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
+ "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
+ "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
+ "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
+ "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
+ "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
+ "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
+ "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
+ "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
+ "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
+ "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
+ "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
+ "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
+ "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
+ "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
+ "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
+ "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
+ "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
+ "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
+ "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
+ "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
+ "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
+ "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
+ "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
+ "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
+ "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
+ "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
+ "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]},
+ "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
+ "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
+ "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
+ "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
+ "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
+ "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
+ "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
+ "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
+ "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
+ "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
+ "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
+ "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
+ "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
+ "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
+ "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
+ "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
+ "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
+ "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
+ "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
+ "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
+ "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
+ "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
+ "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
+ "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
+ "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
+ "second": {to:[{field: "rsa.misc.second", setter: fld_set}]},
+ "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
+ "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
+ "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
+ "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]},
+ "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
+ "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
+ "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
+ "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
+ "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
+ "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
+ "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
+ "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
+ "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
+ "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
+ "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
+ "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
+ "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
+ "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
+ "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
+ "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
+ "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
+ "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
+ "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
+ "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
+ "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
+ "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]},
+ "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
+ "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
+ "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
+ "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
+ "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]},
+ "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
+ "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
+ "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
+ "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
+ "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
+ "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
+ "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
+ "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
+ "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
+ "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
+ "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
+ "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
+ "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
+ "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
+ "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
+ "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
+ "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
+ "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
+ "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
+ "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
+ "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
+ "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
+ "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
+ "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]},
+ "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
+ "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
+ "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
+ "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]},
+ "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
+ "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
+ "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
+ "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
+ "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
+ "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
+ "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
+ "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
+ "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
+ "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
+ "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
+ "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
+ "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
+ "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
+ "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
+ "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
+ "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
+ "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
+ "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
+ "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
+ "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
+ "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
+ "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]},
+ "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
+ "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
+ "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
+ "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]},
+ "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]},
+ "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]},
+ "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]},
+ "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]},
+ "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]},
+ "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]},
+ "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]},
+ "version": {to:[{field: "rsa.misc.version", setter: fld_set}]},
+ "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]},
+ "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]},
+ "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]},
+ "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]},
+ "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]},
+ "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]},
+ "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]},
+ "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]},
+ "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]},
+ "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]},
+ "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]},
+ "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]},
+ "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]},
+ "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]},
+ "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]},
+ "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]},
+ "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]},
+ 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{p0}"); + + var dup5 = setc("eventcategory","1801000000"); + + var dup6 = setc("eventcategory","1801010000"); + + var dup7 = setc("eventcategory","1502000000"); + + var dup8 = setc("eventcategory","1805010000"); + + var dup9 = setc("eventcategory","1803000000"); + + var dup10 = setc("eventcategory","1803030000"); + + var dup11 = setc("disposition"," Successful"); + + var dup12 = setc("dclass_counter1_string"," Logon Attempt"); + + var dup13 = setc("eventcategory","1204000000"); + + var dup14 = date_time({ + dest: "event_time", + args: ["fld20"], + fmts: [ + [dD,dc("/"),dB,dc("/"),dW,dc(":"),dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup15 = setc("eventcategory","1605000000"); + + var dup16 = setc("eventcategory","1612000000"); + + var dup17 = date_time({ + dest: "event_time", + args: ["fld1","fld2","fld3"], + fmts: [ + [dB,dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup18 = match("MESSAGE#0:01490502", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + dup1, + dup2, + ])); + + var dup19 = match("MESSAGE#58:crond:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ + dup15, + dup2, + ])); + + var dup20 = match("MESSAGE#67:014d0001:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{info}", processor_chain([ + dup5, + dup2, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}[%{hfld4}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + 
args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant("["), + field("hfld4"), + constant("]: "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(": "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}: [%{messageid}]%{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(": ["), + field("messageid"), + constant("]"), + field("payload"), + ], + }), + ])); + + var hdr4 = match("HEADER#3:0004", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]:%{payload}", processor_chain([ + setc("header_id","0004"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("messageid"), + constant("["), + field("hfld3"), + constant("]:"), + field("payload"), + ], + }), + ])); + + var hdr5 = match("HEADER#4:0005", 
"message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{messageid}:%{payload}", processor_chain([ + setc("header_id","0005"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("messageid"), + constant(":"), + field("payload"), + ], + }), + ])); + + var hdr6 = match("HEADER#5:0006", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}[%{hfld4}]: %{messageid->} /%{payload}", processor_chain([ + setc("header_id","0006"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant("["), + field("hfld4"), + constant("]: "), + field("messageid"), + constant(" /"), + field("payload"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + ]); + + var msg1 = msg("01490502", dup18); + + var part1 = match("MESSAGE#1:01490521", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Session statistics - bytes in:%{rbytes}, bytes out: %{sbytes}", processor_chain([ + dup3, + dup2, + ])); + + var msg2 = msg("01490521", part1); + + var part2 = match("MESSAGE#2:01490506", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Received User-Agent header: %{user_agent}", processor_chain([ + dup3, + dup2, + ])); + + var msg3 = msg("01490506", part2); + + var part3 = match("MESSAGE#3:01490113:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.network.name is 
%{fqdn}", processor_chain([ + dup3, + dup2, + ])); + + var msg4 = msg("01490113:01", part3); + + var part4 = match("MESSAGE#4:01490113:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.network.port is %{network_port}", processor_chain([ + dup3, + dup2, + ])); + + var msg5 = msg("01490113:02", part4); + + var part5 = match("MESSAGE#5:01490113:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.listener.name is %{service}", processor_chain([ + dup3, + dup2, + ])); + + var msg6 = msg("01490113:03", part5); + + var part6 = match("MESSAGE#6:01490113:04", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.network.protocol is %{network_service}", processor_chain([ + dup3, + dup2, + ])); + + var msg7 = msg("01490113:04", part6); + + var part7 = match("MESSAGE#7:01490113:05", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.user.agent is %{info}", processor_chain([ + dup3, + dup2, + ])); + + var msg8 = msg("01490113:05", part7); + + var part8 = match("MESSAGE#8:01490113:06", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.user.clientip is %{saddr}", processor_chain([ + dup3, + dup2, + ])); + + var msg9 = msg("01490113:06", part8); + + var part9 = match("MESSAGE#9:01490113", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.%{info}", processor_chain([ + dup3, + dup2, + ])); + + var msg10 = msg("01490113", part9); + + var select2 = linear_select([ + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + ]); + + var part10 = 
match("MESSAGE#10:01490010/1_0", "nwparser.p0", "%{fld10}:%{fld11}:%{sessionid}: Username '%{p0}"); + + var part11 = match("MESSAGE#10:01490010/1_1", "nwparser.p0", "%{sessionid}: Username '%{p0}"); + + var select3 = linear_select([ + part10, + part11, + ]); + + var part12 = match("MESSAGE#10:01490010/2", "nwparser.p0", "%{username}'"); + + var all1 = all_match({ + processors: [ + dup4, + select3, + part12, + ], + on_success: processor_chain([ + setc("eventcategory","1401000000"), + dup2, + ]), + }); + + var msg11 = msg("01490010", all1); + + var part13 = match("MESSAGE#11:01490009", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: ACL '%{policyname}' assigned", processor_chain([ + setc("eventcategory","1501020000"), + dup2, + ])); + + var msg12 = msg("01490009", part13); + + var part14 = match("MESSAGE#12:01490102", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Access policy result: %{result}", processor_chain([ + setc("eventcategory","1501000000"), + dup2, + ])); + + var msg13 = msg("01490102", part14); + + var part15 = match("MESSAGE#13:01490000:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{authmethod->} authentication for user %{username->} using config %{fld8}", processor_chain([ + dup5, + dup2, + ])); + + var msg14 = msg("01490000:02", part15); + + var part16 = match("MESSAGE#14:01490000:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: found HTTP %{resultcode->} in response header", processor_chain([ + dup6, + dup2, + ])); + + var msg15 = msg("01490000:01", part16); + + var part17 = match("MESSAGE#15:01490000", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: 
%{filename->} func: \"%{action}\" line: %{fld8->} Msg: %{result}", processor_chain([ + dup5, + dup2, + ])); + + var msg16 = msg("01490000", part17); + + var part18 = match("MESSAGE#16:01490000:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{event_description}", processor_chain([ + dup5, + dup2, + ])); + + var msg17 = msg("01490000:03", part18); + + var select4 = linear_select([ + msg14, + msg15, + msg16, + msg17, + ]); + + var part19 = match("MESSAGE#17:01490004", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Executed agent '%{application}', return value %{resultcode}", processor_chain([ + dup5, + dup2, + ])); + + var msg18 = msg("01490004", part19); + + var part20 = match("MESSAGE#18:01490500/1_0", "nwparser.p0", "%{fld10}:%{fld11}:%{sessionid}: New session from client IP %{p0}"); + + var part21 = match("MESSAGE#18:01490500/1_1", "nwparser.p0", "%{sessionid}: New session from client IP %{p0}"); + + var select5 = linear_select([ + part20, + part21, + ]); + + var part22 = match("MESSAGE#18:01490500/2", "nwparser.p0", "%{saddr->} (ST=%{location_state}/CC=%{location_country}/C=%{location_city}) at VIP %{p0}"); + + var part23 = match("MESSAGE#18:01490500/3_0", "nwparser.p0", "%{daddr->} Listener %{fld8->} (Reputation=%{category})"); + + var part24 = match("MESSAGE#18:01490500/3_1", "nwparser.p0", "%{daddr->} Listener %{fld8}"); + + var part25 = match("MESSAGE#18:01490500/3_2", "nwparser.p0", "%{daddr}"); + + var select6 = linear_select([ + part23, + part24, + part25, + ]); + + var all2 = all_match({ + processors: [ + dup4, + select5, + part22, + select6, + ], + on_success: processor_chain([ + dup3, + dup2, + ]), + }); + + var msg19 = msg("01490500", all2); + + var part26 = match("MESSAGE#19:01490005", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: 
%{sessionid}: Following rule %{fld8->} from item %{fld9->} to ending %{fld10}", processor_chain([ + dup7, + dup2, + ])); + + var msg20 = msg("01490005", part26); + + var part27 = match("MESSAGE#20:01490006", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{fld8->} from item '%{fld9}' to item '%{fld10}'", processor_chain([ + dup7, + dup2, + ])); + + var msg21 = msg("01490006", part27); + + var part28 = match("MESSAGE#21:01490007", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Session variable '%{change_attribute}' set to %{change_new}", processor_chain([ + dup7, + dup2, + ])); + + var msg22 = msg("01490007", part28); + + var part29 = match("MESSAGE#22:01490008", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Connectivity resource %{application->} assigned", processor_chain([ + dup3, + dup2, + ])); + + var msg23 = msg("01490008", part29); + + var part30 = match("MESSAGE#23:01490514", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Access encountered error: %{result}. 
File: %(unknown), Function: %{action}, Line: %{fld9}", processor_chain([ + dup6, + dup2, + ])); + + var msg24 = msg("01490514", part30); + + var part31 = match("MESSAGE#24:01490505", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + dup5, + dup2, + ])); + + var msg25 = msg("01490505", part31); + + var msg26 = msg("01490501", dup18); + + var msg27 = msg("01490520", dup18); + + var part32 = match("MESSAGE#27:01490142", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + setc("eventcategory","1609000000"), + dup2, + ])); + + var msg28 = msg("01490142", part32); + + var part33 = match("MESSAGE#28:01490504", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{fqdn->} can not be resolved.", processor_chain([ + dup8, + dup2, + ])); + + var msg29 = msg("01490504", part33); + + var part34 = match("MESSAGE#29:01490538", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Configuration snapshot deleted by Access.", processor_chain([ + dup8, + dup2, + ])); + + var msg30 = msg("01490538", part34); + + var part35 = match("MESSAGE#30:01490107:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{fld8}' failed: Clients credentials have been revoked, principal name: %{username}@%{fqdn}. 
%{result->} %{fld9}", processor_chain([ + dup9, + dup2, + ])); + + var msg31 = msg("01490107:01", part35); + + var part36 = match("MESSAGE#31:01490107", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed in %{action}: %{result->} %{fld8}", processor_chain([ + dup9, + dup2, + ])); + + var msg32 = msg("01490107", part36); + + var part37 = match("MESSAGE#32:01490107:02/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed: %{p0}"); + + var part38 = match("MESSAGE#32:01490107:02/1_0", "nwparser.p0", "Client '%{fqdn}' not found in Kerberos database, principal name:%{fld10->} %{p0}"); + + var part39 = match("MESSAGE#32:01490107:02/1_1", "nwparser.p0", "%{result->} %{p0}"); + + var select7 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#32:01490107:02/2", "nwparser.p0", "%{info}"); + + var all3 = all_match({ + processors: [ + part37, + select7, + part40, + ], + on_success: processor_chain([ + dup9, + dup2, + ]), + }); + + var msg33 = msg("01490107:02", all3); + + var select8 = linear_select([ + msg31, + msg32, + msg33, + ]); + + var part41 = match("MESSAGE#33:01490106", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed in %{action}: Preauthentication failed, principal name: %{fld8}. 
%{result->} %{fld9}", processor_chain([ + dup9, + dup2, + ])); + + var msg34 = msg("01490106", part41); + + var part42 = match("MESSAGE#34:01490106:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed: Preauthentication failed, principal name: %{fld8}. %{result->} %{fld9}", processor_chain([ + dup9, + dup2, + ])); + + var msg35 = msg("01490106:01", part42); + + var select9 = linear_select([ + msg34, + msg35, + ]); + + var part43 = match("MESSAGE#35:01490128", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Webtop %{application->} assigned", processor_chain([ + dup5, + dup2, + ])); + + var msg36 = msg("01490128", part43); + + var part44 = match("MESSAGE#36:01490101", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Access profile: %{fld8->} configuration has been applied. 
Newly active generation count is: %{dclass_counter1}", processor_chain([ + dup10, + dup2, + setc("dclass_counter1_string","Newly active generation count"), + ])); + + var msg37 = msg("01490101", part44); + + var part45 = match("MESSAGE#37:01490103", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Retry Username '%{username}'", processor_chain([ + dup10, + dup2, + ])); + + var msg38 = msg("01490103", part45); + + var part46 = match("MESSAGE#38:01490115", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{rulename->} from item %{fld9->} to terminalout %{fld10}", processor_chain([ + dup7, + dup2, + ])); + + var msg39 = msg("01490115", part46); + + var part47 = match("MESSAGE#39:01490017", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Auth (logon attempt:%{dclass_counter1}): authenticate with '%{username}' successful", processor_chain([ + dup7, + dup2, + dup11, + dup12, + ])); + + var msg40 = msg("01490017", part47); + + var part48 = match("MESSAGE#41:01490017:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Auth (logon attempt:%{dclass_counter1}): authenticate with '%{username}' failed", processor_chain([ + dup7, + dup2, + setc("disposition"," Failed"), + dup12, + ])); + + var msg41 = msg("01490017:01", part48); + + var select10 = linear_select([ + msg40, + msg41, + ]); + + var part49 = match("MESSAGE#40:01490013", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Retrieving AAA server: %{fld8}", processor_chain([ + dup7, + dup2, + ])); + + var msg42 = msg("01490013", part49); + + var part50 = 
match("MESSAGE#42:01490019", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Query: query with '(sAMAccountName=%{username})' successful", processor_chain([ + dup7, + dup2, + dup11, + ])); + + var msg43 = msg("01490019", part50); + + var part51 = match("MESSAGE#43:01490544", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Received client info - %{web_referer}", processor_chain([ + dup7, + dup2, + ])); + + var msg44 = msg("01490544", part51); + + var part52 = match("MESSAGE#44:01490511", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Initializing Access profile %{fld8->} with max concurrent user sessions limit: %{dclass_counter1}", processor_chain([ + dup7, + dup2, + setc("dclass_counter1_string"," Max Concurrent User Sessions Limit"), + ])); + + var msg45 = msg("01490511", part52); + + var part53 = match("MESSAGE#45:014d0002", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: SSOv2 Logon succeeded, config %{fld8->} form %{fld9}", processor_chain([ + dup7, + dup2, + setc("disposition","Succeeded"), + ])); + + var msg46 = msg("014d0002", part53); + + var part54 = match("MESSAGE#46:014d0002:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: SSOv2 Logon failed, config %{fld8->} form %{fld9}", processor_chain([ + dup7, + dup2, + setc("disposition","Failed"), + ])); + + var msg47 = msg("014d0002:01", part54); + + var select11 = linear_select([ + msg46, + msg47, + ]); + + var part55 = match("MESSAGE#47:01490079", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: Access policy '%{fld8}' configuration has changed.Access 
profile '%{fld9}' configuration changes need to be applied for the new configuration", processor_chain([ + dup7, + dup2, + ])); + + var msg48 = msg("01490079", part55); + + var part56 = match("MESSAGE#48:01490165", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Access profile: %{fld8->} initialized with configuration snapshot catalog: %{fld9}", processor_chain([ + dup7, + dup2, + ])); + + var msg49 = msg("01490165", part56); + + var part57 = match("MESSAGE#49:01490166", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Current snapshot ID: %{fld8->} retrieved from session db for access profile: %{fld9}", processor_chain([ + dup7, + dup2, + ])); + + var msg50 = msg("01490166", part57); + + var part58 = match("MESSAGE#50:01490167", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Current snapshot ID: %{fld8->} updated inside session db for access profile: %{fld9}", processor_chain([ + dup7, + dup2, + ])); + + var msg51 = msg("01490167", part58); + + var part59 = match("MESSAGE#51:01490169", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Snapshot catalog entry: %{fld8->} added for access profile: %{fld9}", processor_chain([ + dup7, + dup2, + ])); + + var msg52 = msg("01490169", part59); + + var part60 = match("MESSAGE#52:0149016a", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Initiating snapshot creation: %{fld8->} for access profile: %{fld9}", processor_chain([ + dup7, + dup2, + ])); + + var msg53 = msg("0149016a", part60); + + var part61 = match("MESSAGE#53:0149016b", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Completed snapshot creation: %{fld8->} for access profile: %{fld9}", processor_chain([ + dup7, + dup2, + ])); + + var msg54 = 
msg("0149016b", part61); + + var part62 = match("MESSAGE#54:ssl_acc/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}] %{saddr->} - %{p0}"); + + var part63 = match("MESSAGE#54:ssl_acc/1_0", "nwparser.p0", "- %{p0}"); + + var part64 = match("MESSAGE#54:ssl_acc/1_1", "nwparser.p0", "%{username->} %{p0}"); + + var select12 = linear_select([ + part63, + part64, + ]); + + var part65 = match("MESSAGE#54:ssl_acc/2", "nwparser.p0", "%{}[%{fld20->} %{timezone}] \"%{url}\" %{resultcode->} %{rbytes}"); + + var all4 = all_match({ + processors: [ + part62, + select12, + part65, + ], + on_success: processor_chain([ + dup13, + dup14, + dup2, + ]), + }); + + var msg55 = msg("ssl_acc", all4); + + var part66 = match("MESSAGE#55:ssl_req", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}]%{space}[%{fld20->} %{timezone}] %{saddr->} %{protocol->} %{encryption_type->} \"%{url}\" %{rbytes}", processor_chain([ + dup13, + dup14, + dup2, + ])); + + var msg56 = msg("ssl_req", part66); + + var part67 = match("MESSAGE#56:acc", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}]%{space}[%{fld20->} %{timezone}] \"%{web_method->} %{url->} %{version}\" %{resultcode->} %{rbytes->} \"%{fld7}\" \"%{user_agent}\"", processor_chain([ + dup13, + dup14, + dup2, + ])); + + var msg57 = msg("acc", part67); + + var part68 = match("MESSAGE#57:crond", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{username}(%{sessionid}): %{action}", processor_chain([ + dup15, + dup2, + ])); + + var msg58 = msg("crond", part68); + + var msg59 = msg("crond:01", dup19); + + var part69 = match("MESSAGE#59:crond:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) %{info}", processor_chain([ + dup15, + dup2, + ])); + + var msg60 = msg("crond:02", part69); + + var 
select13 = linear_select([ + msg58, + msg59, + msg60, + ]); + + var part70 = match("MESSAGE#60:sSMTP", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([ + setc("eventcategory","1207000000"), + dup2, + ])); + + var msg61 = msg("sSMTP", part70); + + var part71 = match("MESSAGE#61:01420002", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{fld5}: AUDIT - pid=%{parent_pid->} user=%{username->} folder=%{directory->} module=%{fld6->} status=%{result->} cmd_data=%{info}", processor_chain([ + dup16, + dup2, + ])); + + var msg62 = msg("01420002", part71); + + var part72 = match("MESSAGE#62:syslog-ng", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([ + dup15, + dup2, + ])); + + var msg63 = msg("syslog-ng", part72); + + var part73 = match("MESSAGE#63:syslog-ng:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}: %{info}", processor_chain([ + dup15, + dup2, + ])); + + var msg64 = msg("syslog-ng:01", part73); + + var select14 = linear_select([ + msg63, + msg64, + ]); + + var part74 = match("MESSAGE#64:auditd", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([ + dup16, + dup2, + ])); + + var msg65 = msg("auditd", part74); + + var part75 = match("MESSAGE#65:014d0001", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: ssoMethod: %{authmethod->} usernameSource: %{fld9->} passwordSource: %{fld10->} ntlmdomain: %{c_domain}", processor_chain([ + dup5, + dup2, + ])); + + var msg66 = msg("014d0001", part75); + + var part76 = match("MESSAGE#66:014d0001:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: ctx: %{fld9}, %{p0}"); + + var 
part77 = match("MESSAGE#66:014d0001:01/1_0", "nwparser.p0", "SERVER %{p0}"); + + var part78 = match("MESSAGE#66:014d0001:01/1_1", "nwparser.p0", "CLIENT %{p0}"); + + var select15 = linear_select([ + part77, + part78, + ]); + + var part79 = match("MESSAGE#66:014d0001:01/2", "nwparser.p0", ": %{info}"); + + var all5 = all_match({ + processors: [ + part76, + select15, + part79, + ], + on_success: processor_chain([ + dup5, + dup2, + ]), + }); + + var msg67 = msg("014d0001:01", all5); + + var msg68 = msg("014d0001:02", dup20); + + var select16 = linear_select([ + msg66, + msg67, + msg68, + ]); + + var msg69 = msg("014d0044", dup20); + + var part80 = match("MESSAGE#69:01490549/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Assigned PPP Dynamic IPv4: %{stransaddr->} Tunnel Type: %{group->} %{fld8->} Resource: %{rulename->} Client IP: %{p0}"); + + var part81 = match("MESSAGE#69:01490549/1_0", "nwparser.p0", "%{saddr->} - %{fld9->} "); + + var part82 = match("MESSAGE#69:01490549/1_1", "nwparser.p0", " %{saddr}"); + + var select17 = linear_select([ + part81, + part82, + ]); + + var all6 = all_match({ + processors: [ + part80, + select17, + ], + on_success: processor_chain([ + dup3, + dup2, + ]), + }); + + var msg70 = msg("01490549", all6); + + var part83 = match("MESSAGE#70:01490547", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: Access Profile %{rulename}: %{result->} for %{saddr}", processor_chain([ + dup3, + dup2, + ])); + + var msg71 = msg("01490547", part83); + + var part84 = match("MESSAGE#71:01490517", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{result}", processor_chain([ + dup3, + dup2, + ])); + + var msg72 = msg("01490517", part84); + + var part85 = match("MESSAGE#72:011f0005", "nwparser.payload", "%{fld1->} %{fld2->} 
%{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{result->} (Client side: vip=%{url->} profile=%{protocol->} pool=%{fld8->} client_ip=%{saddr})", processor_chain([ + dup3, + dup2, + ])); + + var msg73 = msg("011f0005", part85); + + var part86 = match("MESSAGE#73:014d0048", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7->} %{rulename->} \u003c\u003c%{event_description}>: APM_EVENT=%{action->} | %{username->} | %{fld8->} ***%{result}***", processor_chain([ + dup3, + dup2, + ])); + + var msg74 = msg("014d0048", part86); + + var part87 = match("MESSAGE#74:error", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: [%{fld7}] [client %{saddr}] %{result}: %{url}", processor_chain([ + dup3, + dup2, + ])); + + var msg75 = msg("error", part87); + + var msg76 = msg("CROND:03", dup19); + + var part88 = match("MESSAGE#76:01260009", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]:%{fld7}:%{fld6}: Connection error:%{event_description}", processor_chain([ + dup6, + dup2, + ])); + + var msg77 = msg("01260009", part88); + + var part89 = match("MESSAGE#77:apmd:04", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: %{fld6->} - Hostname: %{shost->} Type: %{fld7->} Version: %{version->} Platform: %{os->} CPU: %{fld8->} Mode:%{fld9}", processor_chain([ + dup15, + dup2, + dup17, + ])); + + var msg78 = msg("apmd:04", part89); + + var part90 = match("MESSAGE#78:apmd:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: RADIUS module: parseResponse(): Access-Reject packet from host %{saddr}:%{sport->} %{fld7}", processor_chain([ + dup9, + dup2, + dup17, + ])); + + var msg79 = msg("apmd:03", part90); + + var 
part91 = match("MESSAGE#79:apmd:02/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: RADIUS module: authentication with '%{username}' failed: %{p0}"); + + var part92 = match("MESSAGE#79:apmd:02/1_0", "nwparser.p0", "%{fld6->} from host %{saddr}:%{sport->} %{fld7}"); + + var part93 = match("MESSAGE#79:apmd:02/1_1", "nwparser.p0", " %{fld8}"); + + var select18 = linear_select([ + part92, + part93, + ]); + + var all7 = all_match({ + processors: [ + part91, + select18, + ], + on_success: processor_chain([ + dup9, + dup2, + dup17, + ]), + }); + + var msg80 = msg("apmd:02", all7); + + var part94 = match("MESSAGE#80:apmd", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]:%{info}", processor_chain([ + dup15, + dup2, + dup17, + ])); + + var msg81 = msg("apmd", part94); + + var select19 = linear_select([ + msg78, + msg79, + msg80, + msg81, + ]); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "011f0005": msg73, + "01260009": msg77, + "01420002": msg62, + "01490000": select4, + "01490004": msg18, + "01490005": msg20, + "01490006": msg21, + "01490007": msg22, + "01490008": msg23, + "01490009": msg12, + "01490010": msg11, + "01490013": msg42, + "01490017": select10, + "01490019": msg43, + "01490079": msg48, + "01490101": msg37, + "01490102": msg13, + "01490103": msg38, + "01490106": select9, + "01490107": select8, + "01490113": select2, + "01490115": msg39, + "01490128": msg36, + "01490142": msg28, + "01490165": msg49, + "01490166": msg50, + "01490167": msg51, + "01490169": msg52, + "0149016a": msg53, + "0149016b": msg54, + "01490500": msg19, + "01490501": msg26, + "01490502": msg1, + "01490504": msg29, + "01490505": msg25, + "01490506": msg3, + "01490511": msg45, + "01490514": msg24, + "01490517": msg72, + "01490520": msg27, + "01490521": msg2, + "01490538": msg30, + "01490544": msg44, + "01490547": 
msg71, + "01490549": msg70, + "014d0001": select16, + "014d0002": select11, + "014d0044": msg69, + "CROND": msg76, + "Rule": msg74, + "acc": msg57, + "apmd": select19, + "auditd": msg65, + "crond": select13, + "error": msg75, + "sSMTP": msg61, + "ssl_acc": msg55, + "ssl_req": msg56, + "syslog-ng": select14, + }), + ]); + + var part95 = match("MESSAGE#10:01490010/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{p0}"); + + var part96 = match("MESSAGE#0:01490502", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + dup1, + dup2, + ])); + + var part97 = match("MESSAGE#58:crond:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ + dup15, + dup2, + ])); + + var part98 = match("MESSAGE#67:014d0001:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{info}", processor_chain([ + dup5, + dup2, + ])); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/f5/0.1.0/dataset/bigipapm/agent/stream/udp.yml.hbs b/packages/f5/0.1.0/dataset/bigipapm/agent/stream/udp.yml.hbs new file mode 100644 index 0000000000..b006a27203 --- /dev/null +++ b/packages/f5/0.1.0/dataset/bigipapm/agent/stream/udp.yml.hbs 
@@ -0,0 +1,3449 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "F5" + product: "Big-IP" + type: "Access" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined;
+ }
+
+ function dateVariableWidthNumber(fmtChar, min, max, setter) {
+ return function (str, pos, date) {
+ var start = skipws(str, pos);
+ pos = skipdigits(str, start);
+ var s = str.substr(start, pos - start);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos;
+ }
+ return;
+ };
+ }
+
+ function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + width > n) return;
+ var s = str.substr(pos, width);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos + width;
+ }
+ return;
+ };
+ }
+
+ // Short month name (Jan..Dec).
+ function dateMonthName(long) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + 3 > n) return;
+ var mon = str.substr(pos, 3);
+ var idx = shortMonths[mon];
+ if (idx === undefined) {
+ idx = shortMonths[mon.toLowerCase()];
+ }
+ if (idx === undefined) {
+ //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
+ return;
+ }
+ date.setMonth(idx[0]+1);
+ return pos + 3 + (long ? idx[1] : 0);
+ };
+ }
+
+ function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.error(fn.name + " failed for '" + value + "'");
+ }
+ };
+ }
+
+ // The following regular expression for parsing URLs from:
+ // https://github.com/wizard04wsu/URI_Parsing
+ //
+ // The MIT License (MIT)
+ //
+ // Copyright (c) 2014 Andrew Harrison
+ //
+ // Permission is hereby granted, free of charge, to any person obtaining a copy of
+ // this software and associated documentation files (the "Software"), to deal in
+ // the Software without restriction, including without limitation the rights to
+ // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ // the Software, and to permit persons to whom the Software is furnished to do so,
+ // subject to the following conditions:
+ //
+ // The above copyright notice and this permission notice shall be included in all
+ // copies or substantial portions of the Software.
+ //
+ // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+ // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+ // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+ // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+ var uriScheme = 1;
+ var uriDomain = 5;
+ var uriPort = 6;
+ var uriPath = 7;
+ var uriPathAlt = 9;
+ var uriQuery = 11;
+
+ function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+ }
+
+ function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+ }
+
+ function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+ }
+
+ var extFromPage = /\.[^.]+$/;
+ function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+ }
+
+ function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+ }
+
+ function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+ }
+
+ var pageFromPathRegExp = /\/([^\/]+)$/;
+ var pageName = 1;
+
+ function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+ }
+
+ function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+ }
+
+ function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+ }
+
+ function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+ }
+
+ // Map common schemes to their default port.
+ // port has to be a string (will be converted at a later stage).
+ var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+ };
+
+ function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+ }
+
+ function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+ }
+
+ function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+ }
+
+ function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+ }
+
+ function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+ }
+
+ function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+ }
+
+ var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined;
+ }
+
+ function to_ip(value) {
+ if (value.indexOf(":") === -1)
+ return to_ipv4(value);
+ return to_ipv6(value);
+ }
+
+ var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
+ var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
+
+ function to_ipv4(value) {
+ var result = ipv4_regex.exec(value);
+ if (result == null || result.length !== 5) return;
+ for (var i = 1; i < 5; i++) {
+ var num = strictToInt(result[i]);
+ if (isNaN(num) || num < 0 || num > 255) return;
+ }
+ return value;
+ }
+
+ function to_ipv6(value) {
+ var sqEnd = value.indexOf("]");
+ if (sqEnd > -1) {
+ if (value.charAt(0) !== "[") return;
+ value = value.substr(1, sqEnd - 1);
+ }
+ var zoneOffset = value.indexOf("%");
+ if (zoneOffset > -1) {
+ value = value.substr(0, zoneOffset);
+ }
+ var parts = value.split(":");
+ if (parts == null || parts.length < 3 || parts.length > 8) return;
+ var numEmpty = 0;
+ var innerEmpty = 0;
+ for (var i = 0; i < parts.length; i++) {
+ if (parts[i].length === 0) {
+ numEmpty++;
+ if (i > 0 && i + 1 < parts.length) innerEmpty++;
+ } else if (!parts[i].match(ipv6_hex_regex) &&
+ // Accept an IPv6 with a valid IPv4 at the end.
+ ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
+ return;
+ }
+ }
+ return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
+ }
+
+ function to_double(value) {
+ return parseFloat(value);
+ }
+
+ function to_mac(value) {
+ // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
+ return value;
+ }
+
+ function to_lowercase(value) {
+ // to_lowercase is used against keyword fields, which can accept
+ // any other type (numbers, dates).
+ return typeof(value) === "string"?
value.toLowerCase() : value;
+ }
+
+ function fld_set(dst, value) {
+ dst[this.field] = { v: value };
+ }
+
+ function fld_append(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: [value] };
+ } else {
+ var base = dst[this.field];
+ if (base.v.indexOf(value)===-1) base.v.push(value);
+ }
+ }
+
+ function fld_prio(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value, prio: this.prio};
+ } else if(this.prio < dst[this.field].prio) {
+ dst[this.field].v = value;
+ dst[this.field].prio = this.prio;
+ }
+ }
+
+ var valid_ecs_outcome = {
+ 'failure': true,
+ 'success': true,
+ 'unknown': true
+ };
+
+ function fld_ecs_outcome(dst, value) {
+ value = value.toLowerCase();
+ if (valid_ecs_outcome[value] === undefined) {
+ value = 'unknown';
+ }
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value };
+ } else if (dst[this.field].v === 'unknown') {
+ dst[this.field] = { v: value };
+ }
+ }
+
+ function map_all(evt, targets, value) {
+ for (var i = 0; i < targets.length; i++) {
+ evt.Put(targets[i], value);
+ }
+ }
+
+ function populate_fields(evt) {
+ var base = evt.Get(FIELDS_OBJECT);
+ if (base === null) return;
+ alternate_datetime(evt);
+ if (map_ecs) {
+ do_populate(evt, base, ecs_mappings);
+ }
+ if (map_rsa) {
+ do_populate(evt, base, rsa_mappings);
+ }
+ if (keep_raw) {
+ evt.Put("rsa.raw", base);
+ }
+ evt.Delete(FIELDS_OBJECT);
+ }
+
+ var datetime_alt_components = [
+ {field: "day", fmts: [[dF]]},
+ {field: "year", fmts: [[dW]]},
+ {field: "month", fmts: [[dB],[dG]]},
+ {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
+ {field: "hour", fmts: [[dN]]},
+ {field: "min", fmts: [[dU]]},
+ {field: "secs", fmts: [[dO]]},
+ {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
+ ];
+
+ function alternate_datetime(evt) {
+ if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
+ return;
+ }
+ var tzOffset = tz_offset;
+ if (tzOffset === "event") {
+
tzOffset = evt.Get("event.timezone");
+ }
+ var container = new DateContainer(tzOffset);
+ for (var i=0; i} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{p0}");
+
+ var dup5 = setc("eventcategory","1801000000");
+
+ var dup6 = setc("eventcategory","1801010000");
+
+ var dup7 = setc("eventcategory","1502000000");
+
+ var dup8 = setc("eventcategory","1805010000");
+
+ var dup9 = setc("eventcategory","1803000000");
+
+ var dup10 = setc("eventcategory","1803030000");
+
+ var dup11 = setc("disposition"," Successful");
+
+ var dup12 = setc("dclass_counter1_string"," Logon Attempt");
+
+ var dup13 = setc("eventcategory","1204000000");
+
+ var dup14 = date_time({
+ dest: "event_time",
+ args: ["fld20"],
+ fmts: [
+ [dD,dc("/"),dB,dc("/"),dW,dc(":"),dN,dc(":"),dU,dc(":"),dO],
+ ],
+ });
+
+ var dup15 = setc("eventcategory","1605000000");
+
+ var dup16 = setc("eventcategory","1612000000");
+
+ var dup17 = date_time({
+ dest: "event_time",
+ args: ["fld1","fld2","fld3"],
+ fmts: [
+ [dB,dF,dN,dc(":"),dU,dc(":"),dO],
+ ],
+ });
+
+ var dup18 = match("MESSAGE#0:01490502", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([
+ dup1,
+ dup2,
+ ]));
+
+ var dup19 = match("MESSAGE#58:crond:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([
+ dup15,
+ dup2,
+ ]));
+
+ var dup20 = match("MESSAGE#67:014d0001:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{info}", processor_chain([
+ dup5,
+ dup2,
+ ]));
+
+ var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}[%{hfld4}]: %{messageid}: %{payload}", processor_chain([
+ setc("header_id","0001"),
+ call({
+ dest: "nwparser.payload",
+ fn: STRCAT,
+
args: [
+ field("hmonth"),
+ constant(" "),
+ field("hdate"),
+ constant(" "),
+ field("htime"),
+ constant(" "),
+ field("hfld1"),
+ constant(" "),
+ field("hfld2"),
+ constant(" "),
+ field("hfld3"),
+ constant("["),
+ field("hfld4"),
+ constant("]: "),
+ field("messageid"),
+ constant(": "),
+ field("payload"),
+ ],
+ }),
+ ]));
+
+ var hdr2 = match("HEADER#1:0002", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}: %{messageid}: %{payload}", processor_chain([
+ setc("header_id","0002"),
+ call({
+ dest: "nwparser.payload",
+ fn: STRCAT,
+ args: [
+ field("hmonth"),
+ constant(" "),
+ field("hdate"),
+ constant(" "),
+ field("htime"),
+ constant(" "),
+ field("hfld1"),
+ constant(" "),
+ field("hfld2"),
+ constant(" "),
+ field("hfld3"),
+ constant(": "),
+ field("messageid"),
+ constant(": "),
+ field("payload"),
+ ],
+ }),
+ ]));
+
+ var hdr3 = match("HEADER#2:0003", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}: [%{messageid}]%{payload}", processor_chain([
+ setc("header_id","0003"),
+ call({
+ dest: "nwparser.payload",
+ fn: STRCAT,
+ args: [
+ field("hmonth"),
+ constant(" "),
+ field("hdate"),
+ constant(" "),
+ field("htime"),
+ constant(" "),
+ field("hfld1"),
+ constant(" "),
+ field("hfld2"),
+ constant(" "),
+ field("hfld3"),
+ constant(": ["),
+ field("messageid"),
+ constant("]"),
+ field("payload"),
+ ],
+ }),
+ ]));
+
+ var hdr4 = match("HEADER#3:0004", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]:%{payload}", processor_chain([
+ setc("header_id","0004"),
+ call({
+ dest: "nwparser.payload",
+ fn: STRCAT,
+ args: [
+ field("hmonth"),
+ constant(" "),
+ field("hdate"),
+ constant(" "),
+ field("htime"),
+ constant(" "),
+ field("hfld1"),
+ constant(" "),
+ field("hfld2"),
+ constant(" "),
+ field("messageid"),
+ constant("["),
+ field("hfld3"),
+ constant("]:"),
+ field("payload"),
+ ],
+ }),
+ ]));
+
+ var hdr5 = match("HEADER#4:0005",
"message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{messageid}:%{payload}", processor_chain([ + setc("header_id","0005"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("messageid"), + constant(":"), + field("payload"), + ], + }), + ])); + + var hdr6 = match("HEADER#5:0006", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}[%{hfld4}]: %{messageid->} /%{payload}", processor_chain([ + setc("header_id","0006"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant("["), + field("hfld4"), + constant("]: "), + field("messageid"), + constant(" /"), + field("payload"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + ]); + + var msg1 = msg("01490502", dup18); + + var part1 = match("MESSAGE#1:01490521", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Session statistics - bytes in:%{rbytes}, bytes out: %{sbytes}", processor_chain([ + dup3, + dup2, + ])); + + var msg2 = msg("01490521", part1); + + var part2 = match("MESSAGE#2:01490506", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Received User-Agent header: %{user_agent}", processor_chain([ + dup3, + dup2, + ])); + + var msg3 = msg("01490506", part2); + + var part3 = match("MESSAGE#3:01490113:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.network.name is 
%{fqdn}", processor_chain([ + dup3, + dup2, + ])); + + var msg4 = msg("01490113:01", part3); + + var part4 = match("MESSAGE#4:01490113:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.network.port is %{network_port}", processor_chain([ + dup3, + dup2, + ])); + + var msg5 = msg("01490113:02", part4); + + var part5 = match("MESSAGE#5:01490113:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.listener.name is %{service}", processor_chain([ + dup3, + dup2, + ])); + + var msg6 = msg("01490113:03", part5); + + var part6 = match("MESSAGE#6:01490113:04", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.network.protocol is %{network_service}", processor_chain([ + dup3, + dup2, + ])); + + var msg7 = msg("01490113:04", part6); + + var part7 = match("MESSAGE#7:01490113:05", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.user.agent is %{info}", processor_chain([ + dup3, + dup2, + ])); + + var msg8 = msg("01490113:05", part7); + + var part8 = match("MESSAGE#8:01490113:06", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.user.clientip is %{saddr}", processor_chain([ + dup3, + dup2, + ])); + + var msg9 = msg("01490113:06", part8); + + var part9 = match("MESSAGE#9:01490113", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.%{info}", processor_chain([ + dup3, + dup2, + ])); + + var msg10 = msg("01490113", part9); + + var select2 = linear_select([ + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + ]); + + var part10 = 
match("MESSAGE#10:01490010/1_0", "nwparser.p0", "%{fld10}:%{fld11}:%{sessionid}: Username '%{p0}"); + + var part11 = match("MESSAGE#10:01490010/1_1", "nwparser.p0", "%{sessionid}: Username '%{p0}"); + + var select3 = linear_select([ + part10, + part11, + ]); + + var part12 = match("MESSAGE#10:01490010/2", "nwparser.p0", "%{username}'"); + + var all1 = all_match({ + processors: [ + dup4, + select3, + part12, + ], + on_success: processor_chain([ + setc("eventcategory","1401000000"), + dup2, + ]), + }); + + var msg11 = msg("01490010", all1); + + var part13 = match("MESSAGE#11:01490009", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: ACL '%{policyname}' assigned", processor_chain([ + setc("eventcategory","1501020000"), + dup2, + ])); + + var msg12 = msg("01490009", part13); + + var part14 = match("MESSAGE#12:01490102", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Access policy result: %{result}", processor_chain([ + setc("eventcategory","1501000000"), + dup2, + ])); + + var msg13 = msg("01490102", part14); + + var part15 = match("MESSAGE#13:01490000:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{authmethod->} authentication for user %{username->} using config %{fld8}", processor_chain([ + dup5, + dup2, + ])); + + var msg14 = msg("01490000:02", part15); + + var part16 = match("MESSAGE#14:01490000:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: found HTTP %{resultcode->} in response header", processor_chain([ + dup6, + dup2, + ])); + + var msg15 = msg("01490000:01", part16); + + var part17 = match("MESSAGE#15:01490000", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: 
%{filename->} func: \"%{action}\" line: %{fld8->} Msg: %{result}", processor_chain([
+ dup5,
+ dup2,
+ ]));
+
+ var msg16 = msg("01490000", part17);
+
+ var part18 = match("MESSAGE#16:01490000:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{event_description}", processor_chain([
+ dup5,
+ dup2,
+ ]));
+
+ var msg17 = msg("01490000:03", part18);
+
+ var select4 = linear_select([
+ msg14,
+ msg15,
+ msg16,
+ msg17,
+ ]);
+
+ var part19 = match("MESSAGE#17:01490004", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Executed agent '%{application}', return value %{resultcode}", processor_chain([
+ dup5,
+ dup2,
+ ]));
+
+ var msg18 = msg("01490004", part19);
+
+ var part20 = match("MESSAGE#18:01490500/1_0", "nwparser.p0", "%{fld10}:%{fld11}:%{sessionid}: New session from client IP %{p0}");
+
+ var part21 = match("MESSAGE#18:01490500/1_1", "nwparser.p0", "%{sessionid}: New session from client IP %{p0}");
+
+ var select5 = linear_select([
+ part20,
+ part21,
+ ]);
+
+ var part22 = match("MESSAGE#18:01490500/2", "nwparser.p0", "%{saddr->} (ST=%{location_state}/CC=%{location_country}/C=%{location_city}) at VIP %{p0}");
+
+ var part23 = match("MESSAGE#18:01490500/3_0", "nwparser.p0", "%{daddr->} Listener %{fld8->} (Reputation=%{category})");
+
+ var part24 = match("MESSAGE#18:01490500/3_1", "nwparser.p0", "%{daddr->} Listener %{fld8}");
+
+ var part25 = match("MESSAGE#18:01490500/3_2", "nwparser.p0", "%{daddr}");
+
+ var select6 = linear_select([
+ part23,
+ part24,
+ part25,
+ ]);
+
+ var all2 = all_match({
+ processors: [
+ dup4,
+ select5,
+ part22,
+ select6,
+ ],
+ on_success: processor_chain([
+ dup3,
+ dup2,
+ ]),
+ });
+
+ var msg19 = msg("01490500", all2);
+
+ var part26 = match("MESSAGE#19:01490005", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: 
%{sessionid}: Following rule %{fld8->} from item %{fld9->} to ending %{fld10}", processor_chain([
+ dup7,
+ dup2,
+ ]));
+
+ var msg20 = msg("01490005", part26);
+
+ var part27 = match("MESSAGE#20:01490006", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{fld8->} from item '%{fld9}' to item '%{fld10}'", processor_chain([
+ dup7,
+ dup2,
+ ]));
+
+ var msg21 = msg("01490006", part27);
+
+ var part28 = match("MESSAGE#21:01490007", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Session variable '%{change_attribute}' set to %{change_new}", processor_chain([
+ dup7,
+ dup2,
+ ]));
+
+ var msg22 = msg("01490007", part28);
+
+ var part29 = match("MESSAGE#22:01490008", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Connectivity resource %{application->} assigned", processor_chain([
+ dup3,
+ dup2,
+ ]));
+
+ var msg23 = msg("01490008", part29);
+
+ var part30 = match("MESSAGE#23:01490514", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Access encountered error: %{result}. 
File: %(unknown), Function: %{action}, Line: %{fld9}", processor_chain([
+ dup6,
+ dup2,
+ ]));
+
+ var msg24 = msg("01490514", part30);
+
+ var part31 = match("MESSAGE#24:01490505", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([
+ dup5,
+ dup2,
+ ]));
+
+ var msg25 = msg("01490505", part31);
+
+ var msg26 = msg("01490501", dup18);
+
+ var msg27 = msg("01490520", dup18);
+
+ var part32 = match("MESSAGE#27:01490142", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([
+ setc("eventcategory","1609000000"),
+ dup2,
+ ]));
+
+ var msg28 = msg("01490142", part32);
+
+ var part33 = match("MESSAGE#28:01490504", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{fqdn->} can not be resolved.", processor_chain([
+ dup8,
+ dup2,
+ ]));
+
+ var msg29 = msg("01490504", part33);
+
+ var part34 = match("MESSAGE#29:01490538", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Configuration snapshot deleted by Access.", processor_chain([
+ dup8,
+ dup2,
+ ]));
+
+ var msg30 = msg("01490538", part34);
+
+ var part35 = match("MESSAGE#30:01490107:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{fld8}' failed: Clients credentials have been revoked, principal name: %{username}@%{fqdn}. 
%{result->} %{fld9}", processor_chain([ + dup9, + dup2, + ])); + + var msg31 = msg("01490107:01", part35); + + var part36 = match("MESSAGE#31:01490107", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed in %{action}: %{result->} %{fld8}", processor_chain([ + dup9, + dup2, + ])); + + var msg32 = msg("01490107", part36); + + var part37 = match("MESSAGE#32:01490107:02/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed: %{p0}"); + + var part38 = match("MESSAGE#32:01490107:02/1_0", "nwparser.p0", "Client '%{fqdn}' not found in Kerberos database, principal name:%{fld10->} %{p0}"); + + var part39 = match("MESSAGE#32:01490107:02/1_1", "nwparser.p0", "%{result->} %{p0}"); + + var select7 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#32:01490107:02/2", "nwparser.p0", "%{info}"); + + var all3 = all_match({ + processors: [ + part37, + select7, + part40, + ], + on_success: processor_chain([ + dup9, + dup2, + ]), + }); + + var msg33 = msg("01490107:02", all3); + + var select8 = linear_select([ + msg31, + msg32, + msg33, + ]); + + var part41 = match("MESSAGE#33:01490106", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed in %{action}: Preauthentication failed, principal name: %{fld8}. 
%{result->} %{fld9}", processor_chain([ + dup9, + dup2, + ])); + + var msg34 = msg("01490106", part41); + + var part42 = match("MESSAGE#34:01490106:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed: Preauthentication failed, principal name: %{fld8}. %{result->} %{fld9}", processor_chain([ + dup9, + dup2, + ])); + + var msg35 = msg("01490106:01", part42); + + var select9 = linear_select([ + msg34, + msg35, + ]); + + var part43 = match("MESSAGE#35:01490128", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Webtop %{application->} assigned", processor_chain([ + dup5, + dup2, + ])); + + var msg36 = msg("01490128", part43); + + var part44 = match("MESSAGE#36:01490101", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Access profile: %{fld8->} configuration has been applied. 
Newly active generation count is: %{dclass_counter1}", processor_chain([
+ dup10,
+ dup2,
+ setc("dclass_counter1_string","Newly active generation count"),
+ ]));
+
+ var msg37 = msg("01490101", part44);
+
+ var part45 = match("MESSAGE#37:01490103", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Retry Username '%{username}'", processor_chain([
+ dup10,
+ dup2,
+ ]));
+
+ var msg38 = msg("01490103", part45);
+
+ var part46 = match("MESSAGE#38:01490115", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{rulename->} from item %{fld9->} to terminalout %{fld10}", processor_chain([
+ dup7,
+ dup2,
+ ]));
+
+ var msg39 = msg("01490115", part46);
+
+ var part47 = match("MESSAGE#39:01490017", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Auth (logon attempt:%{dclass_counter1}): authenticate with '%{username}' successful", processor_chain([
+ dup7,
+ dup2,
+ dup11,
+ dup12,
+ ]));
+
+ var msg40 = msg("01490017", part47);
+
+ var part48 = match("MESSAGE#41:01490017:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Auth (logon attempt:%{dclass_counter1}): authenticate with '%{username}' failed", processor_chain([
+ dup7,
+ dup2,
+ setc("disposition"," Failed"),
+ dup12,
+ ]));
+
+ var msg41 = msg("01490017:01", part48);
+
+ var select10 = linear_select([
+ msg40,
+ msg41,
+ ]);
+
+ var part49 = match("MESSAGE#40:01490013", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Retrieving AAA server: %{fld8}", processor_chain([
+ dup7,
+ dup2,
+ ]));
+
+ var msg42 = msg("01490013", part49);
+
+ var part50 =
match("MESSAGE#42:01490019", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Query: query with '(sAMAccountName=%{username})' successful", processor_chain([ + dup7, + dup2, + dup11, + ])); + + var msg43 = msg("01490019", part50); + + var part51 = match("MESSAGE#43:01490544", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Received client info - %{web_referer}", processor_chain([ + dup7, + dup2, + ])); + + var msg44 = msg("01490544", part51); + + var part52 = match("MESSAGE#44:01490511", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Initializing Access profile %{fld8->} with max concurrent user sessions limit: %{dclass_counter1}", processor_chain([ + dup7, + dup2, + setc("dclass_counter1_string"," Max Concurrent User Sessions Limit"), + ])); + + var msg45 = msg("01490511", part52); + + var part53 = match("MESSAGE#45:014d0002", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: SSOv2 Logon succeeded, config %{fld8->} form %{fld9}", processor_chain([ + dup7, + dup2, + setc("disposition","Succeeded"), + ])); + + var msg46 = msg("014d0002", part53); + + var part54 = match("MESSAGE#46:014d0002:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: SSOv2 Logon failed, config %{fld8->} form %{fld9}", processor_chain([ + dup7, + dup2, + setc("disposition","Failed"), + ])); + + var msg47 = msg("014d0002:01", part54); + + var select11 = linear_select([ + msg46, + msg47, + ]); + + var part55 = match("MESSAGE#47:01490079", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: Access policy '%{fld8}' configuration has changed.Access 
profile '%{fld9}' configuration changes need to be applied for the new configuration", processor_chain([
+ dup7,
+ dup2,
+ ]));
+
+ var msg48 = msg("01490079", part55);
+
+ var part56 = match("MESSAGE#48:01490165", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Access profile: %{fld8->} initialized with configuration snapshot catalog: %{fld9}", processor_chain([
+ dup7,
+ dup2,
+ ]));
+
+ var msg49 = msg("01490165", part56);
+
+ var part57 = match("MESSAGE#49:01490166", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Current snapshot ID: %{fld8->} retrieved from session db for access profile: %{fld9}", processor_chain([
+ dup7,
+ dup2,
+ ]));
+
+ var msg50 = msg("01490166", part57);
+
+ var part58 = match("MESSAGE#50:01490167", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Current snapshot ID: %{fld8->} updated inside session db for access profile: %{fld9}", processor_chain([
+ dup7,
+ dup2,
+ ]));
+
+ var msg51 = msg("01490167", part58);
+
+ var part59 = match("MESSAGE#51:01490169", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Snapshot catalog entry: %{fld8->} added for access profile: %{fld9}", processor_chain([
+ dup7,
+ dup2,
+ ]));
+
+ var msg52 = msg("01490169", part59);
+
+ var part60 = match("MESSAGE#52:0149016a", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Initiating snapshot creation: %{fld8->} for access profile: %{fld9}", processor_chain([
+ dup7,
+ dup2,
+ ]));
+
+ var msg53 = msg("0149016a", part60);
+
+ var part61 = match("MESSAGE#53:0149016b", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Completed snapshot creation: %{fld8->} for access profile: %{fld9}", processor_chain([
+ dup7,
+ dup2,
+ ]));
+
+ var msg54 =
msg("0149016b", part61); + + var part62 = match("MESSAGE#54:ssl_acc/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}] %{saddr->} - %{p0}"); + + var part63 = match("MESSAGE#54:ssl_acc/1_0", "nwparser.p0", "- %{p0}"); + + var part64 = match("MESSAGE#54:ssl_acc/1_1", "nwparser.p0", "%{username->} %{p0}"); + + var select12 = linear_select([ + part63, + part64, + ]); + + var part65 = match("MESSAGE#54:ssl_acc/2", "nwparser.p0", "%{}[%{fld20->} %{timezone}] \"%{url}\" %{resultcode->} %{rbytes}"); + + var all4 = all_match({ + processors: [ + part62, + select12, + part65, + ], + on_success: processor_chain([ + dup13, + dup14, + dup2, + ]), + }); + + var msg55 = msg("ssl_acc", all4); + + var part66 = match("MESSAGE#55:ssl_req", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}]%{space}[%{fld20->} %{timezone}] %{saddr->} %{protocol->} %{encryption_type->} \"%{url}\" %{rbytes}", processor_chain([ + dup13, + dup14, + dup2, + ])); + + var msg56 = msg("ssl_req", part66); + + var part67 = match("MESSAGE#56:acc", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}]%{space}[%{fld20->} %{timezone}] \"%{web_method->} %{url->} %{version}\" %{resultcode->} %{rbytes->} \"%{fld7}\" \"%{user_agent}\"", processor_chain([ + dup13, + dup14, + dup2, + ])); + + var msg57 = msg("acc", part67); + + var part68 = match("MESSAGE#57:crond", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{username}(%{sessionid}): %{action}", processor_chain([ + dup15, + dup2, + ])); + + var msg58 = msg("crond", part68); + + var msg59 = msg("crond:01", dup19); + + var part69 = match("MESSAGE#59:crond:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) %{info}", processor_chain([ + dup15, + dup2, + ])); + + var msg60 = msg("crond:02", part69); + + var 
select13 = linear_select([
+ msg58,
+ msg59,
+ msg60,
+ ]);
+
+ var part70 = match("MESSAGE#60:sSMTP", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([
+ setc("eventcategory","1207000000"),
+ dup2,
+ ]));
+
+ var msg61 = msg("sSMTP", part70);
+
+ var part71 = match("MESSAGE#61:01420002", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{fld5}: AUDIT - pid=%{parent_pid->} user=%{username->} folder=%{directory->} module=%{fld6->} status=%{result->} cmd_data=%{info}", processor_chain([
+ dup16,
+ dup2,
+ ]));
+
+ var msg62 = msg("01420002", part71);
+
+ var part72 = match("MESSAGE#62:syslog-ng", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([
+ dup15,
+ dup2,
+ ]));
+
+ var msg63 = msg("syslog-ng", part72);
+
+ var part73 = match("MESSAGE#63:syslog-ng:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}: %{info}", processor_chain([
+ dup15,
+ dup2,
+ ]));
+
+ var msg64 = msg("syslog-ng:01", part73);
+
+ var select14 = linear_select([
+ msg63,
+ msg64,
+ ]);
+
+ var part74 = match("MESSAGE#64:auditd", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([
+ dup16,
+ dup2,
+ ]));
+
+ var msg65 = msg("auditd", part74);
+
+ var part75 = match("MESSAGE#65:014d0001", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: ssoMethod: %{authmethod->} usernameSource: %{fld9->} passwordSource: %{fld10->} ntlmdomain: %{c_domain}", processor_chain([
+ dup5,
+ dup2,
+ ]));
+
+ var msg66 = msg("014d0001", part75);
+
+ var part76 = match("MESSAGE#66:014d0001:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: ctx: %{fld9}, %{p0}");
+
+ var
part77 = match("MESSAGE#66:014d0001:01/1_0", "nwparser.p0", "SERVER %{p0}"); + + var part78 = match("MESSAGE#66:014d0001:01/1_1", "nwparser.p0", "CLIENT %{p0}"); + + var select15 = linear_select([ + part77, + part78, + ]); + + var part79 = match("MESSAGE#66:014d0001:01/2", "nwparser.p0", ": %{info}"); + + var all5 = all_match({ + processors: [ + part76, + select15, + part79, + ], + on_success: processor_chain([ + dup5, + dup2, + ]), + }); + + var msg67 = msg("014d0001:01", all5); + + var msg68 = msg("014d0001:02", dup20); + + var select16 = linear_select([ + msg66, + msg67, + msg68, + ]); + + var msg69 = msg("014d0044", dup20); + + var part80 = match("MESSAGE#69:01490549/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Assigned PPP Dynamic IPv4: %{stransaddr->} Tunnel Type: %{group->} %{fld8->} Resource: %{rulename->} Client IP: %{p0}"); + + var part81 = match("MESSAGE#69:01490549/1_0", "nwparser.p0", "%{saddr->} - %{fld9->} "); + + var part82 = match("MESSAGE#69:01490549/1_1", "nwparser.p0", " %{saddr}"); + + var select17 = linear_select([ + part81, + part82, + ]); + + var all6 = all_match({ + processors: [ + part80, + select17, + ], + on_success: processor_chain([ + dup3, + dup2, + ]), + }); + + var msg70 = msg("01490549", all6); + + var part83 = match("MESSAGE#70:01490547", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: Access Profile %{rulename}: %{result->} for %{saddr}", processor_chain([ + dup3, + dup2, + ])); + + var msg71 = msg("01490547", part83); + + var part84 = match("MESSAGE#71:01490517", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{result}", processor_chain([ + dup3, + dup2, + ])); + + var msg72 = msg("01490517", part84); + + var part85 = match("MESSAGE#72:011f0005", "nwparser.payload", "%{fld1->} %{fld2->} 
%{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{result->} (Client side: vip=%{url->} profile=%{protocol->} pool=%{fld8->} client_ip=%{saddr})", processor_chain([ + dup3, + dup2, + ])); + + var msg73 = msg("011f0005", part85); + + var part86 = match("MESSAGE#73:014d0048", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7->} %{rulename->} \u003c\u003c%{event_description}>: APM_EVENT=%{action->} | %{username->} | %{fld8->} ***%{result}***", processor_chain([ + dup3, + dup2, + ])); + + var msg74 = msg("014d0048", part86); + + var part87 = match("MESSAGE#74:error", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: [%{fld7}] [client %{saddr}] %{result}: %{url}", processor_chain([ + dup3, + dup2, + ])); + + var msg75 = msg("error", part87); + + var msg76 = msg("CROND:03", dup19); + + var part88 = match("MESSAGE#76:01260009", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]:%{fld7}:%{fld6}: Connection error:%{event_description}", processor_chain([ + dup6, + dup2, + ])); + + var msg77 = msg("01260009", part88); + + var part89 = match("MESSAGE#77:apmd:04", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: %{fld6->} - Hostname: %{shost->} Type: %{fld7->} Version: %{version->} Platform: %{os->} CPU: %{fld8->} Mode:%{fld9}", processor_chain([ + dup15, + dup2, + dup17, + ])); + + var msg78 = msg("apmd:04", part89); + + var part90 = match("MESSAGE#78:apmd:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: RADIUS module: parseResponse(): Access-Reject packet from host %{saddr}:%{sport->} %{fld7}", processor_chain([ + dup9, + dup2, + dup17, + ])); + + var msg79 = msg("apmd:03", part90); + + var 
part91 = match("MESSAGE#79:apmd:02/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: RADIUS module: authentication with '%{username}' failed: %{p0}"); + + var part92 = match("MESSAGE#79:apmd:02/1_0", "nwparser.p0", "%{fld6->} from host %{saddr}:%{sport->} %{fld7}"); + + var part93 = match("MESSAGE#79:apmd:02/1_1", "nwparser.p0", " %{fld8}"); + + var select18 = linear_select([ + part92, + part93, + ]); + + var all7 = all_match({ + processors: [ + part91, + select18, + ], + on_success: processor_chain([ + dup9, + dup2, + dup17, + ]), + }); + + var msg80 = msg("apmd:02", all7); + + var part94 = match("MESSAGE#80:apmd", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]:%{info}", processor_chain([ + dup15, + dup2, + dup17, + ])); + + var msg81 = msg("apmd", part94); + + var select19 = linear_select([ + msg78, + msg79, + msg80, + msg81, + ]); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "011f0005": msg73, + "01260009": msg77, + "01420002": msg62, + "01490000": select4, + "01490004": msg18, + "01490005": msg20, + "01490006": msg21, + "01490007": msg22, + "01490008": msg23, + "01490009": msg12, + "01490010": msg11, + "01490013": msg42, + "01490017": select10, + "01490019": msg43, + "01490079": msg48, + "01490101": msg37, + "01490102": msg13, + "01490103": msg38, + "01490106": select9, + "01490107": select8, + "01490113": select2, + "01490115": msg39, + "01490128": msg36, + "01490142": msg28, + "01490165": msg49, + "01490166": msg50, + "01490167": msg51, + "01490169": msg52, + "0149016a": msg53, + "0149016b": msg54, + "01490500": msg19, + "01490501": msg26, + "01490502": msg1, + "01490504": msg29, + "01490505": msg25, + "01490506": msg3, + "01490511": msg45, + "01490514": msg24, + "01490517": msg72, + "01490520": msg27, + "01490521": msg2, + "01490538": msg30, + "01490544": msg44, + "01490547": 
msg71, + "01490549": msg70, + "014d0001": select16, + "014d0002": select11, + "014d0044": msg69, + "CROND": msg76, + "Rule": msg74, + "acc": msg57, + "apmd": select19, + "auditd": msg65, + "crond": select13, + "error": msg75, + "sSMTP": msg61, + "ssl_acc": msg55, + "ssl_req": msg56, + "syslog-ng": select14, + }), + ]); + + var part95 = match("MESSAGE#10:01490010/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{p0}"); + + var part96 = match("MESSAGE#0:01490502", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + dup1, + dup2, + ])); + + var part97 = match("MESSAGE#58:crond:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ + dup15, + dup2, + ])); + + var part98 = match("MESSAGE#67:014d0001:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{info}", processor_chain([ + dup5, + dup2, + ])); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/f5/0.1.0/dataset/bigipapm/elasticsearch/ingest_pipeline/default.yml b/packages/f5/0.1.0/dataset/bigipapm/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 0000000000..0ea72c6ba4 --- /dev/null +++ b/packages/f5/0.1.0/dataset/bigipapm/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Big-IP Access Policy Manager
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/f5/0.1.0/dataset/bigipapm/fields/base-fields.yml b/packages/f5/0.1.0/dataset/bigipapm/fields/base-fields.yml
new file mode 100644
index 0000000000..b294eaf20e
--- /dev/null
+++ b/packages/f5/0.1.0/dataset/bigipapm/fields/base-fields.yml
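Review bot: The `on_failure` handler at the end of the pipeline only appends `error.message`, so an event that failed enrichment is indistinguishable from a successful one except by `exists: error.message`; adding a `set` step before the `append` with `field: event.kind` and `value: pipeline_error` makes failed documents filterable in detections and dashboards, and `event.kind` would then need an entry in fields/ecs.yml, which currently declares only `event.code`, `event.action`, `event.outcome`, `event.category` and `event.timezone`. Note also that the `geoip` processors carry `ignore_missing` but not `ignore_failure`; `source.ip` is populated from the parser's `saddr` capture, and the `01490549` patterns capture whatever follows "Client IP:", so if a non-IP value ever reaches `source.ip` the whole pipeline presumably takes the `on_failure` path and the event is stored with none of the geo or AS enrichment — worth either tolerating per processor or validating the value upstream. A short header comment such as `# Failed events keep error.message; geo/AS enrichment is best-effort and requires a valid IP in source.ip/destination.ip` would document this for the next maintainer.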
@@ -0,0 +1,26 @@
+- name: datastream.type
+ type: constant_keyword
+ description: Datastream type.
+- name: datastream.dataset
+ type: constant_keyword
+ description: Datastream dataset.
+- name: datastream.namespace
+ type: constant_keyword
+ description: Datastream namespace.
+
+- name: dataset.type
+ type: constant_keyword
+ description: >
+ Dataset type.
+- name: dataset.name
+ type: constant_keyword
+ description: >
+ Dataset name.
+- name: dataset.namespace
+ type: constant_keyword
+ description: >
+ Dataset namespace.
+- name: "@timestamp"
+ type: date
+ description: >
+ Event timestamp.
diff --git a/packages/f5/0.1.0/dataset/bigipapm/fields/ecs.yml b/packages/f5/0.1.0/dataset/bigipapm/fields/ecs.yml
new file mode 100644
index 0000000000..92af91c339
--- /dev/null
+++ b/packages/f5/0.1.0/dataset/bigipapm/fields/ecs.yml
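Review bot: Both the `datastream.*` and the `dataset.*` triplets are declared as `constant_keyword` with no indication of which one is canonical, so a reader cannot tell whether `dataset.*` is kept for compatibility or is still the field the rest of the package writes to. If the `datastream.*` group is meant to supersede the other (which the ordering suggests but the hunk does not state), a one-line comment above the `dataset.type` entry, e.g. `# Legacy names kept for compatibility; datastream.* is the current set`, would record the intent and make the eventual removal safe.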
@@ -0,0 +1,836 @@ +- name: log + type: group + fields: + - name: original + level: core + type: keyword + ignore_above: 1024 + description: 'This is the original log message and contains the full log message + before splitting it up in multiple parts. + + In contrast to the `message` field which can contain an extracted part of the + log message, this field contains the original, full log message. It can have + already some modifications applied like encoding or new lines removed to clean + up the log message. + + This field is not indexed and doc_values are disabled so it can''t be queried + but the value can be retrieved from `_source`.' + example: Sep 19 08:26:10 localhost My log + - name: level + level: core + type: keyword + ignore_above: 1024 + description: 'Original log level of the log event. + + If the source of the event provides a log level or textual severity, this is + the one that goes in `log.level`. If your source doesn''t specify one, you may + put your event transport''s severity here (e.g. Syslog severity). + + Some examples are `warn`, `err`, `i`, `informational`.' + example: error + - name: syslog + type: group + fields: + - name: priority + level: extended + type: long + format: string + description: 'Syslog numeric priority of the event, if available. + + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. + This number is therefore expected to contain a value between 0 and 191.' + example: 135 + - name: facility + type: group + fields: + - name: code + level: extended + type: long + format: string + description: 'The Syslog numeric facility of the log event, if available. + + According to RFCs 5424 and 3164, this value should be an integer between + 0 and 23.' + example: 23 + - name: severity + type: group + fields: + - name: code + level: extended + type: long + description: 'The Syslog numeric severity of the log event, if available. 
+ + If the event source publishing via Syslog provides a different numeric severity + value (e.g. firewall, IDS), your source''s numeric severity should go to + `event.severity`. If the event source does not specify a distinct severity, + you can optionally copy the Syslog severity to `event.severity`.' + example: 3 +- name: event + type: group + fields: + - name: code + level: extended + type: keyword + ignore_above: 1024 + description: 'Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, regardless + of message language or wording adjustments over time. An example of this is + the Windows Event ID.' + example: 4648 + - name: action + level: core + type: keyword + ignore_above: 1024 + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is normally + defined by the implementer.' + example: user-password-change + - name: outcome + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + lowest level in the ECS category hierarchy. + + `event.outcome` simply denotes whether the event represents a success or a failure + from the perspective of the entity that produced the event. + + Note that when a single transaction is described in multiple events, each event + may populate different values of `event.outcome`, according to their perspective. + + Also note that in the case of a compound event (a single event that contains + multiple logical events), this field should be populated with the value that + best captures the overall success or failure from the perspective of the event + producer. + + Further note that not all events will have an associated outcome. 
For example, + this field is generally not populated for metric events, events with `event.type:info`, + or any events for which an outcome does not make logical sense.' + example: success + - name: category + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as a + subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + - name: timezone + level: extended + type: keyword + ignore_above: 1024 + description: 'This field should be populated when the event''s timestamp does + not include timezone information already (e.g. default Syslog timestamps). It''s + optional otherwise. + + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated + (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' +- name: '@timestamp' + level: core + required: true + type: date + description: 'Date/time when the event originated. + + This is the date/time extracted from the event, typically representing when the + event was generated by the source. + + If the event source has no original timestamp, this value is typically populated + by the first time the event was received by the pipeline. + + Required field for all events.' + example: '2016-05-23T08:05:34.853Z' +- name: user + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. 
+ example: albert + - name: full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifiers of the user. +- name: message + level: core + type: text + description: 'For log events the message field contains the log message, optimized + for viewing in a log viewer. + + For structured logs without an original message field, other fields can be concatenated + to form a human-readable summary of the event. + + If multiple messages exist, they can be combined into one message.' + example: Hello World +- name: source + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the source. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the source. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the source. + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. 
internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Source domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: host + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified + domain name, or a name specified by the user. The sender decides which value + to use.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. +- name: destination + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the destination. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the destination. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event destination addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. 
You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the destination to the source. + example: 184 + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the destination. + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of destination based NAT sessions (e.g. internet + to private DMZ) + + Typically used with load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Port the source session is translated to by NAT Device. + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Destination domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: network + type: group + fields: + - name: protocol + level: core + type: keyword + ignore_above: 1024 + description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: http + - name: application + level: extended + type: keyword + ignore_above: 1024 + description: 'A name given to an application level protocol. This can be arbitrarily + assigned for things like microservices, but also apply to things like skype, + icq, facebook, twitter. 
This would be used in situations where the vendor or + service can be decoded such as from the source/dest IP owners, ports, or wire + format. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: aim + - name: interface + type: group + fields: + - type: keyword + name: name + - name: bytes + level: core + type: long + format: bytes + description: 'Total bytes transferred in both directions. + + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their + sum.' + example: 368 + - name: direction + level: core + type: keyword + ignore_above: 1024 + description: "Direction of the network traffic.\nRecommended values are:\n *\ + \ inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen mapping\ + \ events from a host-based monitoring context, populate this field from the\ + \ host's point of view.\nWhen mapping events from a network or perimeter-based\ + \ monitoring context, populate this field from the point of view of your network\ + \ perimeter." + example: inbound + - name: packets + level: core + type: long + description: 'Total packets transferred in both directions. + + If `source.packets` and `destination.packets` are known, `network.packets` is + their sum.' + example: 24 + - name: forwarded_ip + level: core + type: ip + description: Host IP address when the source IP address is the proxy. + example: 192.1.1.2 +- name: observer + type: group + fields: + - name: version + level: core + type: keyword + ignore_above: 1024 + description: Observer version. + - name: product + level: extended + type: keyword + ignore_above: 1024 + description: The product name of the observer. + example: s200 + - name: ingress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. 
+ example: eth0 + default_field: false + - name: egress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. + example: eth0 + default_field: false +- name: file + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. + example: example.png + - name: directory + level: extended + type: keyword + ignore_above: 1024 + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + - name: size + level: extended + type: long + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: File type (file, dir, or symlink). + example: file + - name: extension + level: extended + type: keyword + ignore_above: 1024 + description: File extension. + example: png + - name: path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + - name: attributes + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' 
+ example: '["readonly", "system"]' + default_field: false +- name: url + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + - name: query + level: extended + type: keyword + ignore_above: 1024 + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there is + no query field. If there is a `?` but no query, the query field exists with + an empty string. The `exists` query can be used to differentiate between the + two cases.' + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field.' + example: www.elastic.co + - name: path + level: extended + type: keyword + ignore_above: 1024 + description: Path of the request, such as "/search". + - name: top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for google.com is "com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). 
Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.google.com" is "google.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: google.com +- name: service + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the service data is collected from. + + The name of the service is normally user given. This allows for distributed + services that run on multiple hosts to correlate the related instances based + on the name. + + In the case of Elasticsearch the `service.name` could contain the cluster name. + For Beats the `service.name` is by default a copy of the `service.type` field + if no name is specified.' + example: elasticsearch-metrics +- name: server + type: group + fields: + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Server domain. +- name: process + type: group + fields: + - name: pid + level: core + type: long + format: string + description: Process id. + example: 4242 + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + - name: ppid + level: extended + type: long + format: string + description: Parent process' pid. 
+ example: 4241 + - name: parent + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' +- name: rule + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: The name of the rule or signature generating the event. + example: BLOCK_DNS_over_TLS + default_field: false +- name: user_agent + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Unparsed user_agent string. + example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 + (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 +- name: http + type: group + fields: + - name: response + type: group + fields: + - name: body + type: group + fields: + - name: content + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: The full HTTP response body. 
+ example: Hello world + - name: request + type: group + fields: + - name: referrer + level: extended + type: keyword + ignore_above: 1024 + description: Referrer for this HTTP request. + example: https://blog.example.com/ + - name: method + level: extended + type: keyword + ignore_above: 1024 + description: 'HTTP request method. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: get, post, put +- name: geo + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + - name: region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec +- name: dns + type: group + fields: + - name: question + type: group + fields: + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of record being queried. + example: AAAA + - name: answers + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'The domain name to which this resource record pertains. + + If a chain of CNAME is being resolved, each answer''s `name` should be the + one that corresponds with the answer''s `data`. It should not simply be the + original `question.name` repeated.' + example: www.google.com + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of data contained in this resource record. 
+ example: CNAME diff --git a/packages/f5/0.1.0/dataset/bigipapm/fields/fields.yml b/packages/f5/0.1.0/dataset/bigipapm/fields/fields.yml new file mode 100644 index 0000000000..2abc947fe7 --- /dev/null +++ b/packages/f5/0.1.0/dataset/bigipapm/fields/fields.yml 
@@ -0,0 +1,1939 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. 
+ - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a 
generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/packages/f5/0.1.0/dataset/bigipapm/manifest.yml b/packages/f5/0.1.0/dataset/bigipapm/manifest.yml new file mode 100644 index 0000000000..e59490bfd5 --- /dev/null +++ b/packages/f5/0.1.0/dataset/bigipapm/manifest.yml 
@@ -0,0 +1,155 @@
+title: Big-IP Access Policy Manager logs
+release: experimental
+type: logs
+streams:
+- input: udp
+ title: Big-IP Access Policy Manager logs
+ description: Collect Big-IP Access Policy Manager logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - f5-bigipapm
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9504
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: tcp
+ title: Big-IP Access Policy Manager logs
+ description: Collect Big-IP Access Policy Manager logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - f5-bigipapm
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9504
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser 
fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: file
+ title: Big-IP Access Policy Manager logs
+ description: Collect Big-IP Access Policy Manager logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/f5-bigipapm.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - f5-bigipapm
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
diff --git a/packages/f5/0.1.0/docs/README.md b/packages/f5/0.1.0/docs/README.md
new file mode 100644
index 0000000000..988c91c6fa
--- /dev/null
+++ b/packages/f5/0.1.0/docs/README.md
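Review bot: The `tcp` stream (and the `udp` one) expose only `tcp_host`/`tcp_port` and parser options with no `ssl` variable, so unless `tcp.yml.hbs` (not visible here) hard-codes TLS, the listener can only accept syslog in cleartext; APM logs carry usernames, client IPs and session identifiers, and a plaintext port reachable from the network also accepts spoofed or injected events from anything that can connect to it. Consider adding a `- name: ssl` / `type: yaml` / `title: SSL Configuration` var for the tcp stream that the template passes through to the input, and stating in the udp stream's description that UDP transport has no integrity or source authentication. The `localhost` defaults for `udp_host`/`tcp_host` are the right safe choice; their `title` text should say that setting them to `0.0.0.0` exposes the listener to the whole network.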
@@ -0,0 +1,780 @@
+# F5 integration
+
+This integration is for F5 device's logs. It includes the following
+datasets for receiving logs over syslog or read from a file:
+- `bigipapm` dataset: supports Big-IP Access Policy Manager logs.
+
+### Bigipapm
+
+The `bigipapm` dataset collects Big-IP Access Policy Manager logs.
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
+| dataset.name | Dataset name. | constant_keyword |
+| dataset.namespace | Dataset namespace. | constant_keyword |
+| dataset.type | Dataset type. | constant_keyword |
+| datastream.dataset | Datastream dataset. | constant_keyword |
+| datastream.namespace | Datastream namespace. | constant_keyword |
+| datastream.type | Datastream type. | constant_keyword |
+| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.bytes | Bytes sent from the destination to the source. | long |
+| destination.domain | Destination domain. | keyword |
+| destination.geo.city_name | City name. | keyword |
+| destination.geo.country_name | Country name. | keyword |
+| destination.geo.location.lat | | double |
+| destination.geo.location.lon | | double |
+| destination.ip | IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses. | ip |
+| destination.mac | MAC address of the destination. | keyword |
+| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. 
| keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| http.request.method | HTTP request method. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.body.content | The full HTTP response body. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. 
| keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | +| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.pid | Process id. | long | +| process.ppid | Parent process' pid. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. 
| keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is 
used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| rsa.crypto.ike | IKE negotiation phase. 
| keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | +| rsa.file.directory_dst | This key is used to capture the directory of the target process or file | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | +| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.event_desc | | keyword | +| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | +| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | +| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.inode | Deprecated key defined only in table map. | long | +| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | +| rsa.internal.level | Deprecated key defined only in table map. | long | +| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | +| rsa.internal.message | This key captures the contents of instant messages | keyword | +| rsa.internal.messageid | | keyword | +| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | +| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.site | Deprecated key defined only in table map. | keyword | +| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.statement | Deprecated key defined only in table map. | keyword | +| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | +| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | +| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | +| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | +| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | +| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | +| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | +| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | +| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | +| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | +| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | +| rsa.investigations.event_cat | This key captures the Event category number | long | +| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | +| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | +| rsa.investigations.inv_category | This used to capture investigation category | keyword | +| rsa.investigations.inv_context | This used to capture investigation context | keyword | +| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | +| rsa.misc.OS | This key captures the Name of the Operating System | keyword | +| rsa.misc.acl_id | | keyword | +| rsa.misc.acl_op | | keyword | +| rsa.misc.acl_pos | | keyword | +| rsa.misc.acl_table | | keyword | +| rsa.misc.action | | keyword | +| rsa.misc.admin | | keyword | +| rsa.misc.agent_id | This key is used to capture agent id | keyword | +| rsa.misc.alarm_id | | keyword | +| rsa.misc.alarmname | | keyword | +| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.app_id | | keyword | +| rsa.misc.audit | | keyword | +| rsa.misc.audit_object | | keyword | +| rsa.misc.auditdata | | keyword | +| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | +| rsa.misc.benchmark | | keyword | +| rsa.misc.bypass | | keyword | +| rsa.misc.cache | | keyword | +| rsa.misc.cache_hit | | keyword | +| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | +| rsa.misc.cc_number | Valid Credit Card Numbers only | long | +| rsa.misc.cefversion | | keyword | +| rsa.misc.cfg_attr | | keyword | +| rsa.misc.cfg_obj | | keyword | +| rsa.misc.cfg_path | | keyword | +| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | +| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | +| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | +| rsa.misc.changes | | keyword | +| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | +| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | +| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | +| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | +| rsa.misc.client_ip | | keyword | +| rsa.misc.clustermembers | | keyword | +| rsa.misc.cmd | | keyword | +| rsa.misc.cn_acttimeout | | keyword | +| rsa.misc.cn_asn_src | | keyword | +| rsa.misc.cn_bgpv4nxthop | | keyword | +| rsa.misc.cn_ctr_dst_code | | keyword | +| rsa.misc.cn_dst_tos | | keyword | +| rsa.misc.cn_dst_vlan | | keyword | +| rsa.misc.cn_engine_id | | keyword | +| rsa.misc.cn_engine_type | | keyword | +| rsa.misc.cn_f_switch | | keyword | +| rsa.misc.cn_flowsampid | | keyword | +| rsa.misc.cn_flowsampintv | | keyword | +| rsa.misc.cn_flowsampmode | | keyword | +| rsa.misc.cn_inacttimeout | | keyword | +| rsa.misc.cn_inpermbyts | | keyword | +| rsa.misc.cn_inpermpckts | | keyword | +| rsa.misc.cn_invalid | | keyword | +| rsa.misc.cn_ip_proto_ver | | keyword | +| rsa.misc.cn_ipv4_ident | | keyword | +| rsa.misc.cn_l_switch | | keyword | +| rsa.misc.cn_log_did | | keyword | +| rsa.misc.cn_log_rid | | keyword | +| rsa.misc.cn_max_ttl | | keyword | +| rsa.misc.cn_maxpcktlen | | keyword | +| rsa.misc.cn_min_ttl | | keyword | +| rsa.misc.cn_minpcktlen | | keyword | +| rsa.misc.cn_mpls_lbl_1 | | keyword | +| rsa.misc.cn_mpls_lbl_10 | | keyword | +| rsa.misc.cn_mpls_lbl_2 | | keyword | +| rsa.misc.cn_mpls_lbl_3 | | keyword | +| rsa.misc.cn_mpls_lbl_4 | | keyword | +| rsa.misc.cn_mpls_lbl_5 | 
| keyword | +| rsa.misc.cn_mpls_lbl_6 | | keyword | +| rsa.misc.cn_mpls_lbl_7 | | keyword | +| rsa.misc.cn_mpls_lbl_8 | | keyword | +| rsa.misc.cn_mpls_lbl_9 | | keyword | +| rsa.misc.cn_mplstoplabel | | keyword | +| rsa.misc.cn_mplstoplabip | | keyword | +| rsa.misc.cn_mul_dst_byt | | keyword | +| rsa.misc.cn_mul_dst_pks | | keyword | +| rsa.misc.cn_muligmptype | | keyword | +| rsa.misc.cn_sampalgo | | keyword | +| rsa.misc.cn_sampint | | keyword | +| rsa.misc.cn_seqctr | | keyword | +| rsa.misc.cn_spackets | | keyword | +| rsa.misc.cn_src_tos | | keyword | +| rsa.misc.cn_src_vlan | | keyword | +| rsa.misc.cn_sysuptime | | keyword | +| rsa.misc.cn_template_id | | keyword | +| rsa.misc.cn_totbytsexp | | keyword | +| rsa.misc.cn_totflowexp | | keyword | +| rsa.misc.cn_totpcktsexp | | keyword | +| rsa.misc.cn_unixnanosecs | | keyword | +| rsa.misc.cn_v6flowlabel | | keyword | +| rsa.misc.cn_v6optheaders | | keyword | +| rsa.misc.code | | keyword | +| rsa.misc.command | | keyword | +| rsa.misc.comments | Comment information provided in the log message | keyword | +| rsa.misc.comp_class | | keyword | +| rsa.misc.comp_name | | keyword | +| rsa.misc.comp_rbytes | | keyword | +| rsa.misc.comp_sbytes | | keyword | +| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | +| rsa.misc.connection_id | This key captures the Connection ID | keyword | +| rsa.misc.content | This key captures the content type from protocol headers | keyword | +| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | +| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | +| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | +| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | +| rsa.misc.context_target | | keyword | +| rsa.misc.count | | keyword | +| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | +| rsa.misc.cpu_data | | keyword | +| rsa.misc.criticality | | keyword | +| rsa.misc.cs_agency_dst | | keyword | +| rsa.misc.cs_analyzedby | | keyword | +| rsa.misc.cs_av_other | | keyword | +| rsa.misc.cs_av_primary | | keyword | +| rsa.misc.cs_av_secondary | | keyword | +| rsa.misc.cs_bgpv6nxthop | | keyword | +| rsa.misc.cs_bit9status | | keyword | +| rsa.misc.cs_context | | keyword | +| rsa.misc.cs_control | | keyword | +| rsa.misc.cs_data | | keyword | +| rsa.misc.cs_datecret | | keyword | +| rsa.misc.cs_dst_tld | | keyword | +| rsa.misc.cs_eth_dst_ven | | keyword | +| rsa.misc.cs_eth_src_ven | | keyword | +| rsa.misc.cs_event_uuid | | keyword | +| rsa.misc.cs_filetype | | keyword | +| rsa.misc.cs_fld | | keyword | +| rsa.misc.cs_if_desc | | keyword | +| rsa.misc.cs_if_name | | keyword | +| rsa.misc.cs_ip_next_hop | | keyword | +| rsa.misc.cs_ipv4dstpre | | keyword | +| rsa.misc.cs_ipv4srcpre | | keyword | +| rsa.misc.cs_lifetime | | keyword | +| rsa.misc.cs_log_medium | | keyword | +| rsa.misc.cs_loginname | | keyword | +| rsa.misc.cs_modulescore | | keyword | +| rsa.misc.cs_modulesign | | keyword | +| rsa.misc.cs_opswatresult | | keyword | +| rsa.misc.cs_payload | | keyword | +| rsa.misc.cs_registrant | | keyword | +| rsa.misc.cs_registrar | | keyword | +| rsa.misc.cs_represult | | keyword | +| rsa.misc.cs_rpayload | | keyword | +| rsa.misc.cs_sampler_name | | keyword | +| rsa.misc.cs_sourcemodule | | keyword | +| rsa.misc.cs_streams | | keyword | +| rsa.misc.cs_targetmodule | | keyword | +| rsa.misc.cs_v6nxthop | | keyword | +| rsa.misc.cs_whois_server | | keyword | +| rsa.misc.cs_yararesult | | keyword | +| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | +| rsa.misc.data_type | | keyword | +| rsa.misc.description | | keyword | +| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | +| rsa.misc.devvendor | | keyword | +| rsa.misc.disposition | This key captures the The end state of an action. | keyword | +| rsa.misc.distance | | keyword | +| rsa.misc.doc_number | This key captures File Identification number | long | +| rsa.misc.dstburb | | keyword | +| rsa.misc.edomain | | keyword | +| rsa.misc.edomaub | | keyword | +| rsa.misc.ein_number | Employee Identification Numbers only | long | +| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | +| rsa.misc.euid | | keyword | +| rsa.misc.event_category | | keyword | +| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | +| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | +| rsa.misc.event_id | | keyword | +| rsa.misc.event_log | This key captures the Name of the event log | keyword | +| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | +| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | +| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | +| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | +| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | +| rsa.misc.facility | | keyword | +| rsa.misc.facilityname | | keyword | +| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | +| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | +| rsa.misc.finterface | | keyword | +| rsa.misc.flags | | keyword | +| rsa.misc.forensic_info | | keyword | +| rsa.misc.found | This is used to capture the results of regex match | keyword | +| rsa.misc.fresult | This key captures the Filter Result | long | +| rsa.misc.gaddr | | keyword | +| rsa.misc.group | This key captures the Group Name value | keyword | +| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | +| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | +| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | +| rsa.misc.id3 | | keyword | +| rsa.misc.im_buddyid | | keyword | +| rsa.misc.im_buddyname | | keyword | +| rsa.misc.im_client | | keyword | +| rsa.misc.im_croomid | | keyword | +| rsa.misc.im_croomtype | | keyword | +| rsa.misc.im_members | | keyword | +| rsa.misc.im_userid | | keyword | +| rsa.misc.im_username | | keyword | +| rsa.misc.index | | keyword | +| rsa.misc.inout | | keyword | +| rsa.misc.ipkt | | keyword | +| rsa.misc.ipscat | | keyword | +| rsa.misc.ipspri | | keyword | +| rsa.misc.job_num | This key captures the Job Number | keyword | +| rsa.misc.jobname | | keyword | +| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | +| rsa.misc.latitude | | keyword | +| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | +| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | +| rsa.misc.linenum | | keyword | +| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.misc.list_name | | keyword | +| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | +| rsa.misc.load_data | | keyword | +| rsa.misc.location_floor | | keyword | +| rsa.misc.location_mark | | keyword | +| rsa.misc.log_id | | keyword | +| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | +| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | +| rsa.misc.log_type | | keyword | +| rsa.misc.logid | | keyword | +| rsa.misc.logip | | keyword | +| rsa.misc.logname | | keyword | +| rsa.misc.longitude | | keyword | +| rsa.misc.lport | | keyword | +| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | +| rsa.misc.match | This key is for regex match name from search.ini | keyword | +| rsa.misc.mbug_data | | keyword | +| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | +| rsa.misc.misc | | keyword | +| rsa.misc.misc_name | | keyword | +| rsa.misc.mode | | keyword | +| rsa.misc.msgIdPart1 | | keyword | +| rsa.misc.msgIdPart2 | | keyword | +| rsa.misc.msgIdPart3 | | keyword | +| rsa.misc.msgIdPart4 | | keyword | +| rsa.misc.msg_type | | keyword | +| rsa.misc.msgid | | keyword | +| rsa.misc.name | | keyword | +| rsa.misc.netsessid | | keyword | +| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long 
| +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target **VMWARE** only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | +| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | +| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | +| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | +| rsa.threat.alert | This key is used to capture name of the alert | keyword | +| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | +| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | +| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | +| rsa.time.date | | keyword | +| rsa.time.datetime | | keyword | +| rsa.time.day | | keyword | +| rsa.time.duration_str | A text string version of the duration | keyword | +| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | +| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | +| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | +| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | +| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | +| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | +| rsa.time.eventtime | | keyword | +| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | +| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | +| rsa.time.gmtdate | | keyword | +| rsa.time.gmttime | | keyword | +| rsa.time.hour | | keyword | +| rsa.time.min | | keyword | +| rsa.time.month | | keyword | +| rsa.time.p_date | | keyword | +| rsa.time.p_month | | keyword | +| rsa.time.p_time | | keyword | +| rsa.time.p_time1 | | keyword | +| rsa.time.p_time2 | | keyword | +| rsa.time.p_year | | keyword | +| rsa.time.process_time | Deprecated, use duration.time | keyword | +| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | +| rsa.time.stamp | Deprecated key defined only in table map. | date | +| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | +| rsa.time.timestamp | | keyword | +| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | +| rsa.time.tzone | | keyword | +| rsa.time.year | | keyword | +| rsa.web.alias_host | | keyword | +| rsa.web.cn_asn_dst | | keyword | +| rsa.web.cn_rpackets | | keyword | +| rsa.web.fqdn | Fully Qualified Domain Names | keyword | +| rsa.web.p_url | | keyword | +| rsa.web.p_user_agent | | keyword | +| rsa.web.p_web_cookie | | keyword | +| rsa.web.p_web_method | | keyword | +| rsa.web.p_web_referer | | keyword | +| rsa.web.remote_domain | | keyword | +| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | +| rsa.web.urlpage | | keyword | +| rsa.web.urlroot | | keyword | +| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | Server domain. | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | Source domain. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location.lat | | double | +| source.geo.location.lon | | double | +| source.ip | IP address of the source. Can be one or multiple IPv4 or IPv6 addresses. 
| ip | +| source.mac | MAC address of the source. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword | +| url.path | Path of the request, such as "/search". | keyword | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.id | Unique identifiers of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user_agent.original | Unparsed user_agent string. | keyword |
diff --git a/packages/f5/0.1.0/img/logo.svg b/packages/f5/0.1.0/img/logo.svg
new file mode 100644
index 0000000000..d985bde962
--- /dev/null
+++ b/packages/f5/0.1.0/img/logo.svg
@@ -0,0 +1 @@
+Asset 1
\ No newline at end of file
diff --git a/packages/f5/0.1.0/manifest.yml b/packages/f5/0.1.0/manifest.yml
new file mode 100644
index 0000000000..664a4775ef
--- /dev/null
+++ b/packages/f5/0.1.0/manifest.yml
@@ -0,0 +1,36 @@
+format_version: 1.0.0
+name: f5
+title: Big-IP Access Policy Manager
+version: 0.1.0
+description: Big-IP Access Policy Manager Integration
+categories: ["network","security"]
+release: experimental
+removable: true
+license: basic
+type: integration
+conditions:
+ kibana:
+ version: '>=7.9.0'
+ elasticsearch:
+ version: '>=7.9.0'
+config_templates:
+- name: bigipapm
+ title: Big-IP Access Policy Manager
+ description: Collect Big-IP Access Policy Manager logs from syslog or a file.
+ inputs:
+ - type: udp
+ title: Collect logs from Big-IP Access Policy Manager via UDP
+ description: Collecting syslog from Big-IP Access Policy Manager via UDP
+ - type: tcp
+ title: Collect logs from Big-IP Access Policy Manager via TCP
+ description: Collecting syslog from Big-IP Access Policy Manager via TCP
+ - type: file
+ title: Collect logs from Big-IP Access Policy Manager via file
+ description: Collecting syslog from Big-IP Access Policy Manager via file.
+# No icon
+icons:
+ - src: /img/logo.svg
+ title: Big-IP Access Policy Manager logo
+ size: 32x32
+ type: image/svg+xml
+
diff --git a/packages/imperva/0.1.0/dataset/securesphere/agent/stream/stream.yml.hbs b/packages/imperva/0.1.0/dataset/securesphere/agent/stream/stream.yml.hbs
new file mode 100644
index 0000000000..bbfbeb5ea8
--- /dev/null
+++ b/packages/imperva/0.1.0/dataset/securesphere/agent/stream/stream.yml.hbs
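Review bot: The `# No icon` comment directly above `icons:` contradicts the block it annotates, which registers `/img/logo.svg` as the package logo; drop that line so the manifest does not claim an icon is missing when one is declared right below. The same hunk is inconsistent in punctuation across the three input entries: only `description: Collecting syslog from Big-IP Access Policy Manager via file.` ends with a period, so either add it to the UDP and TCP descriptions or remove it here.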
@@ -0,0 +1,2695 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Imperva"
+ product: "Secure"
+ type: "WAF"
+publisher_pipeline.disable_host: true
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{rsa_fields}}
+ tz_offset: {{tz_offset}}
+ keep_raw: {{keep_raw_fields}}
+ debug: {{debug}}
+ source: |
+ // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ // or more contributor license agreements. Licensed under the Elastic License;
+ // you may not use this file except in compliance with the Elastic License.
+
+ /* jshint -W014,-W016,-W097,-W116 */
+
+ var processor = require("processor");
+ var console = require("console");
+
+ var FLAG_FIELD = "log.flags";
+ var FIELDS_OBJECT = "nwparser";
+ var FIELDS_PREFIX = FIELDS_OBJECT + ".";
+
+ var defaults = {
+ debug: false,
+ ecs: true,
+ rsa: false,
+ keep_raw: false,
+ tz_offset: "local",
+ strip_priority: true
+ };
+
+ var saved_flags = null;
+ var debug;
+ var map_ecs;
+ var map_rsa;
+ var keep_raw;
+ var device;
+ var tz_offset;
+ var strip_priority;
+
+ // Register params from configuration.
+ function register(params) {
+ debug = params.debug !== undefined ? params.debug : defaults.debug;
+ map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
+ map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
+ keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
+ tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
+ strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority;
+ device = new DeviceProcessor();
+ }
+
+ function parse_tz_offset(offset) {
+ var date;
+ var m;
+ switch(offset) {
+ // local uses the tz offset from the JS VM.
+ case "local":
+ date = new Date();
+ // Reversing the sign as we the offset from UTC, not to UTC.
+ return parse_local_tz_offset(-date.getTimezoneOffset());
+ // event uses the tz offset from event.timezone (add_locale processor).
+ case "event":
+ return offset;
+ // Otherwise a tz offset in the form "[+-][0-9]{4}" is required.
+ default:
+ m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/);
+ if (m === null || m.length !== 4) {
+ throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM");
+ }
+ return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00");
+ }
+ }
+
+ function parse_local_tz_offset(minutes) {
+ var neg = minutes < 0;
+ minutes = Math.abs(minutes);
+ var min = minutes % 60;
+ var hours = Math.floor(minutes / 60);
+ var pad2digit = function(n) {
+ if (n < 10) { return "0" + n;}
+ return "" + n;
+ };
+ return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min);
+ }
+
+ function process(evt) {
+ // Function register is only called by the processor when `params` are set
+ // in the processor config.
+ if (device === undefined) {
+ register(defaults);
+ }
+ return device.process(evt);
+ }
+
+ function processor_chain(subprocessors) {
+ var builder = new processor.Chain();
+ subprocessors.forEach(builder.Add);
+ return builder.Build().Run;
+ }
+
+ function linear_select(subprocessors) {
+ return function (evt) {
+ var flags = evt.Get(FLAG_FIELD);
+ var i;
+ for (i = 0; i < subprocessors.length; i++) {
+ evt.Delete(FLAG_FIELD);
+ if (debug) console.warn("linear_select trying entry " + i);
+ subprocessors[i](evt);
+ // Dissect processor succeeded?
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld79->} %{fld80->} %{fld81->} %{timezone->} %{fld82},updateTime=%{fld8},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=\"%{action}\",errormsg=\"%{result}\"", processor_chain([ + dup1, + dup2, + dup3, + ])); + + var msg1 = msg("IMPERVA_ALERT:02", part1); + + var part2 = match("MESSAGE#1:IMPERVA_ALERT", "nwparser.payload", "alert#=%{operation_id},event#=%{fld7},createTime=%{fld79},updateTime=%{fld80},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=\"%{action}\",errormsg=\"%{result}\"", 
processor_chain([ + dup1, + dup4, + dup3, + ])); + + var msg2 = msg("IMPERVA_ALERT", part2); + + var part3 = match("MESSAGE#2:IMPERVA_ALERT:03", "nwparser.payload", "alert#=%{operation_id},event#=%{fld7},createTime=%{fld78->} %{fld79->} %{fld80->} %{fld81->} %{timezone->} %{fld82},updateTime=%{fld8},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=%{action}", processor_chain([ + dup1, + dup2, + dup3, + ])); + + var msg3 = msg("IMPERVA_ALERT:03", part3); + + var part4 = match("MESSAGE#3:IMPERVA_ALERT:01", "nwparser.payload", 
"alert#=%{operation_id},event#=%{fld7},createTime=%{fld79},updateTime=%{fld80},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=%{action}", processor_chain([ + dup1, + dup4, + dup3, + ])); + + var msg4 = msg("IMPERVA_ALERT:01", part4); + + var part5 = match("MESSAGE#4:IMPERVA_EVENT:01", "nwparser.payload", "event#=%{fld77},createTime=%{fld78->} %{fld79->} %{fld80->} %{fld81->} %{timezone->} %{fld82},eventType=%{event_type},eventSev=%{severity},username=%{username},subsystem=%{fld7},message=\"%{event_description}\"", processor_chain([ + dup5, + dup2, + dup3, + ])); + + var msg5 = msg("IMPERVA_EVENT:01", part5); + + var part6 = match("MESSAGE#5:IMPERVA_EVENT", "nwparser.payload", "event#=%{fld77},createTime=%{fld79},eventType=%{event_type},eventSev=%{severity},username=%{username},subsystem=%{fld7},message=\"%{event_description}\"", processor_chain([ + dup5, + dup4, + dup3, + ])); + + var msg6 = msg("IMPERVA_EVENT", part6); + + var part7 = match("MESSAGE#6:IMPERVA_DATABASE_ACTIVITY:03", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} 
%{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + dup3, + dup13, + ])); + + var msg7 = msg("IMPERVA_DATABASE_ACTIVITY:03", part7); + + var part8 = match("MESSAGE#7:IMPERVA_DATABASE_ACTIVITY:06", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup14, + dup7, + dup8, + dup9, + dup15, + dup11, + dup12, + dup3, + dup13, + ])); + + var msg8 = msg("IMPERVA_DATABASE_ACTIVITY:06", part8); + + var part9 = match("MESSAGE#8:IMPERVA_DATABASE_ACTIVITY:01", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup16, + dup3, + dup13, + ])); + + var msg9 
= msg("IMPERVA_DATABASE_ACTIVITY:01", part9); + + var part10 = match("MESSAGE#9:IMPERVA_DATABASE_ACTIVITY:07", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup14, + dup7, + dup8, + dup9, + dup15, + dup11, + dup16, + dup3, + dup13, + ])); + + var msg10 = msg("IMPERVA_DATABASE_ACTIVITY:07", part10); + + var part11 = match("MESSAGE#10:IMPERVA_DATABASE_ACTIVITY:04", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup17, + dup7, + dup18, + dup9, + dup10, + dup19, + dup12, + dup3, + dup13, + ])); + + var msg11 = msg("IMPERVA_DATABASE_ACTIVITY:04", part11); + + var part12 = match("MESSAGE#11:IMPERVA_DATABASE_ACTIVITY:08", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} 
%{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup17, + dup7, + dup18, + dup9, + dup15, + dup19, + dup12, + dup3, + dup13, + ])); + + var msg12 = msg("IMPERVA_DATABASE_ACTIVITY:08", part12); + + var part13 = match("MESSAGE#12:IMPERVA_DATABASE_ACTIVITY:02", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup17, + dup7, + dup18, + dup9, + dup10, + dup19, + dup4, + dup3, + dup13, + ])); + + var msg13 = msg("IMPERVA_DATABASE_ACTIVITY:02", part13); + + var part14 = match("MESSAGE#13:IMPERVA_DATABASE_ACTIVITY:09", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup17, + dup7, + dup18, + dup9, + dup15, + dup19, + dup4, + dup3, + dup13, + ])); + + var msg14 = 
msg("IMPERVA_DATABASE_ACTIVITY:09", part14);
+
+ var part15 = match("MESSAGE#14:IMPERVA_DATABASE_ACTIVITY:10", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Query,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86}", processor_chain([
+ dup17,
+ dup20,
+ dup12,
+ dup3,
+ dup13,
+ ]));
+
+ var msg15 = msg("IMPERVA_DATABASE_ACTIVITY:10", part15);
+
+ var part16 = match("MESSAGE#15:IMPERVA_DATABASE_ACTIVITY:11", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Query,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86}", processor_chain([
+ dup17,
+ dup20,
+ dup12,
+ dup3,
+ dup13,
+ ]));
+
+ var msg16 = msg("IMPERVA_DATABASE_ACTIVITY:11", part16);
+
+ var part17 = match("MESSAGE#16:IMPERVA_DATABASE_ACTIVITY:12", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},srvGroup=%{group_object},service=%{service},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=%{fld99},application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result}", processor_chain([
+ setc("eventcategory","1401050200"),
+ dup20,
+ dup12,
+ dup3,
+ dup13,
+ ]));
+
+ var msg17 = msg("IMPERVA_DATABASE_ACTIVITY:12", part17);
+
+ var part18 = match("MESSAGE#17:IMPERVA_DATABASE_ACTIVITY", 
"nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=%{event_type},usrGroup=%{group},usrAuth=%{fld83},application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([
+ setc("eventcategory","1206000000"),
+ dup4,
+ dup3,
+ dup13,
+ ]));
+
+ var msg18 = msg("IMPERVA_DATABASE_ACTIVITY", part18);
+
+ var select2 = linear_select([
+ msg1,
+ msg2,
+ msg3,
+ msg4,
+ msg5,
+ msg6,
+ msg7,
+ msg8,
+ msg9,
+ msg10,
+ msg11,
+ msg12,
+ msg13,
+ msg14,
+ msg15,
+ msg16,
+ msg17,
+ msg18,
+ ]);
+
+ var chain1 = processor_chain([
+ select1,
+ msgid_select({
+ "Imperva": select2,
+ }),
+ ]);
+
+- community_id:
+- add_locale: ~
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/packages/imperva/0.1.0/dataset/securesphere/agent/stream/tcp.yml.hbs b/packages/imperva/0.1.0/dataset/securesphere/agent/stream/tcp.yml.hbs
new file mode 100644
index 0000000000..4e8af5be8f
--- /dev/null
+++ b/packages/imperva/0.1.0/dataset/securesphere/agent/stream/tcp.yml.hbs
@@ -0,0 +1,2692 @@
+tcp:
+host: "{{tcp_host}}:{{tcp_port}}"
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Imperva"
+ product: "Secure"
+ type: "WAF"
+publisher_pipeline.disable_host: true
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{rsa_fields}}
+ tz_offset: {{tz_offset}}
+ keep_raw: {{keep_raw_fields}}
+ debug: {{debug}}
+ source: |
+ // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ // or more contributor license agreements. Licensed under the Elastic License;
+ // you may not use this file except in compliance with the Elastic License.
+
+ /* jshint -W014,-W016,-W097,-W116 */
+
+ var processor = require("processor");
+ var console = require("console");
+
+ var FLAG_FIELD = "log.flags";
+ var FIELDS_OBJECT = "nwparser";
+ var FIELDS_PREFIX = FIELDS_OBJECT + ".";
+
+ var defaults = {
+ debug: false,
+ ecs: true,
+ rsa: false,
+ keep_raw: false,
+ tz_offset: "local",
+ strip_priority: true
+ };
+
+ var saved_flags = null;
+ var debug;
+ var map_ecs;
+ var map_rsa;
+ var keep_raw;
+ var device;
+ var tz_offset;
+ var strip_priority;
+
+ // Register params from configuration.
+ function register(params) {
+ debug = params.debug !== undefined ? params.debug : defaults.debug;
+ map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
+ map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
+ keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
+ tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
+ strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority;
+ device = new DeviceProcessor();
+ }
+
+ function parse_tz_offset(offset) {
+ var date;
+ var m;
+ switch(offset) {
+ // local uses the tz offset from the JS VM.
+ case "local":
+ date = new Date();
+ // Reversing the sign as we the offset from UTC, not to UTC.
+ return parse_local_tz_offset(-date.getTimezoneOffset());
+ // event uses the tz offset from event.timezone (add_locale processor).
+ case "event":
+ return offset;
+ // Otherwise a tz offset in the form "[+-][0-9]{4}" is required.
+ default:
+ m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/);
+ if (m === null || m.length !== 4) {
+ throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM");
+ }
+ return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00");
+ }
+ }
+
+ function parse_local_tz_offset(minutes) {
+ var neg = minutes < 0;
+ minutes = Math.abs(minutes);
+ var min = minutes % 60;
+ var hours = Math.floor(minutes / 60);
+ var pad2digit = function(n) {
+ if (n < 10) { return "0" + n;}
+ return "" + n;
+ };
+ return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min);
+ }
+
+ function process(evt) {
+ // Function register is only called by the processor when `params` are set
+ // in the processor config.
+ if (device === undefined) {
+ register(defaults);
+ }
+ return device.process(evt);
+ }
+
+ function processor_chain(subprocessors) {
+ var builder = new processor.Chain();
+ subprocessors.forEach(builder.Add);
+ return builder.Build().Run;
+ }
+
+ function linear_select(subprocessors) {
+ return function (evt) {
+ var flags = evt.Get(FLAG_FIELD);
+ var i;
+ for (i = 0; i < subprocessors.length; i++) {
+ evt.Delete(FLAG_FIELD);
+ if (debug) console.warn("linear_select trying entry " + i);
+ subprocessors[i](evt);
+ // Dissect processor succeeded?
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld79->} %{fld80->} %{fld81->} %{timezone->} %{fld82},updateTime=%{fld8},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=\"%{action}\",errormsg=\"%{result}\"", processor_chain([ + dup1, + dup2, + dup3, + ])); + + var msg1 = msg("IMPERVA_ALERT:02", part1); + + var part2 = match("MESSAGE#1:IMPERVA_ALERT", "nwparser.payload", "alert#=%{operation_id},event#=%{fld7},createTime=%{fld79},updateTime=%{fld80},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=\"%{action}\",errormsg=\"%{result}\"", 
processor_chain([ + dup1, + dup4, + dup3, + ])); + + var msg2 = msg("IMPERVA_ALERT", part2); + + var part3 = match("MESSAGE#2:IMPERVA_ALERT:03", "nwparser.payload", "alert#=%{operation_id},event#=%{fld7},createTime=%{fld78->} %{fld79->} %{fld80->} %{fld81->} %{timezone->} %{fld82},updateTime=%{fld8},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=%{action}", processor_chain([ + dup1, + dup2, + dup3, + ])); + + var msg3 = msg("IMPERVA_ALERT:03", part3); + + var part4 = match("MESSAGE#3:IMPERVA_ALERT:01", "nwparser.payload", 
"alert#=%{operation_id},event#=%{fld7},createTime=%{fld79},updateTime=%{fld80},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=%{action}", processor_chain([ + dup1, + dup4, + dup3, + ])); + + var msg4 = msg("IMPERVA_ALERT:01", part4); + + var part5 = match("MESSAGE#4:IMPERVA_EVENT:01", "nwparser.payload", "event#=%{fld77},createTime=%{fld78->} %{fld79->} %{fld80->} %{fld81->} %{timezone->} %{fld82},eventType=%{event_type},eventSev=%{severity},username=%{username},subsystem=%{fld7},message=\"%{event_description}\"", processor_chain([ + dup5, + dup2, + dup3, + ])); + + var msg5 = msg("IMPERVA_EVENT:01", part5); + + var part6 = match("MESSAGE#5:IMPERVA_EVENT", "nwparser.payload", "event#=%{fld77},createTime=%{fld79},eventType=%{event_type},eventSev=%{severity},username=%{username},subsystem=%{fld7},message=\"%{event_description}\"", processor_chain([ + dup5, + dup4, + dup3, + ])); + + var msg6 = msg("IMPERVA_EVENT", part6); + + var part7 = match("MESSAGE#6:IMPERVA_DATABASE_ACTIVITY:03", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} 
%{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + dup3, + dup13, + ])); + + var msg7 = msg("IMPERVA_DATABASE_ACTIVITY:03", part7); + + var part8 = match("MESSAGE#7:IMPERVA_DATABASE_ACTIVITY:06", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup14, + dup7, + dup8, + dup9, + dup15, + dup11, + dup12, + dup3, + dup13, + ])); + + var msg8 = msg("IMPERVA_DATABASE_ACTIVITY:06", part8); + + var part9 = match("MESSAGE#8:IMPERVA_DATABASE_ACTIVITY:01", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup16, + dup3, + dup13, + ])); + + var msg9 
= msg("IMPERVA_DATABASE_ACTIVITY:01", part9); + + var part10 = match("MESSAGE#9:IMPERVA_DATABASE_ACTIVITY:07", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup14, + dup7, + dup8, + dup9, + dup15, + dup11, + dup16, + dup3, + dup13, + ])); + + var msg10 = msg("IMPERVA_DATABASE_ACTIVITY:07", part10); + + var part11 = match("MESSAGE#10:IMPERVA_DATABASE_ACTIVITY:04", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup17, + dup7, + dup18, + dup9, + dup10, + dup19, + dup12, + dup3, + dup13, + ])); + + var msg11 = msg("IMPERVA_DATABASE_ACTIVITY:04", part11); + + var part12 = match("MESSAGE#11:IMPERVA_DATABASE_ACTIVITY:08", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} 
%{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup17, + dup7, + dup18, + dup9, + dup15, + dup19, + dup12, + dup3, + dup13, + ])); + + var msg12 = msg("IMPERVA_DATABASE_ACTIVITY:08", part12); + + var part13 = match("MESSAGE#12:IMPERVA_DATABASE_ACTIVITY:02", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup17, + dup7, + dup18, + dup9, + dup10, + dup19, + dup4, + dup3, + dup13, + ])); + + var msg13 = msg("IMPERVA_DATABASE_ACTIVITY:02", part13); + + var part14 = match("MESSAGE#13:IMPERVA_DATABASE_ACTIVITY:09", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup17, + dup7, + dup18, + dup9, + dup15, + dup19, + dup4, + dup3, + dup13, + ])); + + var msg14 = 
msg("IMPERVA_DATABASE_ACTIVITY:09", part14); + + var part15 = match("MESSAGE#14:IMPERVA_DATABASE_ACTIVITY:10", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Query,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86}", processor_chain([ + dup17, + dup20, + dup12, + dup3, + dup13, + ])); + + var msg15 = msg("IMPERVA_DATABASE_ACTIVITY:10", part15); + + var part16 = match("MESSAGE#15:IMPERVA_DATABASE_ACTIVITY:11", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Query,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86}", processor_chain([ + dup17, + dup20, + dup12, + dup3, + dup13, + ])); + + var msg16 = msg("IMPERVA_DATABASE_ACTIVITY:11", part16); + + var part17 = match("MESSAGE#16:IMPERVA_DATABASE_ACTIVITY:12", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},srvGroup=%{group_object},service=%{service},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=%{fld99},application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result}", processor_chain([ + setc("eventcategory","1401050200"), + dup20, + dup12, + dup3, + dup13, + ])); + + var msg17 = msg("IMPERVA_DATABASE_ACTIVITY:12", part17); + + var part18 = match("MESSAGE#17:IMPERVA_DATABASE_ACTIVITY", 
"nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=%{event_type},usrGroup=%{group},usrAuth=%{fld83},application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + setc("eventcategory","1206000000"), + dup4, + dup3, + dup13, + ])); + + var msg18 = msg("IMPERVA_DATABASE_ACTIVITY", part18); + + var select2 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + ]); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "Imperva": select2, + }), + ]); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/imperva/0.1.0/dataset/securesphere/agent/stream/udp.yml.hbs b/packages/imperva/0.1.0/dataset/securesphere/agent/stream/udp.yml.hbs new file mode 100644 index 0000000000..da3bbcb32c --- /dev/null +++ b/packages/imperva/0.1.0/dataset/securesphere/agent/stream/udp.yml.hbs 
@@ -0,0 +1,2692 @@
+udp:
+host: "{{udp_host}}:{{udp_port}}"
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Imperva"
+ product: "Secure"
+ type: "WAF"
+publisher_pipeline.disable_host: true
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{rsa_fields}}
+ tz_offset: {{tz_offset}}
+ keep_raw: {{keep_raw_fields}}
+ debug: {{debug}}
+ source: |
+ // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ // or more contributor license agreements. Licensed under the Elastic License;
+ // you may not use this file except in compliance with the Elastic License.
+
+ /* jshint -W014,-W016,-W097,-W116 */
+
+ var processor = require("processor");
+ var console = require("console");
+
+ var FLAG_FIELD = "log.flags";
+ var FIELDS_OBJECT = "nwparser";
+ var FIELDS_PREFIX = FIELDS_OBJECT + ".";
+
+ var defaults = {
+ debug: false,
+ ecs: true,
+ rsa: false,
+ keep_raw: false,
+ tz_offset: "local",
+ strip_priority: true
+ };
+
+ var saved_flags = null;
+ var debug;
+ var map_ecs;
+ var map_rsa;
+ var keep_raw;
+ var device;
+ var tz_offset;
+ var strip_priority;
+
+ // Register params from configuration.
+ function register(params) {
+ debug = params.debug !== undefined ? params.debug : defaults.debug;
+ map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
+ map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
+ keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
+ tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
+ strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority;
+ device = new DeviceProcessor();
+ }
+
+ function parse_tz_offset(offset) {
+ var date;
+ var m;
+ switch(offset) {
+ // local uses the tz offset from the JS VM.
+ case "local":
+ date = new Date();
+ // Reversing the sign as we the offset from UTC, not to UTC.
+ return parse_local_tz_offset(-date.getTimezoneOffset());
+ // event uses the tz offset from event.timezone (add_locale processor).
+ case "event":
+ return offset;
+ // Otherwise a tz offset in the form "[+-][0-9]{4}" is required.
+ default:
+ m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/);
+ if (m === null || m.length !== 4) {
+ throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM");
+ }
+ return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00");
+ }
+ }
+
+ function parse_local_tz_offset(minutes) {
+ var neg = minutes < 0;
+ minutes = Math.abs(minutes);
+ var min = minutes % 60;
+ var hours = Math.floor(minutes / 60);
+ var pad2digit = function(n) {
+ if (n < 10) { return "0" + n;}
+ return "" + n;
+ };
+ return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min);
+ }
+
+ function process(evt) {
+ // Function register is only called by the processor when `params` are set
+ // in the processor config.
+ if (device === undefined) {
+ register(defaults);
+ }
+ return device.process(evt);
+ }
+
+ function processor_chain(subprocessors) {
+ var builder = new processor.Chain();
+ subprocessors.forEach(builder.Add);
+ return builder.Build().Run;
+ }
+
+ function linear_select(subprocessors) {
+ return function (evt) {
+ var flags = evt.Get(FLAG_FIELD);
+ var i;
+ for (i = 0; i < subprocessors.length; i++) {
+ evt.Delete(FLAG_FIELD);
+ if (debug) console.warn("linear_select trying entry " + i);
+ subprocessors[i](evt);
+ // Dissect processor succeeded?
+ if (evt.Get(FLAG_FIELD) == null) break;
+ if (debug) console.warn("linear_select failed entry " + i);
+ }
+ if (flags !== null) {
+ evt.Put(FLAG_FIELD, flags);
+ }
+ if (debug) {
+ if (i < subprocessors.length) {
+ console.warn("linear_select matched entry " + i);
+ } else {
+ console.warn("linear_select didn't match");
+ }
+ }
+ };
+ }
+
+ function conditional(opt) {
+ return function(evt) {
+ if (opt.if(evt)) {
+ opt.then(evt);
+ } else if (opt.else) {
+ opt.else(evt);
+ }
+ };
+ }
+
+ var strip_syslog_priority = (function() {
+ var isEnabled = function() { return strip_priority === true; };
+ var fetchPRI = field("_pri");
+ var fetchPayload = field("payload");
+ var removePayload = remove(["payload"]);
+ var cleanup = remove(["_pri", "payload"]);
+ var onMatch = function(evt) {
+ var pri, priStr = fetchPRI(evt);
+ if (priStr != null
+ && 0 < priStr.length && priStr.length < 4
+ && !isNaN((pri = Number(priStr)))
+ && 0 <= pri && pri < 192) {
+ var severity = pri & 7,
+ facility = pri >> 3;
+ setc("_severity", "" + severity)(evt);
+ setc("_facility", "" + facility)(evt);
+ // Replace message with priority stripped.
+ evt.Put("message", fetchPayload(evt));
+ removePayload(evt);
+ } else {
+ // not a valid syslog PRI, cleanup.
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]},
+ "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]},
+ "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]},
+ "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]},
+ "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]},
+ "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]},
+ "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]},
+ "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]},
+ "version": {to:[{field: "rsa.misc.version", setter: fld_set}]},
+ "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]},
+ "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]},
+ "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]},
+ "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]},
+ "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]},
+ "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]},
+ "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]},
+ "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]},
+ "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]},
+ "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]},
+ "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]},
+ "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]},
+ "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]},
+ "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]},
+ "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]},
+ "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]},
+ "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]},
+ "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
+ "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
+ "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
+ "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
+ "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
+ "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
+ };
+
+ function to_date(value) {
+ switch (typeof (value)) {
+ case "object":
+ // This is a Date. But as it was obtained from evt.Get(), the VM
+ // doesn't see it as a JS Date anymore, thus value instanceof Date === false.
+ // Have to trust that any object here is a valid Date for Go.
+ return value;
+ case "string":
+ var asDate = new Date(value);
+ if (!isNaN(asDate)) return asDate;
+ }
+ }
+
+ // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
+ var maxSafeInt = Math.pow(2, 53) - 1;
+ var minSafeInt = -maxSafeInt;
+
+ function to_long(value) {
+ var num = parseInt(value);
+ // Better not to index a number if it's not safe (above 53 bits).
+ return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined;
+ }
+
+ function to_ip(value) {
+ if (value.indexOf(":") === -1)
+ return to_ipv4(value);
+ return to_ipv6(value);
+ }
+
+ var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
+ var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
+
+ function to_ipv4(value) {
+ var result = ipv4_regex.exec(value);
+ if (result == null || result.length !== 5) return;
+ for (var i = 1; i < 5; i++) {
+ var num = strictToInt(result[i]);
+ if (isNaN(num) || num < 0 || num > 255) return;
+ }
+ return value;
+ }
+
+ function to_ipv6(value) {
+ var sqEnd = value.indexOf("]");
+ if (sqEnd > -1) {
+ if (value.charAt(0) !== "[") return;
+ value = value.substr(1, sqEnd - 1);
+ }
+ var zoneOffset = value.indexOf("%");
+ if (zoneOffset > -1) {
+ value = value.substr(0, zoneOffset);
+ }
+ var parts = value.split(":");
+ if (parts == null || parts.length < 3 || parts.length > 8) return;
+ var numEmpty = 0;
+ var innerEmpty = 0;
+ for (var i = 0; i < parts.length; i++) {
+ if (parts[i].length === 0) {
+ numEmpty++;
+ if (i > 0 && i + 1 < parts.length) innerEmpty++;
+ } else if (!parts[i].match(ipv6_hex_regex) &&
+ // Accept an IPv6 with a valid IPv4 at the end.
+ ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
+ return;
+ }
+ }
+ return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
+ }
+
+ function to_double(value) {
+ return parseFloat(value);
+ }
+
+ function to_mac(value) {
+ // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
+ return value;
+ }
+
+ function to_lowercase(value) {
+ // to_lowercase is used against keyword fields, which can accept
+ // any other type (numbers, dates).
+ return typeof(value) === "string"? value.toLowerCase() : value;
+ }
+
+ function fld_set(dst, value) {
+ dst[this.field] = { v: value };
+ }
+
+ function fld_append(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: [value] };
+ } else {
+ var base = dst[this.field];
+ if (base.v.indexOf(value)===-1) base.v.push(value);
+ }
+ }
+
+ function fld_prio(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value, prio: this.prio};
+ } else if(this.prio < dst[this.field].prio) {
+ dst[this.field].v = value;
+ dst[this.field].prio = this.prio;
+ }
+ }
+
+ var valid_ecs_outcome = {
+ 'failure': true,
+ 'success': true,
+ 'unknown': true
+ };
+
+ function fld_ecs_outcome(dst, value) {
+ value = value.toLowerCase();
+ if (valid_ecs_outcome[value] === undefined) {
+ value = 'unknown';
+ }
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value };
+ } else if (dst[this.field].v === 'unknown') {
+ dst[this.field] = { v: value };
+ }
+ }
+
+ function map_all(evt, targets, value) {
+ for (var i = 0; i < targets.length; i++) {
+ evt.Put(targets[i], value);
+ }
+ }
+
+ function populate_fields(evt) {
+ var base = evt.Get(FIELDS_OBJECT);
+ if (base === null) return;
+ alternate_datetime(evt);
+ if (map_ecs) {
+ do_populate(evt, base, ecs_mappings);
+ }
+ if (map_rsa) {
+ do_populate(evt, base, rsa_mappings);
+ }
+ if (keep_raw) {
+ evt.Put("rsa.raw", base);
+ }
+ evt.Delete(FIELDS_OBJECT);
+ }
+
+ var datetime_alt_components = [
+ {field: "day", fmts: [[dF]]},
+ {field: "year", fmts: [[dW]]},
+ {field: "month", fmts: [[dB],[dG]]},
+ {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
+ {field: "hour", fmts: [[dN]]},
+ {field: "min", fmts: [[dU]]},
+ {field: "secs", fmts: [[dO]]},
+ {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
+ ];
+
+ function alternate_datetime(evt) {
+ if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
+ return;
+ }
+ var tzOffset = tz_offset;
+ if (tzOffset === "event") {
+ tzOffset = evt.Get("event.timezone");
+ }
+ var container = new DateContainer(tzOffset);
+ for (var i=0; i} %{fld79->} %{fld80->} %{fld81->} %{timezone->} %{fld82},updateTime=%{fld8},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=\"%{action}\",errormsg=\"%{result}\"", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ ]));
+
+ var msg1 = msg("IMPERVA_ALERT:02", part1);
+
+ var part2 = match("MESSAGE#1:IMPERVA_ALERT", "nwparser.payload", "alert#=%{operation_id},event#=%{fld7},createTime=%{fld79},updateTime=%{fld80},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=\"%{action}\",errormsg=\"%{result}\"", processor_chain([
+ dup1,
+ dup4,
+ dup3,
+ ]));
+
+ var msg2 = msg("IMPERVA_ALERT", part2);
+
+ var part3 = match("MESSAGE#2:IMPERVA_ALERT:03", "nwparser.payload", "alert#=%{operation_id},event#=%{fld7},createTime=%{fld78->} %{fld79->} %{fld80->} %{fld81->} %{timezone->} %{fld82},updateTime=%{fld8},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=%{action}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ ]));
+
+ var msg3 = msg("IMPERVA_ALERT:03", part3);
+
+ var part4 = match("MESSAGE#3:IMPERVA_ALERT:01", "nwparser.payload", "alert#=%{operation_id},event#=%{fld7},createTime=%{fld79},updateTime=%{fld80},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=%{action}", processor_chain([
+ dup1,
+ dup4,
+ dup3,
+ ]));
+
+ var msg4 = msg("IMPERVA_ALERT:01", part4);
+
+ var part5 = match("MESSAGE#4:IMPERVA_EVENT:01", "nwparser.payload", "event#=%{fld77},createTime=%{fld78->} %{fld79->} %{fld80->} %{fld81->} %{timezone->} %{fld82},eventType=%{event_type},eventSev=%{severity},username=%{username},subsystem=%{fld7},message=\"%{event_description}\"", processor_chain([
+ dup5,
+ dup2,
+ dup3,
+ ]));
+
+ var msg5 = msg("IMPERVA_EVENT:01", part5);
+
+ var part6 = match("MESSAGE#5:IMPERVA_EVENT", "nwparser.payload", "event#=%{fld77},createTime=%{fld79},eventType=%{event_type},eventSev=%{severity},username=%{username},subsystem=%{fld7},message=\"%{event_description}\"", processor_chain([
+ dup5,
+ dup4,
+ dup3,
+ ]));
+
+ var msg6 = msg("IMPERVA_EVENT", part6);
+
+ var part7 = match("MESSAGE#6:IMPERVA_DATABASE_ACTIVITY:03", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([
+ dup6,
+ dup7,
+ dup8,
+ dup9,
+ dup10,
+ dup11,
+ dup12,
+ dup3,
+ dup13,
+ ]));
+
+ var msg7 = msg("IMPERVA_DATABASE_ACTIVITY:03", part7);
+
+ var part8 = match("MESSAGE#7:IMPERVA_DATABASE_ACTIVITY:06", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([
+ dup14,
+ dup7,
+ dup8,
+ dup9,
+ dup15,
+ dup11,
+ dup12,
+ dup3,
+ dup13,
+ ]));
+
+ var msg8 = msg("IMPERVA_DATABASE_ACTIVITY:06", part8);
+
+ var part9 = match("MESSAGE#8:IMPERVA_DATABASE_ACTIVITY:01", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([
+ dup6,
+ dup7,
+ dup8,
+ dup9,
+ dup10,
+ dup11,
+ dup16,
+ dup3,
+ dup13,
+ ]));
+
+ var msg9 = msg("IMPERVA_DATABASE_ACTIVITY:01", part9);
+
+ var part10 = match("MESSAGE#9:IMPERVA_DATABASE_ACTIVITY:07", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([
+ dup14,
+ dup7,
+ dup8,
+ dup9,
+ dup15,
+ dup11,
+ dup16,
+ dup3,
+ dup13,
+ ]));
+
+ var msg10 = msg("IMPERVA_DATABASE_ACTIVITY:07", part10);
+
+ var part11 = match("MESSAGE#10:IMPERVA_DATABASE_ACTIVITY:04", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([
+ dup17,
+ dup7,
+ dup18,
+ dup9,
+ dup10,
+ dup19,
+ dup12,
+ dup3,
+ dup13,
+ ]));
+
+ var msg11 = msg("IMPERVA_DATABASE_ACTIVITY:04", part11);
+
+ var part12 = match("MESSAGE#11:IMPERVA_DATABASE_ACTIVITY:08", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([
+ dup17,
+ dup7,
+ dup18,
+ dup9,
+ dup15,
+ dup19,
+ dup12,
+ dup3,
+ dup13,
+ ]));
+
+ var msg12 = msg("IMPERVA_DATABASE_ACTIVITY:08", part12);
+
+ var part13 = match("MESSAGE#12:IMPERVA_DATABASE_ACTIVITY:02", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([
+ dup17,
+ dup7,
+ dup18,
+ dup9,
+ dup10,
+ dup19,
+ dup4,
+ dup3,
+ dup13,
+ ]));
+
+ var msg13 = msg("IMPERVA_DATABASE_ACTIVITY:02", part13);
+
+ var part14 = match("MESSAGE#13:IMPERVA_DATABASE_ACTIVITY:09", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([
+ dup17,
+ dup7,
+ dup18,
+ dup9,
+ dup15,
+ dup19,
+ dup4,
+ dup3,
+ dup13,
+ ]));
+
+ var msg14 = msg("IMPERVA_DATABASE_ACTIVITY:09", part14);
+
+ var part15 = match("MESSAGE#14:IMPERVA_DATABASE_ACTIVITY:10", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Query,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86}", processor_chain([
+ dup17,
+ dup20,
+ dup12,
+ dup3,
+ dup13,
+ ]));
+
+ var msg15 = msg("IMPERVA_DATABASE_ACTIVITY:10", part15);
+
+ var part16 = match("MESSAGE#15:IMPERVA_DATABASE_ACTIVITY:11", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Query,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86}", processor_chain([
+ dup17,
+ dup20,
+ dup12,
+ dup3,
+ dup13,
+ ]));
+
+ var msg16 = msg("IMPERVA_DATABASE_ACTIVITY:11", part16);
+
+ var part17 = match("MESSAGE#16:IMPERVA_DATABASE_ACTIVITY:12", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},srvGroup=%{group_object},service=%{service},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=%{fld99},application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result}", processor_chain([
+ setc("eventcategory","1401050200"),
+ dup20,
+ dup12,
+ dup3,
+ dup13,
+ ]));
+
+ var msg17 = msg("IMPERVA_DATABASE_ACTIVITY:12", part17);
+
+ var part18 = match("MESSAGE#17:IMPERVA_DATABASE_ACTIVITY", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=%{event_type},usrGroup=%{group},usrAuth=%{fld83},application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([
+ setc("eventcategory","1206000000"),
+ dup4,
+ dup3,
+ dup13,
+ ]));
+
+ var msg18 = msg("IMPERVA_DATABASE_ACTIVITY", part18);
+
+ var select2 = linear_select([
+ msg1,
+ msg2,
+ msg3,
+ msg4,
+ msg5,
+ msg6,
+ msg7,
+ msg8,
+ msg9,
+ msg10,
+ msg11,
+ msg12,
+ msg13,
+ msg14,
+ msg15,
+ msg16,
+ msg17,
+ msg18,
+ ]);
+
+ var chain1 = processor_chain([
+ select1,
+ msgid_select({
+ "Imperva": select2,
+ }),
+ ]);
+
+- community_id:
+- add_locale: ~
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/packages/imperva/0.1.0/dataset/securesphere/elasticsearch/ingest_pipeline/default.yml b/packages/imperva/0.1.0/dataset/securesphere/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 0000000000..4a84f2a8bc
--- /dev/null
+++ b/packages/imperva/0.1.0/dataset/securesphere/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Imperva SecureSphere
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/imperva/0.1.0/dataset/securesphere/fields/base-fields.yml b/packages/imperva/0.1.0/dataset/securesphere/fields/base-fields.yml
new file mode 100644
index 0000000000..b294eaf20e
--- /dev/null
+++ b/packages/imperva/0.1.0/dataset/securesphere/fields/base-fields.yml
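Review bot: The four `rename` processors that follow the ASN lookups carry no comment saying why they exist, while the user_agent and geoip groups each have one; a reader has to infer that the ASN database emits `asn`/`organization_name` rather than the ECS `as.number`/`as.organization.name` names. A one-line comment above the first rename, `# Rename ASN lookup output to the ECS source.as.* / destination.as.* field names`, would document that. Separately, every enrichment sets `ignore_missing: true` but none sets `ignore_failure`, so a non-IP value reaching `source.ip` or `destination.ip` (the parser's `to_ip` validation is only visible on the rsa mapping path) would presumably abort the remaining processors and leave the event with only `error.message` set by the pipeline-level `on_failure`; whether that fail-whole-document behaviour is intended is worth stating in the file.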
@@ -0,0 +1,26 @@
+- name: datastream.type
+ type: constant_keyword
+ description: Datastream type.
+- name: datastream.dataset
+ type: constant_keyword
+ description: Datastream dataset.
+- name: datastream.namespace
+ type: constant_keyword
+ description: Datastream namespace.
+
+- name: dataset.type
+ type: constant_keyword
+ description: >
+ Dataset type.
+- name: dataset.name
+ type: constant_keyword
+ description: >
+ Dataset name.
+- name: dataset.namespace
+ type: constant_keyword
+ description: >
+ Dataset namespace.
+- name: "@timestamp"
+ type: date
+ description: >
+ Event timestamp.
diff --git a/packages/imperva/0.1.0/dataset/securesphere/fields/ecs.yml b/packages/imperva/0.1.0/dataset/securesphere/fields/ecs.yml
new file mode 100644
index 0000000000..92af91c339
--- /dev/null
+++ b/packages/imperva/0.1.0/dataset/securesphere/fields/ecs.yml
@@ -0,0 +1,836 @@ +- name: log + type: group + fields: + - name: original + level: core + type: keyword + ignore_above: 1024 + description: 'This is the original log message and contains the full log message + before splitting it up in multiple parts. + + In contrast to the `message` field which can contain an extracted part of the + log message, this field contains the original, full log message. It can have + already some modifications applied like encoding or new lines removed to clean + up the log message. + + This field is not indexed and doc_values are disabled so it can''t be queried + but the value can be retrieved from `_source`.' + example: Sep 19 08:26:10 localhost My log + - name: level + level: core + type: keyword + ignore_above: 1024 + description: 'Original log level of the log event. + + If the source of the event provides a log level or textual severity, this is + the one that goes in `log.level`. If your source doesn''t specify one, you may + put your event transport''s severity here (e.g. Syslog severity). + + Some examples are `warn`, `err`, `i`, `informational`.' + example: error + - name: syslog + type: group + fields: + - name: priority + level: extended + type: long + format: string + description: 'Syslog numeric priority of the event, if available. + + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. + This number is therefore expected to contain a value between 0 and 191.' + example: 135 + - name: facility + type: group + fields: + - name: code + level: extended + type: long + format: string + description: 'The Syslog numeric facility of the log event, if available. + + According to RFCs 5424 and 3164, this value should be an integer between + 0 and 23.' + example: 23 + - name: severity + type: group + fields: + - name: code + level: extended + type: long + description: 'The Syslog numeric severity of the log event, if available. 
+ + If the event source publishing via Syslog provides a different numeric severity + value (e.g. firewall, IDS), your source''s numeric severity should go to + `event.severity`. If the event source does not specify a distinct severity, + you can optionally copy the Syslog severity to `event.severity`.' + example: 3 +- name: event + type: group + fields: + - name: code + level: extended + type: keyword + ignore_above: 1024 + description: 'Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, regardless + of message language or wording adjustments over time. An example of this is + the Windows Event ID.' + example: 4648 + - name: action + level: core + type: keyword + ignore_above: 1024 + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is normally + defined by the implementer.' + example: user-password-change + - name: outcome + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + lowest level in the ECS category hierarchy. + + `event.outcome` simply denotes whether the event represents a success or a failure + from the perspective of the entity that produced the event. + + Note that when a single transaction is described in multiple events, each event + may populate different values of `event.outcome`, according to their perspective. + + Also note that in the case of a compound event (a single event that contains + multiple logical events), this field should be populated with the value that + best captures the overall success or failure from the perspective of the event + producer. + + Further note that not all events will have an associated outcome. 
For example, + this field is generally not populated for metric events, events with `event.type:info`, + or any events for which an outcome does not make logical sense.' + example: success + - name: category + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as a + subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + - name: timezone + level: extended + type: keyword + ignore_above: 1024 + description: 'This field should be populated when the event''s timestamp does + not include timezone information already (e.g. default Syslog timestamps). It''s + optional otherwise. + + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated + (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' +- name: '@timestamp' + level: core + required: true + type: date + description: 'Date/time when the event originated. + + This is the date/time extracted from the event, typically representing when the + event was generated by the source. + + If the event source has no original timestamp, this value is typically populated + by the first time the event was received by the pipeline. + + Required field for all events.' + example: '2016-05-23T08:05:34.853Z' +- name: user + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. 
+ example: albert + - name: full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifiers of the user. +- name: message + level: core + type: text + description: 'For log events the message field contains the log message, optimized + for viewing in a log viewer. + + For structured logs without an original message field, other fields can be concatenated + to form a human-readable summary of the event. + + If multiple messages exist, they can be combined into one message.' + example: Hello World +- name: source + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the source. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the source. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the source. + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. 
internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Source domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: host + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified + domain name, or a name specified by the user. The sender decides which value + to use.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. +- name: destination + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the destination. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the destination. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event destination addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. 
You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the destination to the source. + example: 184 + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the destination. + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of destination based NAT sessions (e.g. internet + to private DMZ) + + Typically used with load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Port the source session is translated to by NAT Device. + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Destination domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: network + type: group + fields: + - name: protocol + level: core + type: keyword + ignore_above: 1024 + description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: http + - name: application + level: extended + type: keyword + ignore_above: 1024 + description: 'A name given to an application level protocol. This can be arbitrarily + assigned for things like microservices, but also apply to things like skype, + icq, facebook, twitter. 
This would be used in situations where the vendor or + service can be decoded such as from the source/dest IP owners, ports, or wire + format. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: aim + - name: interface + type: group + fields: + - type: keyword + name: name + - name: bytes + level: core + type: long + format: bytes + description: 'Total bytes transferred in both directions. + + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their + sum.' + example: 368 + - name: direction + level: core + type: keyword + ignore_above: 1024 + description: "Direction of the network traffic.\nRecommended values are:\n *\ + \ inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen mapping\ + \ events from a host-based monitoring context, populate this field from the\ + \ host's point of view.\nWhen mapping events from a network or perimeter-based\ + \ monitoring context, populate this field from the point of view of your network\ + \ perimeter." + example: inbound + - name: packets + level: core + type: long + description: 'Total packets transferred in both directions. + + If `source.packets` and `destination.packets` are known, `network.packets` is + their sum.' + example: 24 + - name: forwarded_ip + level: core + type: ip + description: Host IP address when the source IP address is the proxy. + example: 192.1.1.2 +- name: observer + type: group + fields: + - name: version + level: core + type: keyword + ignore_above: 1024 + description: Observer version. + - name: product + level: extended + type: keyword + ignore_above: 1024 + description: The product name of the observer. + example: s200 + - name: ingress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. 
+ example: eth0 + default_field: false + - name: egress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. + example: eth0 + default_field: false +- name: file + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. + example: example.png + - name: directory + level: extended + type: keyword + ignore_above: 1024 + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + - name: size + level: extended + type: long + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: File type (file, dir, or symlink). + example: file + - name: extension + level: extended + type: keyword + ignore_above: 1024 + description: File extension. + example: png + - name: path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + - name: attributes + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' 
+ example: '["readonly", "system"]' + default_field: false +- name: url + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + - name: query + level: extended + type: keyword + ignore_above: 1024 + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there is + no query field. If there is a `?` but no query, the query field exists with + an empty string. The `exists` query can be used to differentiate between the + two cases.' + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field.' + example: www.elastic.co + - name: path + level: extended + type: keyword + ignore_above: 1024 + description: Path of the request, such as "/search". + - name: top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for google.com is "com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). 
Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.google.com" is "google.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: google.com +- name: service + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the service data is collected from. + + The name of the service is normally user given. This allows for distributed + services that run on multiple hosts to correlate the related instances based + on the name. + + In the case of Elasticsearch the `service.name` could contain the cluster name. + For Beats the `service.name` is by default a copy of the `service.type` field + if no name is specified.' + example: elasticsearch-metrics +- name: server + type: group + fields: + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Server domain. +- name: process + type: group + fields: + - name: pid + level: core + type: long + format: string + description: Process id. + example: 4242 + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + - name: ppid + level: extended + type: long + format: string + description: Parent process' pid. 
+ example: 4241 + - name: parent + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' +- name: rule + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: The name of the rule or signature generating the event. + example: BLOCK_DNS_over_TLS + default_field: false +- name: user_agent + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Unparsed user_agent string. + example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 + (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 +- name: http + type: group + fields: + - name: response + type: group + fields: + - name: body + type: group + fields: + - name: content + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: The full HTTP response body. 
+ example: Hello world + - name: request + type: group + fields: + - name: referrer + level: extended + type: keyword + ignore_above: 1024 + description: Referrer for this HTTP request. + example: https://blog.example.com/ + - name: method + level: extended + type: keyword + ignore_above: 1024 + description: 'HTTP request method. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: get, post, put +- name: geo + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + - name: region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec +- name: dns + type: group + fields: + - name: question + type: group + fields: + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of record being queried. + example: AAAA + - name: answers + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'The domain name to which this resource record pertains. + + If a chain of CNAME is being resolved, each answer''s `name` should be the + one that corresponds with the answer''s `data`. It should not simply be the + original `question.name` repeated.' + example: www.google.com + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of data contained in this resource record. 
+ example: CNAME diff --git a/packages/imperva/0.1.0/dataset/securesphere/fields/fields.yml b/packages/imperva/0.1.0/dataset/securesphere/fields/fields.yml new file mode 100644 index 0000000000..2abc947fe7 --- /dev/null +++ b/packages/imperva/0.1.0/dataset/securesphere/fields/fields.yml 
@@ -0,0 +1,1939 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. 
+ - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a 
generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/packages/imperva/0.1.0/dataset/securesphere/manifest.yml b/packages/imperva/0.1.0/dataset/securesphere/manifest.yml new file mode 100644 index 0000000000..6ddeecaff3 --- /dev/null +++ b/packages/imperva/0.1.0/dataset/securesphere/manifest.yml 
@@ -0,0 +1,155 @@
+title: Imperva SecureSphere logs
+release: experimental
+type: logs
+streams:
+- input: udp
+ title: Imperva SecureSphere logs
+ description: Collect Imperva SecureSphere logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - imperva-securesphere
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9510
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: tcp
+ title: Imperva SecureSphere logs
+ description: Collect Imperva SecureSphere logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - imperva-securesphere
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9510
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: file
+ title: Imperva SecureSphere logs
+ description: Collect Imperva SecureSphere logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/imperva-securesphere.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - imperva-securesphere
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
diff --git a/packages/imperva/0.1.0/docs/README.md b/packages/imperva/0.1.0/docs/README.md
new file mode 100644
index 0000000000..7ae2015a25
--- /dev/null
+++ b/packages/imperva/0.1.0/docs/README.md
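Review bot: The `tz_offset` var in all three streams is titled `Timezone offset (+HH:mm format)` while its default is `"local"`, a value the title never says is accepted; the processor script shipped with these stream templates appears to treat `local` as the agent's own offset, so `title: Timezone offset (+HH:mm format, or "local" for the agent's timezone)` would keep users from "correcting" a valid default. The udp and tcp streams also share both the title and the description `Collect Imperva SecureSphere logs`, so only `template_path` tells them apart where the stream is chosen; `description: Collect Imperva SecureSphere logs over UDP` and `description: Collect Imperva SecureSphere logs over TCP` would match the file stream's `from file` wording. The file stream omits `template_path` where the other two set it explicitly, presumably relying on the package's default stream template — stating it explicitly would make the three inputs read alike.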
@@ -0,0 +1,780 @@
+# Imperva integration
+
+This integration is for Imperva device's logs. It includes the following
+datasets for receiving logs over syslog or read from a file:
+- `securesphere` dataset: supports Imperva SecureSphere logs.
+
+### Securesphere
+
+The `securesphere` dataset collects Imperva SecureSphere logs.
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
+| dataset.name | Dataset name. | constant_keyword |
+| dataset.namespace | Dataset namespace. | constant_keyword |
+| dataset.type | Dataset type. | constant_keyword |
+| datastream.dataset | Datastream dataset. | constant_keyword |
+| datastream.namespace | Datastream namespace. | constant_keyword |
+| datastream.type | Datastream type. | constant_keyword |
+| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.bytes | Bytes sent from the destination to the source. | long |
+| destination.domain | Destination domain. | keyword |
+| destination.geo.city_name | City name. | keyword |
+| destination.geo.country_name | Country name. | keyword |
+| destination.geo.location.lat | | double |
+| destination.geo.location.lon | | double |
+| destination.ip | IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses. | ip |
+| destination.mac | MAC address of the destination. 
| keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. 
| keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| http.request.method | HTTP request method. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.body.content | The full HTTP response body. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. 
| keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | +| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.pid | Process id. | long | +| process.ppid | Parent process' pid. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. 
| keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is 
used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| rsa.crypto.ike | IKE negotiation phase. 
| keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | +| rsa.file.directory_dst | This key is used to capture the directory of the target process or file | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | +| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.event_desc | | keyword | +| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | +| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | +| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.inode | Deprecated key defined only in table map. | long | +| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | +| rsa.internal.level | Deprecated key defined only in table map. | long | +| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | +| rsa.internal.message | This key captures the contents of instant messages | keyword | +| rsa.internal.messageid | | keyword | +| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | +| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword |
+| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword |
+| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
+| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.site | Deprecated key defined only in table map. | keyword |
+| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
+| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.statement | Deprecated key defined only in table map. | keyword |
+| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date |
+| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long |
+| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long |
+| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword |
+| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword |
+| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword |
+| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword |
+| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword |
+| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword |
+| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword |
+| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword |
+| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword |
+| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword |
+| rsa.investigations.event_cat | This key captures the Event category number | long |
+| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword |
+| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword |
+| rsa.investigations.inv_category | This used to capture investigation category | keyword |
+| rsa.investigations.inv_context | This used to capture investigation context | keyword |
+| rsa.investigations.ioc | This is key capture indicator of compromise | keyword |
+| rsa.misc.OS | This key captures the Name of the Operating System | keyword |
+| rsa.misc.acl_id | | keyword |
+| rsa.misc.acl_op | | keyword |
+| rsa.misc.acl_pos | | keyword |
+| rsa.misc.acl_table | | keyword |
+| rsa.misc.action | | keyword |
+| rsa.misc.admin | | keyword |
+| rsa.misc.agent_id | This key is used to capture agent id | keyword |
+| rsa.misc.alarm_id | | keyword |
+| rsa.misc.alarmname | | keyword |
+| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword |
+| rsa.misc.app_id | | keyword |
+| rsa.misc.audit | | keyword |
+| rsa.misc.audit_object | | keyword |
+| rsa.misc.auditdata | | keyword |
+| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword |
+| rsa.misc.benchmark | | keyword |
+| rsa.misc.bypass | | keyword |
+| rsa.misc.cache | | keyword |
+| rsa.misc.cache_hit | | keyword |
+| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword |
+| rsa.misc.cc_number | Valid Credit Card Numbers only | long |
+| rsa.misc.cefversion | | keyword |
+| rsa.misc.cfg_attr | | keyword |
+| rsa.misc.cfg_obj | | keyword |
+| rsa.misc.cfg_path | | keyword |
+| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword |
+| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword |
+| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword |
+| rsa.misc.changes | | keyword |
+| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword |
+| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword |
+| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword |
+| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword |
+| rsa.misc.client_ip | | keyword |
+| rsa.misc.clustermembers | | keyword |
+| rsa.misc.cmd | | keyword |
+| rsa.misc.cn_acttimeout | | keyword |
+| rsa.misc.cn_asn_src | | keyword |
+| rsa.misc.cn_bgpv4nxthop | | keyword |
+| rsa.misc.cn_ctr_dst_code | | keyword |
+| rsa.misc.cn_dst_tos | | keyword |
+| rsa.misc.cn_dst_vlan | | keyword |
+| rsa.misc.cn_engine_id | | keyword |
+| rsa.misc.cn_engine_type | | keyword |
+| rsa.misc.cn_f_switch | | keyword |
+| rsa.misc.cn_flowsampid | | keyword |
+| rsa.misc.cn_flowsampintv | | keyword |
+| rsa.misc.cn_flowsampmode | | keyword |
+| rsa.misc.cn_inacttimeout | | keyword |
+| rsa.misc.cn_inpermbyts | | keyword |
+| rsa.misc.cn_inpermpckts | | keyword |
+| rsa.misc.cn_invalid | | keyword |
+| rsa.misc.cn_ip_proto_ver | | keyword |
+| rsa.misc.cn_ipv4_ident | | keyword |
+| rsa.misc.cn_l_switch | | keyword |
+| rsa.misc.cn_log_did | | keyword |
+| rsa.misc.cn_log_rid | | keyword |
+| rsa.misc.cn_max_ttl | | keyword |
+| rsa.misc.cn_maxpcktlen | | keyword |
+| rsa.misc.cn_min_ttl | | keyword |
+| rsa.misc.cn_minpcktlen | | keyword |
+| rsa.misc.cn_mpls_lbl_1 | | keyword |
+| rsa.misc.cn_mpls_lbl_10 | | keyword |
+| rsa.misc.cn_mpls_lbl_2 | | keyword |
+| rsa.misc.cn_mpls_lbl_3 | | keyword |
+| rsa.misc.cn_mpls_lbl_4 | | keyword |
+| rsa.misc.cn_mpls_lbl_5 | 
| keyword |
+| rsa.misc.cn_mpls_lbl_6 | | keyword |
+| rsa.misc.cn_mpls_lbl_7 | | keyword |
+| rsa.misc.cn_mpls_lbl_8 | | keyword |
+| rsa.misc.cn_mpls_lbl_9 | | keyword |
+| rsa.misc.cn_mplstoplabel | | keyword |
+| rsa.misc.cn_mplstoplabip | | keyword |
+| rsa.misc.cn_mul_dst_byt | | keyword |
+| rsa.misc.cn_mul_dst_pks | | keyword |
+| rsa.misc.cn_muligmptype | | keyword |
+| rsa.misc.cn_sampalgo | | keyword |
+| rsa.misc.cn_sampint | | keyword |
+| rsa.misc.cn_seqctr | | keyword |
+| rsa.misc.cn_spackets | | keyword |
+| rsa.misc.cn_src_tos | | keyword |
+| rsa.misc.cn_src_vlan | | keyword |
+| rsa.misc.cn_sysuptime | | keyword |
+| rsa.misc.cn_template_id | | keyword |
+| rsa.misc.cn_totbytsexp | | keyword |
+| rsa.misc.cn_totflowexp | | keyword |
+| rsa.misc.cn_totpcktsexp | | keyword |
+| rsa.misc.cn_unixnanosecs | | keyword |
+| rsa.misc.cn_v6flowlabel | | keyword |
+| rsa.misc.cn_v6optheaders | | keyword |
+| rsa.misc.code | | keyword |
+| rsa.misc.command | | keyword |
+| rsa.misc.comments | Comment information provided in the log message | keyword |
+| rsa.misc.comp_class | | keyword |
+| rsa.misc.comp_name | | keyword |
+| rsa.misc.comp_rbytes | | keyword |
+| rsa.misc.comp_sbytes | | keyword |
+| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword |
+| rsa.misc.connection_id | This key captures the Connection ID | keyword |
+| rsa.misc.content | This key captures the content type from protocol headers | keyword |
+| rsa.misc.content_type | This key is used to capture Content Type only. | keyword |
+| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword |
+| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword |
+| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword |
+| rsa.misc.context_target | | keyword |
+| rsa.misc.count | | keyword |
+| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long |
+| rsa.misc.cpu_data | | keyword |
+| rsa.misc.criticality | | keyword |
+| rsa.misc.cs_agency_dst | | keyword |
+| rsa.misc.cs_analyzedby | | keyword |
+| rsa.misc.cs_av_other | | keyword |
+| rsa.misc.cs_av_primary | | keyword |
+| rsa.misc.cs_av_secondary | | keyword |
+| rsa.misc.cs_bgpv6nxthop | | keyword |
+| rsa.misc.cs_bit9status | | keyword |
+| rsa.misc.cs_context | | keyword |
+| rsa.misc.cs_control | | keyword |
+| rsa.misc.cs_data | | keyword |
+| rsa.misc.cs_datecret | | keyword |
+| rsa.misc.cs_dst_tld | | keyword |
+| rsa.misc.cs_eth_dst_ven | | keyword |
+| rsa.misc.cs_eth_src_ven | | keyword |
+| rsa.misc.cs_event_uuid | | keyword |
+| rsa.misc.cs_filetype | | keyword |
+| rsa.misc.cs_fld | | keyword |
+| rsa.misc.cs_if_desc | | keyword |
+| rsa.misc.cs_if_name | | keyword |
+| rsa.misc.cs_ip_next_hop | | keyword |
+| rsa.misc.cs_ipv4dstpre | | keyword |
+| rsa.misc.cs_ipv4srcpre | | keyword |
+| rsa.misc.cs_lifetime | | keyword |
+| rsa.misc.cs_log_medium | | keyword |
+| rsa.misc.cs_loginname | | keyword |
+| rsa.misc.cs_modulescore | | keyword |
+| rsa.misc.cs_modulesign | | keyword |
+| rsa.misc.cs_opswatresult | | keyword |
+| rsa.misc.cs_payload | | keyword |
+| rsa.misc.cs_registrant | | keyword |
+| rsa.misc.cs_registrar | | keyword |
+| rsa.misc.cs_represult | | keyword |
+| rsa.misc.cs_rpayload | | keyword |
+| rsa.misc.cs_sampler_name | | keyword |
+| rsa.misc.cs_sourcemodule | | keyword |
+| rsa.misc.cs_streams | | keyword |
+| rsa.misc.cs_targetmodule | | keyword |
+| rsa.misc.cs_v6nxthop | | keyword |
+| rsa.misc.cs_whois_server | | keyword |
+| rsa.misc.cs_yararesult | | keyword |
+| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword |
+| rsa.misc.data_type | | keyword |
+| rsa.misc.description | | keyword |
+| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword |
+| rsa.misc.devvendor | | keyword |
+| rsa.misc.disposition | This key captures the The end state of an action. | keyword |
+| rsa.misc.distance | | keyword |
+| rsa.misc.doc_number | This key captures File Identification number | long |
+| rsa.misc.dstburb | | keyword |
+| rsa.misc.edomain | | keyword |
+| rsa.misc.edomaub | | keyword |
+| rsa.misc.ein_number | Employee Identification Numbers only | long |
+| rsa.misc.error | This key captures All non successful Error codes or responses | keyword |
+| rsa.misc.euid | | keyword |
+| rsa.misc.event_category | | keyword |
+| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword |
+| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword |
+| rsa.misc.event_id | | keyword |
+| rsa.misc.event_log | This key captures the Name of the event log | keyword |
+| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword |
+| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword |
+| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword |
+| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword |
+| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword |
+| rsa.misc.facility | | keyword |
+| rsa.misc.facilityname | | keyword |
+| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword |
+| rsa.misc.filter | This key captures Filter used to reduce result set | keyword |
+| rsa.misc.finterface | | keyword |
+| rsa.misc.flags | | keyword |
+| rsa.misc.forensic_info | | keyword |
+| rsa.misc.found | This is used to capture the results of regex match | keyword |
+| rsa.misc.fresult | This key captures the Filter Result | long |
+| rsa.misc.gaddr | | keyword |
+| rsa.misc.group | This key captures the Group Name value | keyword |
+| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword |
+| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword |
+| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword |
+| rsa.misc.id3 | | keyword |
+| rsa.misc.im_buddyid | | keyword |
+| rsa.misc.im_buddyname | | keyword |
+| rsa.misc.im_client | | keyword |
+| rsa.misc.im_croomid | | keyword |
+| rsa.misc.im_croomtype | | keyword |
+| rsa.misc.im_members | | keyword |
+| rsa.misc.im_userid | | keyword |
+| rsa.misc.im_username | | keyword |
+| rsa.misc.index | | keyword |
+| rsa.misc.inout | | keyword |
+| rsa.misc.ipkt | | keyword |
+| rsa.misc.ipscat | | keyword |
+| rsa.misc.ipspri | | keyword |
+| rsa.misc.job_num | This key captures the Job Number | keyword |
+| rsa.misc.jobname | | keyword |
+| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword |
+| rsa.misc.latitude | | keyword |
+| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword |
+| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long |
+| rsa.misc.linenum | | keyword |
+| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.misc.list_name | | keyword |
+| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword |
+| rsa.misc.load_data | | keyword |
+| rsa.misc.location_floor | | keyword |
+| rsa.misc.location_mark | | keyword |
+| rsa.misc.log_id | | keyword |
+| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword |
+| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword |
+| rsa.misc.log_type | | keyword |
+| rsa.misc.logid | | keyword |
+| rsa.misc.logip | | keyword |
+| rsa.misc.logname | | keyword |
+| rsa.misc.longitude | | keyword |
+| rsa.misc.lport | | keyword |
+| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword |
+| rsa.misc.match | This key is for regex match name from search.ini | keyword |
+| rsa.misc.mbug_data | | keyword |
+| rsa.misc.message_body | This key captures the The contents of the message body. | keyword |
+| rsa.misc.misc | | keyword |
+| rsa.misc.misc_name | | keyword |
+| rsa.misc.mode | | keyword |
+| rsa.misc.msgIdPart1 | | keyword |
+| rsa.misc.msgIdPart2 | | keyword |
+| rsa.misc.msgIdPart3 | | keyword |
+| rsa.misc.msgIdPart4 | | keyword |
+| rsa.misc.msg_type | | keyword |
+| rsa.misc.msgid | | keyword |
+| rsa.misc.name | | keyword |
+| rsa.misc.netsessid | | keyword |
+| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword |
+| rsa.misc.ntype | | keyword |
+| rsa.misc.num | | keyword |
+| rsa.misc.number | | keyword |
+| rsa.misc.number1 | | keyword |
+| rsa.misc.number2 | | keyword |
+| rsa.misc.nwwn | | keyword |
+| rsa.misc.obj_name | This is used to capture name of object | keyword |
+| rsa.misc.obj_type | This is used to capture type of object | keyword |
+| rsa.misc.object | | keyword |
+| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword |
+| rsa.misc.operation | | keyword |
+| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword |
+| rsa.misc.opkt | | keyword |
+| rsa.misc.orig_from | | keyword |
+| rsa.misc.owner_id | | keyword |
+| rsa.misc.p_action | | keyword |
+| rsa.misc.p_filter | | keyword |
+| rsa.misc.p_group_object | | keyword |
+| rsa.misc.p_id | | keyword |
+| rsa.misc.p_msgid | | keyword |
+| rsa.misc.p_msgid1 | | keyword |
+| rsa.misc.p_msgid2 | | keyword |
+| rsa.misc.p_result1 | | keyword |
+| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword |
+| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword |
+| rsa.misc.param_src | This key captures source parameter | keyword |
+| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword |
+| rsa.misc.password_chg | | keyword |
+| rsa.misc.password_expire | | keyword |
+| rsa.misc.payload_dst | This key is used to capture destination payload | keyword |
+| rsa.misc.payload_src | This key is used to capture source payload | keyword |
+| rsa.misc.permgranted | | keyword |
+| rsa.misc.permwanted | | keyword |
+| rsa.misc.pgid | | keyword |
+| rsa.misc.phone | | keyword |
+| rsa.misc.pid | | keyword |
+| rsa.misc.policy | | keyword |
+| rsa.misc.policyUUID | | keyword |
+| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword |
+| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword |
+| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword |
+| rsa.misc.policy_waiver | | keyword |
+| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword |
+| rsa.misc.pool_name | This key captures the name of a resource pool | keyword |
+| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword |
+| rsa.misc.priority | | keyword |
+| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword |
+| rsa.misc.prog_asp_num | | keyword |
+| rsa.misc.program | | keyword |
+| rsa.misc.real_data | | keyword |
+| rsa.misc.reason | | keyword |
+| rsa.misc.rec_asp_device | | keyword |
+| rsa.misc.rec_asp_num | | keyword |
+| rsa.misc.rec_library | | keyword |
+| rsa.misc.recordnum | | keyword |
+| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword |
+| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword |
+| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword |
+| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword |
+| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword |
+| rsa.misc.risk | This key captures the non-numeric risk value | keyword |
+| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword |
+| rsa.misc.risk_num | This key captures a Numeric Risk value | double |
+| rsa.misc.risk_num_comm | This key captures Risk Number Community | double |
+| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double |
+| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double |
+| rsa.misc.risk_num_static | This key captures Risk Number Static | double |
+| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword |
+| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword |
+| rsa.misc.ruid | | keyword |
+| rsa.misc.rule | This key captures the Rule number | keyword |
+| rsa.misc.rule_group | This key captures the Rule group name | keyword |
+| rsa.misc.rule_name | This key captures the Rule Name | keyword |
+| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword |
+| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword |
+| rsa.misc.sburb | | keyword |
+| rsa.misc.sdomain_fld | | keyword |
+| rsa.misc.search_text | This key captures the Search Text used | keyword |
+| rsa.misc.sec | | keyword |
+| rsa.misc.second | | keyword |
+| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword |
+| rsa.misc.sensorname | | keyword |
+| rsa.misc.seqnum | | keyword |
+| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword |
+| rsa.misc.session | | keyword |
+| rsa.misc.sessiontype | | keyword |
+| rsa.misc.severity | This key is used to capture the severity given the session | keyword |
+| rsa.misc.sigUUID | | keyword |
+| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long |
+| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long |
+| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword |
+| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword |
+| rsa.misc.sigcat | | keyword |
+| rsa.misc.snmp_oid | SNMP Object Identifier | keyword |
+| rsa.misc.snmp_value | SNMP set request value | keyword |
+| rsa.misc.space | | keyword |
+| rsa.misc.space1 | | keyword |
+| rsa.misc.spi | | keyword |
+| rsa.misc.spi_dst | Destination SPI Index | keyword |
+| rsa.misc.spi_src | Source SPI Index | keyword |
+| rsa.misc.sql | This key captures the SQL query | keyword |
+| rsa.misc.srcburb | | keyword |
+| rsa.misc.srcdom | | keyword |
+| rsa.misc.srcservice | | keyword |
+| rsa.misc.state | | keyword |
+| rsa.misc.status | | keyword |
+| rsa.misc.status1 | | keyword |
+| rsa.misc.streams | This key captures number of streams in session | long |
+| rsa.misc.subcategory | | keyword |
+| rsa.misc.svcno | | keyword |
+| rsa.misc.system | | keyword |
+| rsa.misc.tbdstr1 | | keyword |
+| rsa.misc.tbdstr2 | | keyword |
+| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long |
+| rsa.misc.terminal | This key captures the Terminal Names only | keyword |
+| rsa.misc.tgtdom | | keyword |
+| rsa.misc.tgtdomain | | keyword |
+| rsa.misc.threshold | | keyword |
+| rsa.misc.tos | This key describes the type of service | long 
|
+| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword |
+| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword |
+| rsa.misc.type | | keyword |
+| rsa.misc.type1 | | keyword |
+| rsa.misc.udb_class | | keyword |
+| rsa.misc.url_fld | | keyword |
+| rsa.misc.user_div | | keyword |
+| rsa.misc.userid | | keyword |
+| rsa.misc.username_fld | | keyword |
+| rsa.misc.utcstamp | | keyword |
+| rsa.misc.v_instafname | | keyword |
+| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword |
+| rsa.misc.virt_data | | keyword |
+| rsa.misc.virusname | This key captures the name of the virus | keyword |
+| rsa.misc.vm_target | VMWare Target **VMWARE** only varaible. | keyword |
+| rsa.misc.vpnid | | keyword |
+| rsa.misc.vsys | This key captures Virtual System Name | keyword |
+| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword |
+| rsa.misc.workspace | This key captures Workspace Description | keyword |
+| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword |
+| rsa.network.addr | | keyword |
+| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword |
+| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword |
+| rsa.network.dmask | This key is used for Destionation Device network mask | keyword |
+| rsa.network.dns_a_record | | keyword |
+| rsa.network.dns_cname_record | | keyword |
+| rsa.network.dns_id | | keyword |
+| rsa.network.dns_opcode | | keyword |
+| rsa.network.dns_ptr_record | | keyword |
+| rsa.network.dns_resp | | keyword |
+| rsa.network.dns_type | | keyword |
+| rsa.network.domain | | keyword |
+| rsa.network.domain1 | | keyword |
+| rsa.network.eth_host | Deprecated, use alias.mac | keyword |
+| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long |
+| rsa.network.faddr | | keyword |
+| rsa.network.fhost | | keyword |
+| rsa.network.fport | | keyword |
+| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword |
+| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword |
+| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword |
+| rsa.network.host_type | | keyword |
+| rsa.network.icmp_code | This key is used to capture the ICMP code only | long |
+| rsa.network.icmp_type | This key is used to capture the ICMP type only | long |
+| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword |
+| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long |
+| rsa.network.laddr | | keyword |
+| rsa.network.lhost | | keyword |
+| rsa.network.linterface | | keyword |
+| rsa.network.mask | This key is used to capture the device network IPmask. | keyword |
+| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword |
+| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long |
+| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword |
+| rsa.network.origin | | keyword |
+| rsa.network.packet_length | | keyword |
+| rsa.network.paddr | Deprecated | ip |
+| rsa.network.phost | | keyword |
+| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long |
+| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword |
+| rsa.network.remote_domain_id | | keyword |
+| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword |
+| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword |
+| rsa.network.smask | This key is used for capturing source Network Mask | keyword |
+| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long |
+| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword |
+| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword |
+| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword |
+| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword |
+| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword |
+| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword |
+| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword |
+| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword |
+| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword |
+| rsa.threat.alert | This key is used to capture name of the alert | keyword |
+| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword |
+| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword |
+| rsa.threat.threat_source | This key is used to capture source of the threat | keyword |
+| rsa.time.date | | keyword |
+| rsa.time.datetime | | keyword |
+| rsa.time.day | | keyword |
+| rsa.time.duration_str | A text string version of the duration | keyword |
+| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double |
+| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date |
+| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date |
+| rsa.time.event_queue_time | This key is the Time that the event was queued. | date |
+| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date |
+| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword |
+| rsa.time.eventtime | | keyword |
+| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date |
+| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword |
+| rsa.time.gmtdate | | keyword |
+| rsa.time.gmttime | | keyword |
+| rsa.time.hour | | keyword |
+| rsa.time.min | | keyword |
+| rsa.time.month | | keyword |
+| rsa.time.p_date | | keyword |
+| rsa.time.p_month | | keyword |
+| rsa.time.p_time | | keyword |
+| rsa.time.p_time1 | | keyword |
+| rsa.time.p_time2 | | keyword |
+| rsa.time.p_year | | keyword |
+| rsa.time.process_time | Deprecated, use duration.time | keyword |
+| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date |
+| rsa.time.stamp | Deprecated key defined only in table map. | date |
+| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date |
+| rsa.time.timestamp | | keyword |
+| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword |
+| rsa.time.tzone | | keyword |
+| rsa.time.year | | keyword |
+| rsa.web.alias_host | | keyword |
+| rsa.web.cn_asn_dst | | keyword |
+| rsa.web.cn_rpackets | | keyword |
+| rsa.web.fqdn | Fully Qualified Domain Names | keyword |
+| rsa.web.p_url | | keyword |
+| rsa.web.p_user_agent | | keyword |
+| rsa.web.p_web_cookie | | keyword |
+| rsa.web.p_web_method | | keyword |
+| rsa.web.p_web_referer | | keyword |
+| rsa.web.remote_domain | | keyword |
+| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double |
+| rsa.web.urlpage | | keyword |
+| rsa.web.urlroot | | keyword |
+| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword |
+| rsa.web.web_extension_tmp | | keyword |
+| rsa.web.web_page | | keyword |
+| rsa.web.web_ref_domain | Web referer's domain | keyword |
+| rsa.web.web_ref_page | This key captures Web referer's page information | keyword |
+| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword |
+| rsa.web.web_ref_root | Web referer's root URL path | keyword |
+| rsa.wireless.access_point | This key is used to capture the access point name. | keyword |
+| rsa.wireless.wlan_channel | This is used to capture the channel names | long |
+| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword |
+| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword |
+| rule.name | The name of the rule or signature generating the event. | keyword |
+| server.domain | Server domain. | keyword |
+| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.domain | Source domain. | keyword |
+| source.geo.city_name | City name. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location.lat | | double |
+| source.geo.location.lon | | double |
+| source.ip | IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.
| ip |
+| source.mac | MAC address of the source. | keyword |
+| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
+| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
+| source.port | Port of the source. | long |
+| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | keyword |
+| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword |
+| url.path | Path of the request, such as "/search". | keyword |
+| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
+| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com".
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.id | Unique identifiers of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user_agent.original | Unparsed user_agent string. | keyword |
diff --git a/packages/imperva/0.1.0/manifest.yml b/packages/imperva/0.1.0/manifest.yml
new file mode 100644
index 0000000000..1df618e4ac
--- /dev/null
+++ b/packages/imperva/0.1.0/manifest.yml
@@ -0,0 +1,31 @@
+format_version: 1.0.0
+name: imperva
+title: Imperva SecureSphere
+version: 0.1.0
+description: Imperva SecureSphere Integration
+categories: ["network","security"]
+release: experimental
+removable: true
+license: basic
+type: integration
+conditions:
+ kibana:
+ version: '>=7.9.0'
+ elasticsearch:
+ version: '>=7.9.0'
+config_templates:
+- name: securesphere
+ title: Imperva SecureSphere
+ description: Collect Imperva SecureSphere logs from syslog or a file.
+ inputs:
+ - type: udp
+ title: Collect logs from Imperva SecureSphere via UDP
+ description: Collecting syslog from Imperva SecureSphere via UDP
+ - type: tcp
+ title: Collect logs from Imperva SecureSphere via TCP
+ description: Collecting syslog from Imperva SecureSphere via TCP
+ - type: file
+ title: Collect logs from Imperva SecureSphere via file
+ description: Collecting syslog from Imperva SecureSphere via file.
+# No icon
+icons:
diff --git a/packages/infoblox/0.1.0/dataset/nios/agent/stream/stream.yml.hbs b/packages/infoblox/0.1.0/dataset/nios/agent/stream/stream.yml.hbs
new file mode 100644
index 0000000000..439a9fc8e4
--- /dev/null
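Review bot: The trailing `icons:` key in the new manifest is left with no value, which YAML parses as null rather than an empty list; if the package spec expects a list there, `icons: []` is the explicit form, and otherwise the key can be dropped entirely since the `# No icon` comment already states that none is shipped — confirm which form the spec accepts. The three input descriptions are also punctuated inconsistently: `description: Collecting syslog from Imperva SecureSphere via file.` ends with a period while the UDP and TCP entries do not, so either drop that period or add one to all three so the rendered input list reads uniformly.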
+++ b/packages/infoblox/0.1.0/dataset/nios/agent/stream/stream.yml.hbs 
@@ -0,0 +1,6067 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Infoblox"
+ product: "Network"
+ type: "IPAM"
+publisher_pipeline.disable_host: true
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{rsa_fields}}
+ tz_offset: {{tz_offset}}
+ keep_raw: {{keep_raw_fields}}
+ debug: {{debug}}
+ source: |
+ // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ // or more contributor license agreements. Licensed under the Elastic License;
+ // you may not use this file except in compliance with the Elastic License.
+
+ /* jshint -W014,-W016,-W097,-W116 */
+
+ var processor = require("processor");
+ var console = require("console");
+
+ var FLAG_FIELD = "log.flags";
+ var FIELDS_OBJECT = "nwparser";
+ var FIELDS_PREFIX = FIELDS_OBJECT + ".";
+
+ var defaults = {
+ debug: false,
+ ecs: true,
+ rsa: false,
+ keep_raw: false,
+ tz_offset: "local",
+ strip_priority: true
+ };
+
+ var saved_flags = null;
+ var debug;
+ var map_ecs;
+ var map_rsa;
+ var keep_raw;
+ var device;
+ var tz_offset;
+ var strip_priority;
+
+ // Register params from configuration.
+ function register(params) {
+ debug = params.debug !== undefined ? params.debug : defaults.debug;
+ map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
+ map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
+ keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
+ tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
+ strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority;
+ device = new DeviceProcessor();
+ }
+
+ function parse_tz_offset(offset) {
+ var date;
+ var m;
+ switch(offset) {
+ // local uses the tz offset from the JS VM.
+ case "local":
+ date = new Date();
+ // Reversing the sign as we the offset from UTC, not to UTC.
+ return parse_local_tz_offset(-date.getTimezoneOffset());
+ // event uses the tz offset from event.timezone (add_locale processor).
+ case "event":
+ return offset;
+ // Otherwise a tz offset in the form "[+-][0-9]{4}" is required.
+ default:
+ m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/);
+ if (m === null || m.length !== 4) {
+ throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM");
+ }
+ return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00");
+ }
+ }
+
+ function parse_local_tz_offset(minutes) {
+ var neg = minutes < 0;
+ minutes = Math.abs(minutes);
+ var min = minutes % 60;
+ var hours = Math.floor(minutes / 60);
+ var pad2digit = function(n) {
+ if (n < 10) { return "0" + n;}
+ return "" + n;
+ };
+ return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min);
+ }
+
+ function process(evt) {
+ // Function register is only called by the processor when `params` are set
+ // in the processor config.
+ if (device === undefined) {
+ register(defaults);
+ }
+ return device.process(evt);
+ }
+
+ function processor_chain(subprocessors) {
+ var builder = new processor.Chain();
+ subprocessors.forEach(builder.Add);
+ return builder.Build().Run;
+ }
+
+ function linear_select(subprocessors) {
+ return function (evt) {
+ var flags = evt.Get(FLAG_FIELD);
+ var i;
+ for (i = 0; i < subprocessors.length; i++) {
+ evt.Delete(FLAG_FIELD);
+ if (debug) console.warn("linear_select trying entry " + i);
+ subprocessors[i](evt);
+ // Dissect processor succeeded?
+ if (evt.Get(FLAG_FIELD) == null) break;
+ if (debug) console.warn("linear_select failed entry " + i);
+ }
+ if (flags !== null) {
+ evt.Put(FLAG_FIELD, flags);
+ }
+ if (debug) {
+ if (i < subprocessors.length) {
+ console.warn("linear_select matched entry " + i);
+ } else {
+ console.warn("linear_select didn't match");
+ }
+ }
+ };
+ }
+
+ function conditional(opt) {
+ return function(evt) {
+ if (opt.if(evt)) {
+ opt.then(evt);
+ } else if (opt.else) {
+ opt.else(evt);
+ }
+ };
+ }
+
+ var strip_syslog_priority = (function() {
+ var isEnabled = function() { return strip_priority === true; };
+ var fetchPRI = field("_pri");
+ var fetchPayload = field("payload");
+ var removePayload = remove(["payload"]);
+ var cleanup = remove(["_pri", "payload"]);
+ var onMatch = function(evt) {
+ var pri, priStr = fetchPRI(evt);
+ if (priStr != null
+ && 0 < priStr.length && priStr.length < 4
+ && !isNaN((pri = Number(priStr)))
+ && 0 <= pri && pri < 192) {
+ var severity = pri & 7,
+ facility = pri >> 3;
+ setc("_severity", "" + severity)(evt);
+ setc("_facility", "" + facility)(evt);
+ // Replace message with priority stripped.
+ evt.Put("message", fetchPayload(evt));
+ removePayload(evt);
+ } else {
+ // not a valid syslog PRI, cleanup.
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} (%{dhost}) via %{p0}"); + + var dup21 = match("MESSAGE#25:dhcpd:03/1_1", "nwparser.p0", "%{dmacaddr->} via %{p0}"); + + var dup22 = setc("action","DHCPRELEASE"); + + var dup23 = setc("action","DHCPDISCOVER"); + + var dup24 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} from %{p0}"); + + var dup25 = match("MESSAGE#28:dhcpd:09/1_0", "nwparser.p0", "%{smacaddr->} (%{shost}) via %{p0}"); + + var dup26 = match("MESSAGE#28:dhcpd:09/1_1", "nwparser.p0", "%{smacaddr->} via %{p0}"); + + var dup27 = setc("action","DHCPREQUEST"); + + var dup28 = match("MESSAGE#31:dhcpd:11/2", "nwparser.p0", "%{} %{interface}"); + + var dup29 = setc("event_description","unknown network segment"); + + var dup30 = date_time({ + dest: "event_time", + args: ["month","day","time"], + fmts: [ + [dB,dF,dZ], + ], + }); + + var dup31 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{} %{interface->} relay %{fld1->} lease-duration %{duration}"); + + var dup32 = setc("action","DHCPACK"); + + var dup33 = match("MESSAGE#53:named:16/1_0", "nwparser.p0", "approved %{}"); + + var dup34 = match("MESSAGE#53:named:16/1_1", "nwparser.p0", " denied%{}"); + + var dup35 = setf("domain","zone"); + + var dup36 = match("MESSAGE#56:named:01/0", "nwparser.payload", "client %{saddr}#%{p0}"); + + var dup37 = match("MESSAGE#57:named:17/1_0", "nwparser.p0", "IN%{p0}"); + + var dup38 = match("MESSAGE#57:named:17/1_1", "nwparser.p0", "CH%{p0}"); + + var dup39 = match("MESSAGE#57:named:17/1_2", "nwparser.p0", "HS%{p0}"); + + var dup40 = match("MESSAGE#57:named:17/3_1", "nwparser.p0", "%{action->} at '%{p0}"); + + var dup41 = match("MESSAGE#57:named:17/4_0", "nwparser.p0", "%{hostip}.in-addr.arpa' %{p0}"); + + var dup42 = match("MESSAGE#57:named:17/5_0", "nwparser.p0", "%{dns_querytype->} \"%{fld3}\""); + + var dup43 = match("MESSAGE#57:named:17/5_1", "nwparser.p0", "%{dns_querytype->} 
%{hostip}"); + + var dup44 = match("MESSAGE#57:named:17/5_2", "nwparser.p0", "%{dns_querytype}"); + + var dup45 = setc("event_description","updating zone"); + + var dup46 = match("MESSAGE#60:named:19/2", "nwparser.p0", "%{event_description}"); + + var dup47 = setf("domain","hostname"); + + var dup48 = setc("eventcategory","1801010000"); + + var dup49 = setc("ec_activity","Request"); + + var dup50 = match("MESSAGE#67:named:63/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: client %{p0}"); + + var dup51 = match("MESSAGE#67:named:63/1_0", "nwparser.p0", "%{fld9->} %{saddr}#%{p0}"); + + var dup52 = match("MESSAGE#67:named:63/1_1", "nwparser.p0", " %{saddr}#%{p0}"); + + var dup53 = match("MESSAGE#74:named:10/1_3", "nwparser.p0", "%{sport}:%{p0}"); + + var dup54 = setc("action","Refused"); + + var dup55 = setf("dns_querytype","event_description"); + + var dup56 = setc("eventcategory","1901000000"); + + var dup57 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{p0}"); + + var dup58 = setc("eventcategory","1801000000"); + + var dup59 = setf("zone","domain"); + + var dup60 = date_time({ + dest: "event_time", + args: ["month","day","time"], + fmts: [ + [dB,dD,dZ], + ], + }); + + var dup61 = setf("info","hdata"); + + var dup62 = setc("eventcategory","1301000000"); + + var dup63 = setc("eventcategory","1303000000"); + + var dup64 = match("MESSAGE#7:httpd:06", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var dup65 = linear_select([ + dup17, + dup18, + ]); + + var dup66 = linear_select([ + dup20, + dup21, + ]); + + var dup67 = linear_select([ + dup25, + dup26, + ]); + + var dup68 = match("MESSAGE#204:dhcpd:37", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var dup69 = linear_select([ + dup33, + dup34, + ]); + + var dup70 = linear_select([ + dup37, + dup38, + dup39, + ]); + + var dup71 = linear_select([ + dup42, + 
dup43, + dup44, + ]); + + var dup72 = linear_select([ + dup51, + dup52, + ]); + + var dup73 = match("MESSAGE#118:validate_dhcpd", "nwparser.payload", "%{event_description}", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var dup74 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action->} : %{event_description->} (code=%{resultcode})", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var dup75 = match("MESSAGE#137:openvpn-member:04", "nwparser.payload", "%{severity}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var dup76 = match("MESSAGE#225:syslog", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, + dup61, + ])); + + var hdr1 = match("HEADER#0:006/0", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{p0}"); + + var part1 = match("HEADER#0:006/1_0", "nwparser.p0", "%{hhostip->} %{messageid}[%{data}]: %{p0}"); + + var part2 = match("HEADER#0:006/1_1", "nwparser.p0", "%{hhostip->} %{messageid}: %{p0}"); + + var select1 = linear_select([ + part1, + part2, + ]); + + var part3 = match("HEADER#0:006/2", "nwparser.p0", "%{payload}"); + + var all1 = all_match({ + processors: [ + hdr1, + select1, + part3, + ], + on_success: processor_chain([ + setc("header_id","006"), + ]), + }); + + var hdr2 = match("HEADER#1:001", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{messageid}[%{data}]: %{payload}", processor_chain([ + setc("header_id","001"), + ])); + + var hdr3 = match("HEADER#2:005", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{hdata}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","005"), + ])); + + var hdr4 = match("HEADER#3:002/0", "message", "%{month->} %{day->} %{time->} %{p0}"); + + var part4 = match("HEADER#3:002/1_0", "nwparser.p0", "%{hhostname->} -%{messageid}:%{p0}"); + + var part5 = match("HEADER#3:002/1_1", "nwparser.p0", "%{hhostname->} %{messageid}:%{p0}"); + + var select2 = linear_select([ + part4, + part5, + 
]); + + var part6 = match("HEADER#3:002/2", "nwparser.p0", "%{} %{payload}"); + + var all2 = all_match({ + processors: [ + hdr4, + select2, + part6, + ], + on_success: processor_chain([ + setc("header_id","002"), + ]), + }); + + var hdr5 = match("HEADER#4:0003", "message", "%{messageid}[%{data}]: %{payload}", processor_chain([ + setc("header_id","0003"), + ])); + + var hdr6 = match("HEADER#5:0004", "message", "%{messageid}: %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var hdr7 = match("HEADER#6:0005", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{fld1->} |%{messageid->} |%{payload}", processor_chain([ + setc("header_id","0005"), + ])); + + var select3 = linear_select([ + all1, + hdr2, + hdr3, + all2, + hdr5, + hdr6, + hdr7, + ]); + + var part7 = match("MESSAGE#0:httpd", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Logout - - ip=%{saddr->} group=%{group->} trigger_event=%{event_description}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + ])); + + var msg1 = msg("httpd", part7); + + var part8 = match("MESSAGE#1:httpd:01", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Allowed - - to=%{fld4->} ip=%{saddr->} auth=%{authmethod->} group=%{group->} apparently_via=%{info}", processor_chain([ + dup9, + dup2, + dup3, + dup10, + dup5, + dup6, + dup7, + dup8, + ])); + + var msg2 = msg("httpd:01", part8); + + var part9 = match("MESSAGE#2:httpd:02", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Called - %{action->} message=%{info}", processor_chain([ + dup11, + dup6, + dup7, + dup8, + ])); + + var msg3 = msg("httpd:02", part9); + + var part10 = match("MESSAGE#3:httpd:03", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Created HostAddress %{hostip}: Set address=\"%{saddr}\",configure_for_dhcp=%{fld10},match_option=\"%{info}\",parent=%{context}", processor_chain([ + dup11, + dup6, + dup7, + dup8, + ])); + + var msg4 = 
msg("httpd:03", part10); + + var part11 = match("MESSAGE#4:httpd:04", "nwparser.payload", "%{shost}: %{fld1->} authentication for user %{username->} failed", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg5 = msg("httpd:04", part11); + + var part12 = match("MESSAGE#5:httpd:05", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Called - %{event_description}", processor_chain([ + dup12, + dup6, + dup7, + dup8, + ])); + + var msg6 = msg("httpd:05", part12); + + var part13 = match("MESSAGE#6:httpd:07", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Denied - - to=%{terminal->} ip=%{saddr->} info=%{info}", processor_chain([ + dup13, + dup2, + dup3, + dup10, + dup14, + dup6, + dup7, + dup8, + ])); + + var msg7 = msg("httpd:07", part13); + + var msg8 = msg("httpd:06", dup64); + + var select4 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + ]); + + var part14 = match("MESSAGE#8:in.tftpd:01", "nwparser.payload", "RRQ from %{saddr->} filename %(unknown)", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","RRQ from remote host"), + ])); + + var msg9 = msg("in.tftpd:01", part14); + + var part15 = match("MESSAGE#9:in.tftpd:02", "nwparser.payload", "sending NAK (%{resultcode}, %{result}) to %{daddr}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","sending NAK to remote host"), + ])); + + var msg10 = msg("in.tftpd:02", part15); + + var part16 = match("MESSAGE#10:in.tftpd", "nwparser.payload", "connection refused from %{saddr}", processor_chain([ + setc("eventcategory","1801030000"), + dup6, + dup8, + ])); + + var msg11 = msg("in.tftpd", part16); + + var select5 = linear_select([ + msg9, + msg10, + msg11, + ]); + + var part17 = match("MESSAGE#11:dhcpd:12/0", "nwparser.payload", "%{event_type}: received a REQUEST DHCP packet from relay-agent %{interface->} with a circuit-id of \"%{id}\" and remote-id of \"%{smacaddr}\" for %{hostip->} (%{dmacaddr}) lease 
time is %{p0}"); + + var part18 = match("MESSAGE#11:dhcpd:12/1_0", "nwparser.p0", "undefined %{p0}"); + + var part19 = match("MESSAGE#11:dhcpd:12/1_1", "nwparser.p0", "%{duration->} %{p0}"); + + var select6 = linear_select([ + part18, + part19, + ]); + + var part20 = match("MESSAGE#11:dhcpd:12/2", "nwparser.p0", "%{}seconds"); + + var all3 = all_match({ + processors: [ + part17, + select6, + part20, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","received a REQUEST DHCP packet from relay-agent"), + ]), + }); + + var msg12 = msg("dhcpd:12", all3); + + var part21 = match("MESSAGE#12:dhcpd:21", "nwparser.payload", "bind update on %{hostip->} from %{hostname}(%{fld1}) rejected: %{result}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","bind update rejected"), + ])); + + var msg13 = msg("dhcpd:21", part21); + + var part22 = match("MESSAGE#13:dhcpd:10", "nwparser.payload", "Unable to add forward map from %{shost->} %{fld1}to %{daddr}: %{result}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Unable to add forward map"), + ])); + + var msg14 = msg("dhcpd:10", part22); + + var part23 = match("MESSAGE#14:dhcpd:13", "nwparser.payload", "Average %{fld1->} dynamic DNS update latency: %{result->} micro seconds", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Average dynamic DNS update latency"), + ])); + + var msg15 = msg("dhcpd:13", part23); + + var part24 = match("MESSAGE#15:dhcpd:15", "nwparser.payload", "Dynamic DNS update timeout count in last %{info->} minutes: %{result}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Dynamic DNS update timeout count"), + ])); + + var msg16 = msg("dhcpd:15", part24); + + var part25 = match("MESSAGE#16:dhcpd:22", "nwparser.payload", "Removed forward map from %{shost->} %{fld1}to %{daddr}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Removed forward map"), + ])); + + var msg17 
= msg("dhcpd:22", part25); + + var part26 = match("MESSAGE#17:dhcpd:25", "nwparser.payload", "Removed reverse map on %{hostname}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Removed reverse map"), + ])); + + var msg18 = msg("dhcpd:25", part26); + + var part27 = match("MESSAGE#18:dhcpd:06", "nwparser.payload", "received shutdown -/-/ %{result}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","received shutdown"), + ])); + + var msg19 = msg("dhcpd:06", part27); + + var part28 = match("MESSAGE#19:dhcpd:18/2", "nwparser.p0", "%{}new forward map from %{hostname->} %{space->} %{daddr}"); + + var all4 = all_match({ + processors: [ + dup16, + dup65, + part28, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Added new forward map"), + ]), + }); + + var msg20 = msg("dhcpd:18", all4); + + var part29 = match("MESSAGE#20:dhcpd:19/2", "nwparser.p0", "%{}reverse map from %{hostname->} %{space->} %{daddr}"); + + var all5 = all_match({ + processors: [ + dup16, + dup65, + part29, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","added reverse map"), + ]), + }); + + var msg21 = msg("dhcpd:19", all5); + + var part30 = match("MESSAGE#21:dhcpd", "nwparser.payload", "Abandoning IP address %{hostip}: declined", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Abandoning IP declined"), + ])); + + var msg22 = msg("dhcpd", part30); + + var part31 = match("MESSAGE#22:dhcpd:30", "nwparser.payload", "Abandoning IP address %{hostip}: pinged before offer", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Abandoning IP pinged before offer"), + ])); + + var msg23 = msg("dhcpd:30", part31); + + var part32 = match("MESSAGE#23:dhcpd:01", "nwparser.payload", "DHCPDECLINE of %{saddr->} from %{smacaddr->} (%{shost}) via %{interface}: %{info}", processor_chain([ + dup15, + dup6, + dup8, + dup19, + ])); + + var msg24 = 
msg("dhcpd:01", part32); + + var part33 = match("MESSAGE#24:dhcpd:02", "nwparser.payload", "DHCPDECLINE of %{saddr->} from %{smacaddr->} via %{interface}: %{info}", processor_chain([ + dup15, + dup6, + dup8, + dup19, + ])); + + var msg25 = msg("dhcpd:02", part33); + + var part34 = match("MESSAGE#25:dhcpd:03/0", "nwparser.payload", "DHCPRELEASE of %{saddr->} from %{p0}"); + + var part35 = match("MESSAGE#25:dhcpd:03/2", "nwparser.p0", "%{} %{interface->} (%{info})"); + + var all6 = all_match({ + processors: [ + part34, + dup66, + part35, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup22, + ]), + }); + + var msg26 = msg("dhcpd:03", all6); + + var part36 = match("MESSAGE#26:dhcpd:04", "nwparser.payload", "DHCPDISCOVER from %{smacaddr->} via %{interface}: network %{mask}: %{info}", processor_chain([ + dup12, + dup6, + dup8, + dup23, + ])); + + var msg27 = msg("dhcpd:04", part36); + + var part37 = match("MESSAGE#27:dhcpd:07/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} %{p0}"); + + var part38 = match("MESSAGE#27:dhcpd:07/1_0", "nwparser.p0", "(%{shost}) from %{p0}"); + + var part39 = match("MESSAGE#27:dhcpd:07/1_1", "nwparser.p0", "from %{p0}"); + + var select7 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#27:dhcpd:07/2", "nwparser.p0", "%{} %{smacaddr->} (%{hostname}) via %{interface}: ignored (%{result})"); + + var all7 = all_match({ + processors: [ + part37, + select7, + part40, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + setc("action","DHCPREQUEST ignored"), + ]), + }); + + var msg28 = msg("dhcpd:07", all7); + + var part41 = match("MESSAGE#28:dhcpd:09/2", "nwparser.p0", "%{} %{interface}: wrong network"); + + var all8 = all_match({ + processors: [ + dup24, + dup67, + part41, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup27, + setc("result","wrong network"), + ]), + }); + + var msg29 = msg("dhcpd:09", all8); + + var part42 = match("MESSAGE#29:dhcpd:26/2", "nwparser.p0", 
"%{} %{interface}: lease %{hostip->} unavailable"); + + var all9 = all_match({ + processors: [ + dup24, + dup67, + part42, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + dup27, + setc("result","lease unavailable"), + ]), + }); + + var msg30 = msg("dhcpd:26", all9); + + var part43 = match("MESSAGE#30:dhcpd:08", "nwparser.payload", "DHCPREQUEST for %{saddr->} (%{shost}) from %{smacaddr->} (%{hostname}) via %{interface}", processor_chain([ + dup12, + dup6, + dup8, + dup27, + ])); + + var msg31 = msg("dhcpd:08", part43); + + var all10 = all_match({ + processors: [ + dup24, + dup67, + dup28, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup27, + ]), + }); + + var msg32 = msg("dhcpd:11", all10); + + var part44 = match("MESSAGE#32:dhcpd:31", "nwparser.payload", "DHCPRELEASE from %{smacaddr->} via %{saddr}: unknown network segment", processor_chain([ + dup12, + dup6, + dup8, + dup22, + dup29, + ])); + + var msg33 = msg("dhcpd:31", part44); + + var part45 = match("MESSAGE#33:dhcpd:32", "nwparser.payload", "BOOTREQUEST from %{smacaddr->} via %{saddr}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + setc("action","BOOTREQUEST"), + dup30, + ])); + + var msg34 = msg("dhcpd:32", part45); + + var part46 = match("MESSAGE#34:dhcpd:33", "nwparser.payload", "Reclaiming abandoned lease %{saddr}.", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Reclaiming abandoned lease"), + ])); + + var msg35 = msg("dhcpd:33", part46); + + var part47 = match("MESSAGE#35:dhcpd:34/0", "nwparser.payload", "balanc%{p0}"); + + var part48 = match("MESSAGE#35:dhcpd:34/1_0", "nwparser.p0", "ed%{p0}"); + + var part49 = match("MESSAGE#35:dhcpd:34/1_1", "nwparser.p0", "ing%{p0}"); + + var select8 = linear_select([ + part48, + part49, + ]); + + var part50 = match("MESSAGE#35:dhcpd:34/2", "nwparser.p0", "%{}pool %{fld1->} %{saddr}/%{sport->} total %{fld2->} free %{fld3->} backup %{fld4->} lts %{fld5->} max-%{fld6->} %{p0}"); + + var 
part51 = match("MESSAGE#35:dhcpd:34/3_0", "nwparser.p0", "(+/-)%{fld7}(%{info})"); + + var part52 = match("MESSAGE#35:dhcpd:34/3_1", "nwparser.p0", "(+/-)%{fld7}"); + + var part53 = match("MESSAGE#35:dhcpd:34/3_2", "nwparser.p0", "%{fld7}"); + + var select9 = linear_select([ + part51, + part52, + part53, + ]); + + var all11 = all_match({ + processors: [ + part47, + select8, + part50, + select9, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), + }); + + var msg36 = msg("dhcpd:34", all11); + + var part54 = match("MESSAGE#36:dhcpd:35", "nwparser.payload", "Unable to add reverse map from %{shost->} to %{dhost}: REFUSED", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description"," Unable to add reverse map"), + ])); + + var msg37 = msg("dhcpd:35", part54); + + var part55 = match("MESSAGE#37:dhcpd:36", "nwparser.payload", "Forward map from %{shost->} %{fld2}to %{daddr->} FAILED: %{fld1}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description"," Forward map failed"), + ])); + + var msg38 = msg("dhcpd:36", part55); + + var part56 = match("MESSAGE#38:dhcpd:14/0", "nwparser.payload", "DHCPACK on %{saddr->} to %{p0}"); + + var all12 = all_match({ + processors: [ + part56, + dup66, + dup31, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup32, + ]), + }); + + var msg39 = msg("dhcpd:14", all12); + + var part57 = match("MESSAGE#39:dhcpd:24/0", "nwparser.payload", "DHCPOFFER on %{saddr->} to %{p0}"); + + var part58 = match("MESSAGE#39:dhcpd:24/1_0", "nwparser.p0", "\"%{dmacaddr}\" (%{dhost}) via %{p0}"); + + var select10 = linear_select([ + part58, + dup20, + dup21, + ]); + + var all13 = all_match({ + processors: [ + part57, + select10, + dup31, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + setc("action","DHCPOFFER"), + ]), + }); + + var msg40 = msg("dhcpd:24", all13); + + var part59 = match("MESSAGE#40:dhcpd:17", "nwparser.payload", "DHCPNAK on %{saddr->} to %{dmacaddr->} via %{interface}", 
processor_chain([ + dup12, + dup6, + dup8, + setc("action","DHCPNAK"), + ])); + + var msg41 = msg("dhcpd:17", part59); + + var part60 = match("MESSAGE#41:dhcpd:05/0", "nwparser.payload", "DHCPDISCOVER from %{p0}"); + + var all14 = all_match({ + processors: [ + part60, + dup67, + dup28, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup23, + ]), + }); + + var msg42 = msg("dhcpd:05", all14); + + var part61 = match("MESSAGE#42:dhcpd:16", "nwparser.payload", "DHCPACK to %{daddr->} (%{dmacaddr}) via %{interface}", processor_chain([ + dup12, + dup6, + dup8, + dup32, + ])); + + var msg43 = msg("dhcpd:16", part61); + + var part62 = match("MESSAGE#43:dhcpd:20", "nwparser.payload", "DHCPINFORM from %{saddr->} via %{interface}", processor_chain([ + dup12, + dup6, + dup8, + setc("action","DHCPINFORM"), + ])); + + var msg44 = msg("dhcpd:20", part62); + + var part63 = match("MESSAGE#44:dhcpd:23", "nwparser.payload", "DHCPEXPIRE on %{saddr->} to %{dmacaddr}", processor_chain([ + dup12, + dup6, + dup8, + setc("action","DHCPEXPIRE"), + ])); + + var msg45 = msg("dhcpd:23", part63); + + var part64 = match("MESSAGE#45:dhcpd:28", "nwparser.payload", "uid lease %{hostip->} for client %{smacaddr->} is duplicate on %{mask}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg46 = msg("dhcpd:28", part64); + + var part65 = match("MESSAGE#46:dhcpd:29", "nwparser.payload", "Attempt to add forward map \"%{shost}\" (and reverse map \"%{dhost}\") for %{saddr->} abandoned because of non-retryable failure: %{result}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg47 = msg("dhcpd:29", part65); + + var part66 = match("MESSAGE#191:dhcpd:39", "nwparser.payload", "NOT FREE/BACKUP lease%{hostip}End Time%{fld1->} Bind-State %{change_old->} Next-Bind-State %{change_new}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg48 = msg("dhcpd:39", part66); + + var part67 = match("MESSAGE#192:dhcpd:41", "nwparser.payload", "RELEASE 
on%{saddr}to%{dmacaddr}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg49 = msg("dhcpd:41", part67); + + var part68 = match("MESSAGE#193:dhcpd:42", "nwparser.payload", "r-l-e:%{hostip},%{result},%{fld1},%{macaddr},%{fld3},%{fld4},%{fld5},%{info}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg50 = msg("dhcpd:42", part68); + + var part69 = match("MESSAGE#194:dhcpd:43", "nwparser.payload", "failover peer%{fld1}:%{dclass_counter1}leases added to send queue from pool%{fld3->} %{hostip}/%{network_port}", processor_chain([ + dup12, + dup6, + dup8, + setc("dclass_counter1_string","count of leases"), + dup30, + ])); + + var msg51 = msg("dhcpd:43", part69); + + var part70 = match("MESSAGE#195:dhcpd:44", "nwparser.payload", "DHCPDECLINE from%{macaddr}via%{hostip}: unknown network segment", processor_chain([ + dup12, + dup6, + dup8, + dup30, + dup29, + ])); + + var msg52 = msg("dhcpd:44", part70); + + var part71 = match("MESSAGE#196:dhcpd:45", "nwparser.payload", "Reverse map update for%{hostip}abandoned because of non-retryable failure:%{disposition}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg53 = msg("dhcpd:45", part71); + + var part72 = match("MESSAGE#197:dhcpd:46", "nwparser.payload", "Reclaiming REQUESTed abandoned IP address%{saddr}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Reclaiming REQUESTed abandoned IP address"), + ])); + + var msg54 = msg("dhcpd:46", part72); + + var part73 = match("MESSAGE#198:dhcpd:47/0", "nwparser.payload", "%{hostip}: removing client association (%{action})%{p0}"); + + var part74 = match("MESSAGE#198:dhcpd:47/1_0", "nwparser.p0", "uid=%{fld1}hw=%{macaddr}"); + + var part75 = match("MESSAGE#198:dhcpd:47/1_1", "nwparser.p0", "hw=%{macaddr}"); + + var select11 = linear_select([ + part74, + part75, + ]); + + var all15 = all_match({ + processors: [ + part73, + select11, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + 
dup30, + ]), + }); + + var msg55 = msg("dhcpd:47", all15); + + var part76 = match("MESSAGE#199:dhcpd:48", "nwparser.payload", "Lease conflict at %{hostip}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg56 = msg("dhcpd:48", part76); + + var part77 = match("MESSAGE#200:dhcpd:49", "nwparser.payload", "ICMP Echo reply while lease %{hostip->} valid.", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("protocol","ICMP"), + ])); + + var msg57 = msg("dhcpd:49", part77); + + var part78 = match("MESSAGE#201:dhcpd:50", "nwparser.payload", "Lease state %{result}. Not abandoning %{hostip}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg58 = msg("dhcpd:50", part78); + + var part79 = match("MESSAGE#202:dhcpd:51/0_0", "nwparser.payload", "Addition%{p0}"); + + var part80 = match("MESSAGE#202:dhcpd:51/0_1", "nwparser.payload", "Removal%{p0}"); + + var select12 = linear_select([ + part79, + part80, + ]); + + var part81 = match("MESSAGE#202:dhcpd:51/1", "nwparser.p0", "%{}of %{p0}"); + + var part82 = match("MESSAGE#202:dhcpd:51/2_0", "nwparser.p0", "forward%{p0}"); + + var part83 = match("MESSAGE#202:dhcpd:51/2_1", "nwparser.p0", "reverse%{p0}"); + + var select13 = linear_select([ + part82, + part83, + ]); + + var part84 = match("MESSAGE#202:dhcpd:51/3", "nwparser.p0", "%{}map for %{hostip->} deferred"); + + var all16 = all_match({ + processors: [ + select12, + part81, + select13, + part84, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("disposition","deferred"), + ]), + }); + + var msg59 = msg("dhcpd:51", all16); + + var part85 = match("MESSAGE#203:dhcpd:52", "nwparser.payload", "Hostname%{change_old}replaced by%{hostname}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg60 = msg("dhcpd:52", part85); + + var msg61 = msg("dhcpd:37", dup68); + + var select14 = linear_select([ + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + 
msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, + msg45, + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, + msg52, + msg53, + msg54, + msg55, + msg56, + msg57, + msg58, + msg59, + msg60, + msg61, + ]); + + var part86 = match("MESSAGE#47:ntpd:05", "nwparser.payload", "system event '%{event_type}' (%{fld1}) status '%{result}' (%{fld2})", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","system event status"), + ])); + + var msg62 = msg("ntpd:05", part86); + + var part87 = match("MESSAGE#48:ntpd:04", "nwparser.payload", "frequency initialized %{result->} from %(unknown)", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","frequency initialized from file"), + ])); + + var msg63 = msg("ntpd:04", part87); + + var part88 = match("MESSAGE#49:ntpd:03", "nwparser.payload", "ntpd exiting on signal %{dclass_counter1}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","ntpd exiting on signal"), + ])); + + var msg64 = msg("ntpd:03", part88); + + var part89 = match("MESSAGE#50:ntpd", "nwparser.payload", "time slew %{result}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","time slew duraion"), + ])); + + var msg65 = msg("ntpd", part89); + + var part90 = match("MESSAGE#51:ntpd:01", "nwparser.payload", "%{process}: signal %{dclass_counter1->} had flags %{result}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","signal had flags"), + ])); + + var msg66 = msg("ntpd:01", part90); + + var msg67 = msg("ntpd:02", dup64); + + var select15 = linear_select([ + msg62, + msg63, + msg64, + msg65, + msg66, + msg67, + ]); + + var part91 = match("MESSAGE#53:named:16/0", "nwparser.payload", "client %{saddr}#%{sport}:%{fld1}: update '%{zone}' %{p0}"); + + var all17 = all_match({ + processors: [ + part91, + dup69, + ], + on_success: 
processor_chain([ + dup15, + dup6, + dup8, + ]), + }); + + var msg68 = msg("named:16", all17); + + var part92 = match("MESSAGE#54:named/0", "nwparser.payload", "client %{saddr}#%{sport}: update '%{zone}/IN' %{p0}"); + + var all18 = all_match({ + processors: [ + part92, + dup69, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + dup35, + ]), + }); + + var msg69 = msg("named", all18); + + var part93 = match("MESSAGE#55:named:12/0", "nwparser.payload", "client %{saddr}#%{sport}/key dhcp_updater_default: signer \"%{owner}\" %{p0}"); + + var all19 = all_match({ + processors: [ + part93, + dup69, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + ]), + }); + + var msg70 = msg("named:12", all19); + + var part94 = match("MESSAGE#56:named:01/1_0", "nwparser.p0", "%{sport}/%{fld1}: signer \"%{p0}"); + + var part95 = match("MESSAGE#56:named:01/1_1", "nwparser.p0", "%{sport}: signer \"%{p0}"); + + var select16 = linear_select([ + part94, + part95, + ]); + + var part96 = match("MESSAGE#56:named:01/2", "nwparser.p0", "%{owner}\" %{p0}"); + + var all20 = all_match({ + processors: [ + dup36, + select16, + part96, + dup69, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + ]), + }); + + var msg71 = msg("named:01", all20); + + var part97 = match("MESSAGE#57:named:17/0", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}/%{p0}"); + + var part98 = match("MESSAGE#57:named:17/2", "nwparser.p0", "': %{p0}"); + + var part99 = match("MESSAGE#57:named:17/3_0", "nwparser.p0", "%{fld2}: %{action->} at '%{p0}"); + + var select17 = linear_select([ + part99, + dup40, + ]); + + var part100 = match("MESSAGE#57:named:17/4_1", "nwparser.p0", "%{hostname}' %{p0}"); + + var select18 = linear_select([ + dup41, + part100, + ]); + + var all21 = all_match({ + processors: [ + part97, + dup70, + part98, + select17, + select18, + dup71, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup45, + dup35, + ]), + }); + + var msg72 = 
msg("named:17", all21); + + var part101 = match("MESSAGE#58:named:18/0", "nwparser.payload", "client %{saddr}#%{sport}:%{fld1}: updating zone '%{zone}': %{p0}"); + + var part102 = match("MESSAGE#58:named:18/1_0", "nwparser.p0", "adding %{p0}"); + + var part103 = match("MESSAGE#58:named:18/1_1", "nwparser.p0", "deleting%{p0}"); + + var select19 = linear_select([ + part102, + part103, + ]); + + var part104 = match("MESSAGE#58:named:18/2", "nwparser.p0", "%{} %{info->} at '%{hostname}'"); + + var all22 = all_match({ + processors: [ + part101, + select19, + part104, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg73 = msg("named:18", all22); + + var part105 = match("MESSAGE#59:named:02/0", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}/%{p0}"); + + var part106 = match("MESSAGE#59:named:02/2", "nwparser.p0", "':%{p0}"); + + var part107 = match("MESSAGE#59:named:02/3_0", "nwparser.p0", "%{fld1}: %{action->} at '%{p0}"); + + var select20 = linear_select([ + part107, + dup40, + ]); + + var part108 = match("MESSAGE#59:named:02/4_1", "nwparser.p0", "%{hostip}' %{p0}"); + + var select21 = linear_select([ + dup41, + part108, + ]); + + var all23 = all_match({ + processors: [ + part105, + dup70, + part106, + select20, + select21, + dup71, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup45, + dup35, + ]), + }); + + var msg74 = msg("named:02", all23); + + var part109 = match("MESSAGE#60:named:19/0", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}': update %{disposition}: %{p0}"); + + var part110 = match("MESSAGE#60:named:19/1_0", "nwparser.p0", "%{hostname}/%{dns_querytype}: %{p0}"); + + var part111 = match("MESSAGE#60:named:19/1_1", "nwparser.p0", "%{hostname}: %{p0}"); + + var select22 = linear_select([ + part110, + part111, + ]); + + var all24 = all_match({ + processors: [ + part109, + select22, + dup46, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + 
dup47, + ]), + }); + + var msg75 = msg("named:19", all24); + + var part112 = match("MESSAGE#61:named:03", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': update %{disposition}: %{hostname}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg76 = msg("named:03", part112); + + var part113 = match("MESSAGE#62:named:11", "nwparser.payload", "zone %{zone}: notify from %{saddr}#%{sport}: zone is up to date", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","notify zone is up to date"), + ])); + + var msg77 = msg("named:11", part113); + + var part114 = match("MESSAGE#63:named:13", "nwparser.payload", "zone %{zone}: notify from %{saddr}#%{sport}: %{action}, %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg78 = msg("named:13", part114); + + var part115 = match("MESSAGE#64:named:14", "nwparser.payload", "zone %{zone}: refresh: retry limit for master %{saddr}#%{sport->} exceeded (%{action})", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg79 = msg("named:14", part115); + + var part116 = match("MESSAGE#65:named:15", "nwparser.payload", "zone %{zone}: refresh: failure trying master %{saddr}#%{sport->} (source ::#0): %{action}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg80 = msg("named:15", part116); + + var part117 = match("MESSAGE#66:named:25/0", "nwparser.payload", "DNS format error from %{saddr}#%{sport->} resolving %{domain}/%{dns_querytype->} for client %{daddr}#%{dport}: %{p0}"); + + var part118 = match("MESSAGE#66:named:25/1_0", "nwparser.p0", "%{error}--%{result}"); + + var part119 = match("MESSAGE#66:named:25/1_1", "nwparser.p0", "%{result}"); + + var select23 = linear_select([ + part118, + part119, + ]); + + var all25 = all_match({ + processors: [ + part117, + select23, + ], + on_success: processor_chain([ + dup48, + dup49, + dup14, + dup6, + dup8, + setc("event_description","DNS format error"), + dup30, + ]), + }); + + var 
msg81 = msg("named:25", all25); + + var part120 = match("MESSAGE#67:named:63/2", "nwparser.p0", "%{sport->} (#%{fld5}): query: %{domain->} %{fld4->} (%{daddr})"); + + var all26 = all_match({ + processors: [ + dup50, + dup72, + part120, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), + }); + + var msg82 = msg("named:63", all26); + + var part121 = match("MESSAGE#68:named:72/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{fld1}): %{p0}"); + + var part122 = match("MESSAGE#68:named:72/1_0", "nwparser.p0", "view%{fld3}: query:%{p0}"); + + var part123 = match("MESSAGE#68:named:72/1_1", "nwparser.p0", "query:%{p0}"); + + var select24 = linear_select([ + part122, + part123, + ]); + + var part124 = match("MESSAGE#68:named:72/2", "nwparser.p0", "%{} %{domain->} %{fld2->} %{dns_querytype->} %{context->} (%{daddr})"); + + var all27 = all_match({ + processors: [ + part121, + select24, + part124, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), + }); + + var msg83 = msg("named:72", all27); + + var part125 = match("MESSAGE#69:named:28", "nwparser.payload", "%{action->} (%{saddr}#%{sport}) %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg84 = msg("named:28", part125); + + var part126 = match("MESSAGE#70:named:71/0", "nwparser.payload", "transfer of '%{zone}' from %{saddr}#%{sport}: failed %{p0}"); + + var part127 = match("MESSAGE#70:named:71/1_0", "nwparser.p0", "to connect: %{result}"); + + var part128 = match("MESSAGE#70:named:71/1_1", "nwparser.p0", "while receiving responses: %{result}"); + + var select25 = linear_select([ + part127, + part128, + ]); + + var all28 = all_match({ + processors: [ + part126, + select25, + ], + on_success: processor_chain([ + dup48, + dup6, + dup8, + dup30, + setc("event_description","failed"), + ]), + }); + + var msg85 = msg("named:71", all28); + + var part129 = match("MESSAGE#71:named:70/0", "nwparser.payload", "transfer of '%{zone}' from 
%{saddr}#%{sport}: %{p0}"); + + var part130 = match("MESSAGE#71:named:70/1_0", "nwparser.p0", "connected using %{daddr}#%{dport}"); + + var select26 = linear_select([ + part130, + dup46, + ]); + + var all29 = all_match({ + processors: [ + part129, + select26, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), + }); + + var msg86 = msg("named:70", all29); + + var part131 = match("MESSAGE#72:named:40/0", "nwparser.payload", "%{fld1->} client %{saddr}#%{sport}: %{p0}"); + + var part132 = match("MESSAGE#72:named:40/1_0", "nwparser.p0", "view %{fld2}: %{protocol}: query: %{p0}"); + + var part133 = match("MESSAGE#72:named:40/1_1", "nwparser.p0", "%{protocol}: query: %{p0}"); + + var select27 = linear_select([ + part132, + part133, + ]); + + var part134 = match("MESSAGE#72:named:40/2", "nwparser.p0", "%{domain->} %{fld3->} %{dns_querytype->} response:%{result->} %{p0}"); + + var part135 = match("MESSAGE#72:named:40/3_0", "nwparser.p0", "%{context->} %{dns.resptext}"); + + var part136 = match("MESSAGE#72:named:40/3_1", "nwparser.p0", "%{context}"); + + var select28 = linear_select([ + part135, + part136, + ]); + + var all30 = all_match({ + processors: [ + part131, + select27, + part134, + select28, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), + }); + + var msg87 = msg("named:40", all30); + + var part137 = match("MESSAGE#73:named:05", "nwparser.payload", "zone '%{zone}' %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg88 = msg("named:05", part137); + + var part138 = match("MESSAGE#74:named:10/1_0", "nwparser.p0", "%{sport->} %{fld22}/%{fld21}:%{p0}"); + + var part139 = match("MESSAGE#74:named:10/1_1", "nwparser.p0", "%{sport}/%{fld21}:%{p0}"); + + var part140 = match("MESSAGE#74:named:10/1_2", "nwparser.p0", "%{sport->} (%{fld21}): %{p0}"); + + var select29 = linear_select([ + part138, + part139, + part140, + dup53, + ]); + + var part141 = match("MESSAGE#74:named:10/2", 
"nwparser.p0", "%{}query: %{domain->} %{info->} (%{daddr})"); + + var all31 = all_match({ + processors: [ + dup36, + select29, + part141, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","dns query"), + ]), + }); + + var msg89 = msg("named:10", all31); + + var part142 = match("MESSAGE#75:named:29", "nwparser.payload", "client %{saddr}#%{sport}: %{fld1}: received notify for zone '%{zone}'", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","received notify for zone"), + ])); + + var msg90 = msg("named:29", part142); + + var part143 = match("MESSAGE#76:named:08", "nwparser.payload", "client %{saddr}#%{sport}: received notify for zone '%{zone}'", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","client received notify for zone"), + ])); + + var msg91 = msg("named:08", part143); + + var part144 = match("MESSAGE#77:named:09", "nwparser.payload", "client %{saddr}#%{sport}: update forwarding '%{zone}' denied", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","client update forwarding for zone denied"), + ])); + + var msg92 = msg("named:09", part144); + + var part145 = match("MESSAGE#78:named:76/0", "nwparser.payload", "zone %{zone}: ZRQ appl%{p0}"); + + var part146 = match("MESSAGE#78:named:76/1_0", "nwparser.p0", "ied%{p0}"); + + var part147 = match("MESSAGE#78:named:76/1_1", "nwparser.p0", "ying%{p0}"); + + var select30 = linear_select([ + part146, + part147, + ]); + + var part148 = match("MESSAGE#78:named:76/2", "nwparser.p0", "%{}transaction %{p0}"); + + var part149 = match("MESSAGE#78:named:76/3_0", "nwparser.p0", "%{operation_id->} with SOA serial %{serial_number}. 
Zone version is now %{version}."); + + var part150 = match("MESSAGE#78:named:76/3_1", "nwparser.p0", "%{fld1}."); + + var select31 = linear_select([ + part149, + part150, + ]); + + var all32 = all_match({ + processors: [ + part145, + select30, + part148, + select31, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), + }); + + var msg93 = msg("named:76", all32); + + var part151 = match("MESSAGE#79:named:75", "nwparser.payload", "zone %{zone}: ZRQ applied %{action->} for '%{fld1}': %{fld2->} %{fld3->} %{dns_querytype->} %{info}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg94 = msg("named:75", part151); + + var part152 = match("MESSAGE#80:named:06/0", "nwparser.payload", "zone%{p0}"); + + var part153 = match("MESSAGE#80:named:06/1_0", "nwparser.p0", "_%{fld1}: %{p0}"); + + var part154 = match("MESSAGE#80:named:06/1_1", "nwparser.p0", " %{zone}: %{p0}"); + + var select32 = linear_select([ + part153, + part154, + ]); + + var all33 = all_match({ + processors: [ + part152, + select32, + dup46, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), + }); + + var msg95 = msg("named:06", all33); + + var part155 = match("MESSAGE#81:named:20", "nwparser.payload", "REFUSED unexpected RCODE resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup12, + dup49, + dup14, + dup6, + dup8, + dup54, + dup30, + dup55, + ])); + + var msg96 = msg("named:20", part155); + + var part156 = match("MESSAGE#82:named:49/0", "nwparser.payload", "REFUSED unexpected RCODE resolving '%{zone}/%{dns_querytype}/IN': %{p0}"); + + var part157 = match("MESSAGE#82:named:49/1_0", "nwparser.p0", "%{daddr}#%{dport}"); + + var part158 = match("MESSAGE#82:named:49/1_1", "nwparser.p0", "%{fld1}"); + + var select33 = linear_select([ + part157, + part158, + ]); + + var all34 = all_match({ + processors: [ + part156, + select33, + ], + on_success: processor_chain([ + dup56, + dup49, + dup14, + dup6, 
+ dup8, + dup54, + dup30, + dup35, + ]), + }); + + var msg97 = msg("named:49", all34); + + var part159 = match("MESSAGE#83:named:24/1_0", "nwparser.p0", "%{domain}): %{fld2}: zone transfer%{p0}"); + + var part160 = match("MESSAGE#83:named:24/1_1", "nwparser.p0", "%{domain}): zone transfer%{p0}"); + + var select34 = linear_select([ + part159, + part160, + ]); + + var part161 = match("MESSAGE#83:named:24/2", "nwparser.p0", "%{}'%{zone}' %{action}"); + + var all35 = all_match({ + processors: [ + dup57, + select34, + part161, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), + }); + + var msg98 = msg("named:24", all35); + + var part162 = match("MESSAGE#84:named:26/1_0", "nwparser.p0", "%{domain}): %{fld2}: no more recursive clients %{p0}"); + + var part163 = match("MESSAGE#84:named:26/1_1", "nwparser.p0", "%{domain}): no more recursive clients%{p0}"); + + var select35 = linear_select([ + part162, + part163, + ]); + + var part164 = match("MESSAGE#84:named:26/2", "nwparser.p0", "%{}(%{fld3}) %{info}"); + + var all36 = all_match({ + processors: [ + dup57, + select35, + part164, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg99 = msg("named:26", all36); + + var part165 = match("MESSAGE#85:named:27/1_0", "nwparser.p0", "%{domain}): %{fld2->} : %{fld3->} response from Internet for %{p0}"); + + var part166 = match("MESSAGE#85:named:27/1_1", "nwparser.p0", "%{domain}): %{fld3->} response from Internet for %{p0}"); + + var select36 = linear_select([ + part165, + part166, + ]); + + var part167 = match("MESSAGE#85:named:27/2", "nwparser.p0", "%{fld4}"); + + var all37 = all_match({ + processors: [ + dup57, + select36, + part167, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg100 = msg("named:27", all37); + + var part168 = match("MESSAGE#86:named:38/2_0", "nwparser.p0", "%{sport}#%{fld5->} (%{fld6}):%{p0}"); + + var part169 = match("MESSAGE#86:named:38/2_1", "nwparser.p0", 
"%{sport->} (%{fld5}):%{p0}"); + + var select37 = linear_select([ + part168, + part169, + dup53, + ]); + + var part170 = match("MESSAGE#86:named:38/3", "nwparser.p0", "%{}query%{p0}"); + + var part171 = match("MESSAGE#86:named:38/4_0", "nwparser.p0", " (%{fld7}) '%{domain}/%{fld4}' %{result}"); + + var part172 = match("MESSAGE#86:named:38/4_1", "nwparser.p0", ": %{domain->} %{fld4->} (%{daddr})"); + + var select38 = linear_select([ + part171, + part172, + ]); + + var all38 = all_match({ + processors: [ + dup50, + dup72, + select37, + part170, + select38, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg101 = msg("named:38", all38); + + var part173 = match("MESSAGE#87:named:39", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: error (%{result}) resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup12, + dup49, + dup14, + dup6, + dup8, + dup54, + ])); + + var msg102 = msg("named:39", part173); + + var part174 = match("MESSAGE#88:named:46", "nwparser.payload", "%{event_description}: Authorization denied for the operation (%{fld4}): %{fld5->} (data=\"%{hostip}\", source=\"%{hostname}\")", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg103 = msg("named:46", part174); + + var part175 = match("MESSAGE#89:named:64", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}': deleting %{info->} at %{hostname->} %{dns_querytype}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg104 = msg("named:64", part175); + + var part176 = match("MESSAGE#90:named:45", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': deleting %{info->} at %{hostname->} %{dns_querytype}", processor_chain([ + dup12, + dup6, + dup8, + dup47, + ])); + + var msg105 = msg("named:45", part176); + + var part177 = match("MESSAGE#91:named:44/0", "nwparser.payload", "client %{saddr}#%{sport}/key dhcp_updater_default: updating zone '%{p0}"); + 
+ var part178 = match("MESSAGE#91:named:44/1_0", "nwparser.p0", "%{domain}/IN'%{p0}"); + + var part179 = match("MESSAGE#91:named:44/1_1", "nwparser.p0", "%{domain}'%{p0}"); + + var select39 = linear_select([ + part178, + part179, + ]); + + var part180 = match("MESSAGE#91:named:44/2", "nwparser.p0", ": %{p0}"); + + var part181 = match("MESSAGE#91:named:44/3_0", "nwparser.p0", "deleting an RR at %{daddr}.in-addr.arpa "); + + var part182 = match("MESSAGE#91:named:44/3_1", "nwparser.p0", "deleting an RR at %{daddr}.%{fld6->} "); + + var part183 = match("MESSAGE#91:named:44/3_2", "nwparser.p0", "%{fld5}"); + + var select40 = linear_select([ + part181, + part182, + part183, + ]); + + var all39 = all_match({ + processors: [ + part177, + select39, + part180, + select40, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg106 = msg("named:44", all39); + + var part184 = match("MESSAGE#92:named:43", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): query (%{fld3}) '%{fld4}/%{dns_querytype}/IN' %{result}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg107 = msg("named:43", part184); + + var part185 = match("MESSAGE#93:named:42", "nwparser.payload", "%{result->} resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup12, + dup6, + dup8, + dup55, + ])); + + var msg108 = msg("named:42", part185); + + var part186 = match("MESSAGE#94:named:41", "nwparser.payload", "%{fld1}: unable to find root NS '%{domain}'", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg109 = msg("named:41", part186); + + var part187 = match("MESSAGE#95:named:47", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': update %{disposition}: %{event_description}", processor_chain([ + setc("eventcategory","1502000000"), + dup6, + dup8, + ])); + + var msg110 = msg("named:47", part187); + + var part188 = match("MESSAGE#96:named:48", "nwparser.payload", "client 
%{saddr}#%{sport->} (%{hostname}): query '%{zone}' %{result}", processor_chain([ + dup56, + dup6, + dup8, + dup30, + ])); + + var msg111 = msg("named:48", part188); + + var part189 = match("MESSAGE#97:named:62", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1->} (%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg112 = msg("named:62", part189); + + var part190 = match("MESSAGE#98:named:53", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg113 = msg("named:53", part190); + + var part191 = match("MESSAGE#99:named:77", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): query failed (%{error}) for %{fld1}/IN/%{dns_querytype->} at %(unknown):%{fld2}", processor_chain([ + dup48, + dup6, + dup8, + setc("event_description"," query failed"), + ])); + + var msg114 = msg("named:77", part191); + + var part192 = match("MESSAGE#100:named:52", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): %{info}", processor_chain([ + dup58, + dup6, + dup8, + dup47, + ])); + + var msg115 = msg("named:52", part192); + + var part193 = match("MESSAGE#101:named:50", "nwparser.payload", "%{fld1}: %{domain}/%{dns_querytype->} (%{saddr}) %{info}", processor_chain([ + dup58, + dup6, + dup8, + ])); + + var msg116 = msg("named:50", part193); + + var part194 = match("MESSAGE#102:named:51", "nwparser.payload", "%{fld1}: %{fld2}: REFUSED", processor_chain([ + dup56, + dup6, + dup8, + dup49, + dup14, + dup54, + ])); + + var msg117 = msg("named:51", part194); + + var part195 = match("MESSAGE#103:named:54", "nwparser.payload", "%{hostip}#%{network_port}: GSS-TSIG authentication failed:%{event_description}", processor_chain([ + dup58, + dup6, + dup8, + dup2, + dup14, + dup30, + ])); + + var msg118 = msg("named:54", part195); + + var part196 = match("MESSAGE#104:named:55/0", "nwparser.payload", "success 
resolving '%{domain}/%{dns_querytype}' (in '%{fld1}'?) %{p0}"); + + var part197 = match("MESSAGE#104:named:55/1_0", "nwparser.p0", "after disabling EDNS%{}"); + + var part198 = match("MESSAGE#104:named:55/1_1", "nwparser.p0", "%{fld2}"); + + var select41 = linear_select([ + part197, + part198, + ]); + + var all40 = all_match({ + processors: [ + part196, + select41, + ], + on_success: processor_chain([ + dup58, + dup6, + dup8, + dup5, + dup30, + dup59, + ]), + }); + + var msg119 = msg("named:55", all40); + + var part199 = match("MESSAGE#105:named:56", "nwparser.payload", "SERVFAIL unexpected RCODE resolving '%{domain}/%{dns_querytype}/IN':%{hostip}#%{network_port}", processor_chain([ + dup58, + dup6, + dup8, + dup49, + dup14, + dup30, + dup59, + ])); + + var msg120 = msg("named:56", part199); + + var part200 = match("MESSAGE#106:named:57", "nwparser.payload", "FORMERR resolving '%{domain}/%{dns_querytype}/IN':%{hostip}#%{network_port}", processor_chain([ + dup58, + dup6, + dup8, + setc("ec_outcome","Error"), + dup30, + dup59, + ])); + + var msg121 = msg("named:57", part200); + + var part201 = match("MESSAGE#107:named:04/0", "nwparser.payload", "%{action->} on %{p0}"); + + var part202 = match("MESSAGE#107:named:04/1_0", "nwparser.p0", "IPv4 interface %{sinterface}, %{saddr}#%{p0}"); + + var part203 = match("MESSAGE#107:named:04/1_1", "nwparser.p0", "%{saddr}#%{p0}"); + + var select42 = linear_select([ + part202, + part203, + ]); + + var part204 = match("MESSAGE#107:named:04/2", "nwparser.p0", "%{sport}"); + + var all41 = all_match({ + processors: [ + part201, + select42, + part204, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg122 = msg("named:04", all41); + + var part205 = match("MESSAGE#108:named:58", "nwparser.payload", "lame server resolving '%{domain}' (in '%{fld2}'?):%{hostip}#%{network_port}", processor_chain([ + dup58, + dup6, + dup8, + dup30, + dup59, + ])); + + var msg123 = msg("named:58", part205); + + var part206 = 
match("MESSAGE#109:named:59", "nwparser.payload", "exceeded max queries resolving '%{domain}/%{dns_querytype}'", processor_chain([ + dup12, + dup6, + dup8, + dup30, + dup59, + ])); + + var msg124 = msg("named:59", part206); + + var part207 = match("MESSAGE#110:named:60", "nwparser.payload", "skipping nameserver '%{hostname}' because it is a CNAME, while resolving '%{domain}/%{dns_querytype}'", processor_chain([ + dup12, + dup6, + dup8, + dup30, + dup59, + setc("event_description","skipping nameserver because it is a CNAME"), + ])); + + var msg125 = msg("named:60", part207); + + var part208 = match("MESSAGE#111:named:61", "nwparser.payload", "loading configuration from '%(unknown)'", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg126 = msg("named:61", part208); + + var part209 = match("MESSAGE#112:named:73", "nwparser.payload", "fetch: %{zone}/%{dns_querytype}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + dup35, + ])); + + var msg127 = msg("named:73", part209); + + var part210 = match("MESSAGE#113:named:74", "nwparser.payload", "decrement_reference: delete from rbt: %{fld1->} %{domain}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg128 = msg("named:74", part210); + + var part211 = match("MESSAGE#114:named:07/0_0", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): view %{fld2}: query: %{web_query}"); + + var part212 = match("MESSAGE#114:named:07/0_1", "nwparser.payload", "%{event_description}"); + + var select43 = linear_select([ + part211, + part212, + ]); + + var all42 = all_match({ + processors: [ + select43, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), + }); + + var msg129 = msg("named:07", all42); + + var select44 = linear_select([ + msg68, + msg69, + msg70, + msg71, + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + msg88, + msg89, + msg90, + msg91, + msg92, + 
msg93, + msg94, + msg95, + msg96, + msg97, + msg98, + msg99, + msg100, + msg101, + msg102, + msg103, + msg104, + msg105, + msg106, + msg107, + msg108, + msg109, + msg110, + msg111, + msg112, + msg113, + msg114, + msg115, + msg116, + msg117, + msg118, + msg119, + msg120, + msg121, + msg122, + msg123, + msg124, + msg125, + msg126, + msg127, + msg128, + msg129, + ]); + + var part213 = match("MESSAGE#115:pidof:01", "nwparser.payload", "can't read sid from %{agent}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","can't read sid"), + ])); + + var msg130 = msg("pidof:01", part213); + + var part214 = match("MESSAGE#116:pidof", "nwparser.payload", "can't get program name from %{agent}", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var msg131 = msg("pidof", part214); + + var select45 = linear_select([ + msg130, + msg131, + ]); + + var part215 = match("MESSAGE#117:validate_dhcpd:01", "nwparser.payload", "Configured local-address not available as source address for DNS updates. 
%{result}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Configured local-address not available as source address for DNS updates"), + ])); + + var msg132 = msg("validate_dhcpd:01", part215); + + var msg133 = msg("validate_dhcpd", dup73); + + var select46 = linear_select([ + msg132, + msg133, + ]); + + var msg134 = msg("syslog-ng", dup64); + + var part216 = match("MESSAGE#120:kernel", "nwparser.payload", "Linux version %{version->} (%{from}) (%{fld1}) %{fld2}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg135 = msg("kernel", part216); + + var msg136 = msg("kernel:01", dup64); + + var select47 = linear_select([ + msg135, + msg136, + ]); + + var msg137 = msg("radiusd", dup64); + + var part217 = match("MESSAGE#123:rc", "nwparser.payload", "executing %{agent->} start", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg138 = msg("rc", part217); + + var msg139 = msg("rc3", dup64); + + var part218 = match("MESSAGE#125:rcsysinit", "nwparser.payload", "fsck from %{version}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg140 = msg("rcsysinit", part218); + + var msg141 = msg("rcsysinit:01", dup64); + + var select48 = linear_select([ + msg140, + msg141, + ]); + + var part219 = match("MESSAGE#126:watchdog", "nwparser.payload", "opened %(unknown), with timeout = %{duration->} secs", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg142 = msg("watchdog", part219); + + var part220 = match("MESSAGE#127:watchdog:01", "nwparser.payload", "%{action}, pid = %{process_id}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg143 = msg("watchdog:01", part220); + + var part221 = match("MESSAGE#128:watchdog:02", "nwparser.payload", "received %{fld1}, cancelling softdog and exiting...", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg144 = msg("watchdog:02", part221); + + var part222 = match("MESSAGE#129:watchdog:03", "nwparser.payload", "%{filename->} could not be opened, errno = 
%{resultcode}", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var msg145 = msg("watchdog:03", part222); + + var msg146 = msg("watchdog:04", dup64); + + var select49 = linear_select([ + msg142, + msg143, + msg144, + msg145, + msg146, + ]); + + var msg147 = msg("init", dup64); + + var part223 = match("MESSAGE#131:logger", "nwparser.payload", "%{action}: %{saddr}/%{mask->} to %{interface}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg148 = msg("logger", part223); + + var msg149 = msg("logger:01", dup64); + + var select50 = linear_select([ + msg148, + msg149, + ]); + + var part224 = match("MESSAGE#133:openvpn-member", "nwparser.payload", "read %{protocol->} [%{info}] %{event_description->} (code=%{resultcode})", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var msg150 = msg("openvpn-member", part224); + + var msg151 = msg("openvpn-member:01", dup74); + + var part225 = match("MESSAGE#135:openvpn-member:02", "nwparser.payload", "Options error: %{event_description}", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var msg152 = msg("openvpn-member:02", part225); + + var part226 = match("MESSAGE#136:openvpn-member:03", "nwparser.payload", "OpenVPN %{version->} [%{protocol}] [%{fld2}] %{info}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg153 = msg("openvpn-member:03", part226); + + var msg154 = msg("openvpn-member:04", dup75); + + var msg155 = msg("openvpn-member:05", dup64); + + var select51 = linear_select([ + msg150, + msg151, + msg152, + msg153, + msg154, + msg155, + ]); + + var part227 = match("MESSAGE#139:sshd", "nwparser.payload", "Server listening on %{hostip->} port %{network_port}.", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg156 = msg("sshd", part227); + + var part228 = match("MESSAGE#140:sshd:01/0", "nwparser.payload", "Accepted password for %{p0}"); + + var part229 = match("MESSAGE#140:sshd:01/1_0", "nwparser.p0", "root from %{p0}"); + + var part230 = match("MESSAGE#140:sshd:01/1_1", 
"nwparser.p0", "%{username->} from %{p0}"); + + var select52 = linear_select([ + part229, + part230, + ]); + + var part231 = match("MESSAGE#140:sshd:01/2", "nwparser.p0", "%{saddr->} port %{sport->} %{protocol}"); + + var all43 = all_match({ + processors: [ + part228, + select52, + part231, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg157 = msg("sshd:01", all43); + + var part232 = match("MESSAGE#141:sshd:02", "nwparser.payload", "Connection closed by %{hostip}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg158 = msg("sshd:02", part232); + + var part233 = match("MESSAGE#142:sshd:03", "nwparser.payload", "%{severity}: Bind to port %{network_port->} on %{hostip->} %{result}: %{event_description}", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var msg159 = msg("sshd:03", part233); + + var part234 = match("MESSAGE#143:sshd:04", "nwparser.payload", "%{severity}: Cannot bind any address.", processor_chain([ + setc("eventcategory","1601000000"), + dup6, + dup8, + ])); + + var msg160 = msg("sshd:04", part234); + + var part235 = match("MESSAGE#144:sshd:05", "nwparser.payload", "%{action}: logout() %{result}", processor_chain([ + dup1, + dup2, + dup4, + dup14, + dup6, + dup8, + setc("event_description","logout"), + ])); + + var msg161 = msg("sshd:05", part235); + + var part236 = match("MESSAGE#145:sshd:06", "nwparser.payload", "Did not receive identification string from %{saddr}", processor_chain([ + dup15, + dup6, + setc("result","no identification string"), + setc("event_description","Did not receive identification string from peer"), + ])); + + var msg162 = msg("sshd:06", part236); + + var part237 = match("MESSAGE#146:sshd:07", "nwparser.payload", "Sleep 60 seconds for slowing down ssh login%{}", processor_chain([ + dup12, + dup6, + setc("result","slowing down ssh login"), + setc("event_description","Sleep 60 seconds"), + ])); + + var msg163 = msg("sshd:07", part237); + + var part238 = 
match("MESSAGE#147:sshd:08", "nwparser.payload", "%{authmethod->} authentication succeeded for user %{username}", processor_chain([ + setc("eventcategory","1302010300"), + dup6, + setc("event_description","authentication succeeded"), + dup8, + dup60, + ])); + + var msg164 = msg("sshd:08", part238); + + var part239 = match("MESSAGE#148:sshd:09", "nwparser.payload", "User group = %{group}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","User group"), + dup60, + ])); + + var msg165 = msg("sshd:09", part239); + + var part240 = match("MESSAGE#149:sshd:10", "nwparser.payload", "Bad protocol version identification '%{protocol_detail}' from %{saddr}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Bad protocol version identification"), + dup60, + ])); + + var msg166 = msg("sshd:10", part240); + + var select53 = linear_select([ + msg156, + msg157, + msg158, + msg159, + msg160, + msg161, + msg162, + msg163, + msg164, + msg165, + msg166, + ]); + + var part241 = match("MESSAGE#150:openvpn-master", "nwparser.payload", "OpenVPN %{version->} [%{protocol}] [%{fld1}] %{info}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg167 = msg("openvpn-master", part241); + + var part242 = match("MESSAGE#151:openvpn-master:01", "nwparser.payload", "read %{protocol->} [%{info}]: %{event_description->} (code=%{resultcode})", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var msg168 = msg("openvpn-master:01", part242); + + var msg169 = msg("openvpn-master:02", dup74); + + var part243 = match("MESSAGE#153:openvpn-master:03", "nwparser.payload", "%{saddr}:%{sport->} TLS Error: TLS handshake failed", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var msg170 = msg("openvpn-master:03", part243); + + var part244 = match("MESSAGE#154:openvpn-master:04", "nwparser.payload", "%{fld1}/%{saddr}:%{sport->} [%{fld2}] %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg171 = msg("openvpn-master:04", 
part244); + + var part245 = match("MESSAGE#155:openvpn-master:05", "nwparser.payload", "%{saddr}:%{sport->} [%{fld1}] %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg172 = msg("openvpn-master:05", part245); + + var msg173 = msg("openvpn-master:06", dup75); + + var msg174 = msg("openvpn-master:07", dup64); + + var select54 = linear_select([ + msg167, + msg168, + msg169, + msg170, + msg171, + msg172, + msg173, + msg174, + ]); + + var part246 = match("MESSAGE#158:INFOBLOX-Grid", "nwparser.payload", "Grid member at %{saddr->} %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg175 = msg("INFOBLOX-Grid", part246); + + var part247 = match("MESSAGE#159:INFOBLOX-Grid:02/0_0", "nwparser.payload", "Started%{p0}"); + + var part248 = match("MESSAGE#159:INFOBLOX-Grid:02/0_1", "nwparser.payload", "Completed%{p0}"); + + var select55 = linear_select([ + part247, + part248, + ]); + + var part249 = match("MESSAGE#159:INFOBLOX-Grid:02/1", "nwparser.p0", "%{}distribution on member with IP address %{saddr}"); + + var all44 = all_match({ + processors: [ + select55, + part249, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg176 = msg("INFOBLOX-Grid:02", all44); + + var part250 = match("MESSAGE#160:INFOBLOX-Grid:03", "nwparser.payload", "Upgrade Complete%{}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Upgrade Complete"), + ])); + + var msg177 = msg("INFOBLOX-Grid:03", part250); + + var part251 = match("MESSAGE#161:INFOBLOX-Grid:04", "nwparser.payload", "Upgrade to %{fld1}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg178 = msg("INFOBLOX-Grid:04", part251); + + var select56 = linear_select([ + msg175, + msg176, + msg177, + msg178, + ]); + + var part252 = match("MESSAGE#162:db_jnld", "nwparser.payload", "Grid member at %{saddr->} is online.", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg179 = msg("db_jnld", part252); + + var 
part253 = match("MESSAGE#219:db_jnld:01/0", "nwparser.payload", "Resolved conflict for replicated delete of %{p0}"); + + var part254 = match("MESSAGE#219:db_jnld:01/1_0", "nwparser.p0", "PTR %{p0}"); + + var part255 = match("MESSAGE#219:db_jnld:01/1_1", "nwparser.p0", "TXT %{p0}"); + + var part256 = match("MESSAGE#219:db_jnld:01/1_2", "nwparser.p0", "A %{p0}"); + + var part257 = match("MESSAGE#219:db_jnld:01/1_3", "nwparser.p0", "CNAME %{p0}"); + + var part258 = match("MESSAGE#219:db_jnld:01/1_4", "nwparser.p0", "SRV %{p0}"); + + var select57 = linear_select([ + part254, + part255, + part256, + part257, + part258, + ]); + + var part259 = match("MESSAGE#219:db_jnld:01/2", "nwparser.p0", "%{}\"%{fld1}\" in zone \"%{zone}\""); + + var all45 = all_match({ + processors: [ + part253, + select57, + part259, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg180 = msg("db_jnld:01", all45); + + var select58 = linear_select([ + msg179, + msg180, + ]); + + var part260 = match("MESSAGE#163:sSMTP/0", "nwparser.payload", "Sent mail for %{to->} (%{fld1}) %{p0}"); + + var part261 = match("MESSAGE#163:sSMTP/1_0", "nwparser.p0", "uid=%{uid->} username=%{username->} outbytes=%{sbytes->} "); + + var part262 = match("MESSAGE#163:sSMTP/1_1", "nwparser.p0", "%{space->} "); + + var select59 = linear_select([ + part261, + part262, + ]); + + var all46 = all_match({ + processors: [ + part260, + select59, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg181 = msg("sSMTP", all46); + + var part263 = match("MESSAGE#164:sSMTP:02", "nwparser.payload", "Cannot open %{hostname}:%{network_port}", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var msg182 = msg("sSMTP:02", part263); + + var part264 = match("MESSAGE#165:sSMTP:03", "nwparser.payload", "Unable to locate %{hostname}.", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var msg183 = msg("sSMTP:03", part264); + + var msg184 = msg("sSMTP:04", dup73); + + var 
select60 = linear_select([ + msg181, + msg182, + msg183, + msg184, + ]); + + var part265 = match("MESSAGE#167:scheduled_backups", "nwparser.payload", "Backup to %{device->} was successful - Backup file %(unknown)", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg185 = msg("scheduled_backups", part265); + + var part266 = match("MESSAGE#168:scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device->} was successful - Backup file %(unknown)", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Scheduled backup to the FTP server was successful"), + ])); + + var msg186 = msg("scheduled_ftp_backups", part266); + + var part267 = match("MESSAGE#169:failed_scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device->} failed - %{result}.", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Scheduled backup to the FTP server failed"), + ])); + + var msg187 = msg("failed_scheduled_ftp_backups", part267); + + var select61 = linear_select([ + msg186, + msg187, + ]); + + var part268 = match("MESSAGE#170:scheduled_scp_backups", "nwparser.payload", "Scheduled backup to the %{device->} was successful - Backup file %(unknown)", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Scheduled backup to the SCP server was successful"), + ])); + + var msg188 = msg("scheduled_scp_backups", part268); + + var part269 = match("MESSAGE#171:python", "nwparser.payload", "%{action->} even though zone '%{zone}' in view '%{fld1}' is locked.", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg189 = msg("python", part269); + + var part270 = match("MESSAGE#172:python:01", "nwparser.payload", "%{action->} (algorithm=%{fld1}, key tag=%{fld2}, key size=%{fld3}): '%{hostname}' in view '%{fld4}'.", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg190 = msg("python:01", part270); + + var part271 = match("MESSAGE#173:python:02", "nwparser.payload", "%{action}: '%{hostname}' 
in view '%{fld1}'.", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg191 = msg("python:02", part271); + + var part272 = match("MESSAGE#174:python:03", "nwparser.payload", "%{action}: FQDN='%{domain}', ADDRESS='%{saddr}', View='%{fld1}'", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg192 = msg("python:03", part272); + + var part273 = match("MESSAGE#175:python:04", "nwparser.payload", "%{action}: FQDN='%{domain}', View='%{fld1}'", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg193 = msg("python:04", part273); + + var part274 = match("MESSAGE#176:python:05", "nwparser.payload", "%{fld1}: %{fld2}.%{fld3->} [%{username}]: Populated %{zone->} %{hostname->} DnsView=%{fld4}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg194 = msg("python:05", part274); + + var msg195 = msg("python:06", dup64); + + var select62 = linear_select([ + msg189, + msg190, + msg191, + msg192, + msg193, + msg194, + msg195, + ]); + + var part275 = match("MESSAGE#178:monitor", "nwparser.payload", "Type: %{protocol}, State: %{event_state}, Event: %{event_description}.", processor_chain([ + dup11, + dup6, + dup8, + ])); + + var msg196 = msg("monitor", part275); + + var part276 = match("MESSAGE#179:snmptrapd", "nwparser.payload", "NET-SNMP version %{version->} %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg197 = msg("snmptrapd", part276); + + var part277 = match("MESSAGE#180:snmptrapd:01", "nwparser.payload", "lock in %{fld1->} sleeps more than %{duration->} milliseconds in %{fld2}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg198 = msg("snmptrapd:01", part277); + + var msg199 = msg("snmptrapd:02", dup64); + + var select63 = linear_select([ + msg197, + msg198, + msg199, + ]); + + var part278 = match("MESSAGE#182:ntpdate", "nwparser.payload", "adjust time server %{saddr->} offset %{duration->} sec", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg200 = msg("ntpdate", part278); + + 
var msg201 = msg("ntpdate:01", dup73); + + var select64 = linear_select([ + msg200, + msg201, + ]); + + var msg202 = msg("phonehome", dup64); + + var part279 = match("MESSAGE#185:purge_scheduled_tasks", "nwparser.payload", "Scheduled tasks have been purged%{}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg203 = msg("purge_scheduled_tasks", part279); + + var part280 = match("MESSAGE#186:serial_console:04", "nwparser.payload", "%{fld20->} %{fld21}.%{fld22->} [%{domain}]: Login_Denied - - to=%{terminal->} apparently_via=%{info->} ip=%{saddr->} error=%{result}", processor_chain([ + dup13, + dup2, + dup3, + dup10, + dup14, + dup6, + date_time({ + dest: "event_time", + args: ["fld20","fld21"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }), + dup8, + setc("event_description","Login Denied"), + ])); + + var msg204 = msg("serial_console:04", part280); + + var part281 = match("MESSAGE#187:serial_console:03", "nwparser.payload", "No authentication methods succeeded for user %{username}", processor_chain([ + dup13, + dup2, + dup3, + dup10, + dup14, + dup6, + dup8, + setc("event_description","No authentication methods succeeded for user"), + ])); + + var msg205 = msg("serial_console:03", part281); + + var part282 = match("MESSAGE#188:serial_console", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Allowed - - to=%{terminal->} apparently_via=%{info->} auth=%{authmethod->} group=%{group}", processor_chain([ + dup9, + dup2, + dup3, + dup10, + dup5, + dup6, + dup7, + dup8, + ])); + + var msg206 = msg("serial_console", part282); + + var part283 = match("MESSAGE#189:serial_console:01", "nwparser.payload", "RADIUS authentication succeeded for user %{username}", processor_chain([ + setc("eventcategory","1302010100"), + dup2, + dup3, + dup10, + dup5, + dup6, + dup8, + setc("event_description","RADIUS authentication succeeded for user"), + ])); + + var msg207 = msg("serial_console:01", part283); + + var part284 = 
match("MESSAGE#190:serial_console:02", "nwparser.payload", "User group = %{group}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","User group identification"), + ])); + + var msg208 = msg("serial_console:02", part284); + + var part285 = match("MESSAGE#205:serial_console:05", "nwparser.payload", "%{fld1->} [%{username}]: rebooted the system", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","system reboot"), + ])); + + var msg209 = msg("serial_console:05", part285); + + var part286 = match("MESSAGE#214:serial_console:06", "nwparser.payload", "Local authentication succeeded for user %{username}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Local authentication succeeded for user"), + ])); + + var msg210 = msg("serial_console:06", part286); + + var select65 = linear_select([ + msg204, + msg205, + msg206, + msg207, + msg208, + msg209, + msg210, + ]); + + var msg211 = msg("rc6", dup64); + + var msg212 = msg("acpid", dup64); + + var msg213 = msg("diskcheck", dup64); + + var part287 = match("MESSAGE#210:debug_mount", "nwparser.payload", "mount %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg214 = msg("debug_mount", part287); + + var msg215 = msg("smart_check_io", dup64); + + var msg216 = msg("speedstep_control", dup64); + + var part288 = match("MESSAGE#215:controld", "nwparser.payload", "Distribution Started%{}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Distribution Started"), + ])); + + var msg217 = msg("controld", part288); + + var part289 = match("MESSAGE#216:controld:02", "nwparser.payload", "Distribution Complete%{}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Distribution Complete"), + ])); + + var msg218 = msg("controld:02", part289); + + var select66 = linear_select([ + msg217, + msg218, + ]); + + var part290 = match("MESSAGE#217:shutdown", "nwparser.payload", "shutting down for system reboot%{}", 
processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","shutting down for system reboot"), + ])); + + var msg219 = msg("shutdown", part290); + + var part291 = match("MESSAGE#218:ntpd_initres", "nwparser.payload", "ntpd exiting on signal 15%{}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","ntpd exiting"), + ])); + + var msg220 = msg("ntpd_initres", part291); + + var part292 = match("MESSAGE#220:rsyncd", "nwparser.payload", "name lookup failed for %{saddr}: %{info}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg221 = msg("rsyncd", part292); + + var part293 = match("MESSAGE#221:rsyncd:01", "nwparser.payload", "connect from %{shost->} (%{saddr})", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg222 = msg("rsyncd:01", part293); + + var part294 = match("MESSAGE#222:rsyncd:02", "nwparser.payload", "rsync on %{filename->} from %{shost->} (%{saddr})", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg223 = msg("rsyncd:02", part294); + + var part295 = match("MESSAGE#223:rsyncd:03", "nwparser.payload", "sent %{sbytes->} bytes received %{rbytes->} bytes total size %{fld1}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg224 = msg("rsyncd:03", part295); + + var part296 = match("MESSAGE#224:rsyncd:04", "nwparser.payload", "building file list%{}", processor_chain([ + dup12, + dup6, + setc("event_description","building file list"), + dup8, + ])); + + var msg225 = msg("rsyncd:04", part296); + + var select67 = linear_select([ + msg221, + msg222, + msg223, + msg224, + msg225, + ]); + + var msg226 = msg("syslog", dup76); + + var msg227 = msg("restarting", dup76); + + var part297 = match("MESSAGE#227:ipmievd", "nwparser.payload", "%{fld1}", processor_chain([ + dup12, + dup6, + dup8, + dup61, + ])); + + var msg228 = msg("ipmievd", part297); + + var part298 = match("MESSAGE#228:netauto_discovery", "nwparser.payload", "%{agent}: Processing path%{fld1}, vnid [%{fld2}]", processor_chain([ + dup58, 
+ dup6, + dup8, + dup60, + ])); + + var msg229 = msg("netauto_discovery", part298); + + var part299 = match("MESSAGE#229:netauto_discovery:01", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}:%{product}ver%{version->} device does not answer to lldpRem OID requests, skipping LLDP Neighbors poll", processor_chain([ + dup58, + dup6, + dup8, + dup60, + setc("event_description","device does not answer to lldpRem OID requests, skipping LLDP Neighbors poll"), + ])); + + var msg230 = msg("netauto_discovery:01", part299); + + var part300 = match("MESSAGE#230:netauto_discovery:02", "nwparser.payload", "%{agent}:%{space}Static address already set with IP:%{hostip}, Processing%{fld1}", processor_chain([ + dup58, + dup6, + dup8, + dup60, + ])); + + var msg231 = msg("netauto_discovery:02", part300); + + var part301 = match("MESSAGE#231:netauto_discovery:03", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}: SNMP Credentials: Failed to authenticate", processor_chain([ + dup62, + dup6, + dup8, + dup60, + dup14, + ])); + + var msg232 = msg("netauto_discovery:03", part301); + + var select68 = linear_select([ + msg229, + msg230, + msg231, + msg232, + ]); + + var part302 = match("MESSAGE#232:netauto_core:01", "nwparser.payload", "%{agent}: Attempting CLI on device%{device}with interface not in table, ip%{hostip}", processor_chain([ + dup58, + dup6, + dup8, + dup60, + ])); + + var msg233 = msg("netauto_core:01", part302); + + var part303 = match("MESSAGE#233:netauto_core", "nwparser.payload", "netautoctl:%{event_description}", processor_chain([ + dup58, + dup6, + dup8, + dup60, + ])); + + var msg234 = msg("netauto_core", part303); + + var select69 = linear_select([ + msg233, + msg234, + ]); + + var part304 = match("MESSAGE#234:captured_dns_uploader", "nwparser.payload", "%{event_description}", processor_chain([ + dup48, + dup6, + dup8, + dup60, + dup14, + ])); + + var msg235 = msg("captured_dns_uploader", part304); + + var part305 = 
match("MESSAGE#235:DIS", "nwparser.payload", "%{fld1}:%{fld2}: Device%{device}/%{hostip}login failure%{result}", processor_chain([ + dup62, + dup6, + dup8, + dup60, + dup10, + dup14, + ])); + + var msg236 = msg("DIS", part305); + + var part306 = match("MESSAGE#236:DIS:01", "nwparser.payload", "%{fld2}: %{fld3}: Attempting discover-now for %{hostip->} on %{fld4}, using session ID", processor_chain([ + dup58, + dup6, + dup8, + dup60, + ])); + + var msg237 = msg("DIS:01", part306); + + var select70 = linear_select([ + msg236, + msg237, + ]); + + var part307 = match("MESSAGE#237:ErrorMsg", "nwparser.payload", "%{result}", processor_chain([ + dup63, + dup6, + dup8, + dup60, + ])); + + var msg238 = msg("ErrorMsg", part307); + + var part308 = match("MESSAGE#238:tacacs_acct", "nwparser.payload", "%{fld1}: Server %{daddr->} port %{dport}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + dup60, + ])); + + var msg239 = msg("tacacs_acct", part308); + + var part309 = match("MESSAGE#239:tacacs_acct:01", "nwparser.payload", "%{fld1}: Accounting request failed. 
%{fld2}Server is %{daddr}, port is %{dport}.", processor_chain([ + dup63, + dup6, + dup8, + dup60, + setc("event_description","Accounting request failed."), + ])); + + var msg240 = msg("tacacs_acct:01", part309); + + var part310 = match("MESSAGE#240:tacacs_acct:02", "nwparser.payload", "%{fld1}: Read %{fld2->} bytes from server %{daddr->} port %{dport}, expecting %{fld3}", processor_chain([ + dup12, + dup6, + dup8, + dup60, + ])); + + var msg241 = msg("tacacs_acct:02", part310); + + var select71 = linear_select([ + msg239, + msg240, + msg241, + ]); + + var part311 = match("MESSAGE#241:dhcpdv6", "nwparser.payload", "Relay-forward message from %{saddr_v6->} port %{sport}, link address %{fld1}, peer address %{daddr_v6}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Relay-forward message"), + ])); + + var msg242 = msg("dhcpdv6", part311); + + var part312 = match("MESSAGE#242:dhcpdv6:01", "nwparser.payload", "Encapsulated Solicit message from %{saddr_v6->} port %{sport->} from client DUID %{fld1}, transaction ID %{id}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulated Solicit message"), + ])); + + var msg243 = msg("dhcpdv6:01", part312); + + var part313 = match("MESSAGE#243:dhcpdv6:02", "nwparser.payload", "Client %{fld1}, IP '%{fld2}': No addresses available for this interface", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","IP unknown - No addresses available for this interface"), + ])); + + var msg244 = msg("dhcpdv6:02", part313); + + var part314 = match("MESSAGE#244:dhcpdv6:03", "nwparser.payload", "Encapsulating Advertise message to send to %{saddr_v6->} port %{sport}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulating Advertise message"), + ])); + + var msg245 = msg("dhcpdv6:03", part314); + + var part315 = match("MESSAGE#245:dhcpdv6:04", "nwparser.payload", "Sending Relay-reply message to %{saddr_v6->} port 
%{sport}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Sending Relay-reply message"), + ])); + + var msg246 = msg("dhcpdv6:04", part315); + + var part316 = match("MESSAGE#246:dhcpdv6:05", "nwparser.payload", "Encapsulated Information-request message from %{saddr_v6->} port %{sport}, transaction ID %{id}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulated Information-request message"), + ])); + + var msg247 = msg("dhcpdv6:05", part316); + + var part317 = match("MESSAGE#247:dhcpdv6:06", "nwparser.payload", "Encapsulating Reply message to send to %{saddr_v6->} port %{sport}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulating Reply message"), + ])); + + var msg248 = msg("dhcpdv6:06", part317); + + var part318 = match("MESSAGE#248:dhcpdv6:07", "nwparser.payload", "Encapsulated Renew message from %{saddr_v6->} port %{sport->} from client DUID %{fld1}, transaction ID %{id}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulated Renew message"), + ])); + + var msg249 = msg("dhcpdv6:07", part318); + + var part319 = match("MESSAGE#249:dhcpdv6:08", "nwparser.payload", "Reply NA: address %{saddr_v6->} to client with duid %{fld1->} iaid = %{fld2->} static", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg250 = msg("dhcpdv6:08", part319); + + var msg251 = msg("dhcpdv6:09", dup68); + + var select72 = linear_select([ + msg242, + msg243, + msg244, + msg245, + msg246, + msg247, + msg248, + msg249, + msg250, + msg251, + ]); + + var msg252 = msg("debug", dup68); + + var part320 = match("MESSAGE#252:cloud_api", "nwparser.payload", "proxying request to %{hostname}(%{hostip}) %{web_method->} %{url->} %{protocol->} %{info}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","proxying request"), + ])); + + var msg253 = msg("cloud_api", part320); + + var chain1 = processor_chain([ 
+ select3, + msgid_select({ + "DIS": select70, + "ErrorMsg": msg238, + "INFOBLOX-Grid": select56, + "acpid": msg212, + "captured_dns_uploader": msg235, + "cloud_api": msg253, + "controld": select66, + "db_jnld": select58, + "debug": msg252, + "debug_mount": msg214, + "dhcpd": select14, + "dhcpdv6": select72, + "diskcheck": msg213, + "httpd": select4, + "in.tftpd": select5, + "init": msg147, + "ipmievd": msg228, + "kernel": select47, + "logger": select50, + "monitor": msg196, + "named": select44, + "netauto_core": select69, + "netauto_discovery": select68, + "ntpd": select15, + "ntpd_initres": msg220, + "ntpdate": select64, + "openvpn-master": select54, + "openvpn-member": select51, + "phonehome": msg202, + "pidof": select45, + "purge_scheduled_tasks": msg203, + "python": select62, + "radiusd": msg137, + "rc": msg138, + "rc3": msg139, + "rc6": msg211, + "rcsysinit": select48, + "restarting": msg227, + "rsyncd": select67, + "sSMTP": select60, + "scheduled_backups": msg185, + "scheduled_ftp_backups": select61, + "scheduled_scp_backups": msg188, + "serial_console": select65, + "shutdown": msg219, + "smart_check_io": msg215, + "snmptrapd": select63, + "speedstep_control": msg216, + "sshd": select53, + "syslog": msg226, + "syslog-ng": msg134, + "tacacs_acct": select71, + "validate_dhcpd": select46, + "watchdog": select49, + }), + ]); + + var part321 = match("MESSAGE#19:dhcpd:18/0", "nwparser.payload", "%{} %{p0}"); + + var part322 = match("MESSAGE#19:dhcpd:18/1_0", "nwparser.p0", "Added %{p0}"); + + var part323 = match("MESSAGE#19:dhcpd:18/1_1", "nwparser.p0", "added %{p0}"); + + var part324 = match("MESSAGE#25:dhcpd:03/1_0", "nwparser.p0", "%{dmacaddr->} (%{dhost}) via %{p0}"); + + var part325 = match("MESSAGE#25:dhcpd:03/1_1", "nwparser.p0", "%{dmacaddr->} via %{p0}"); + + var part326 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} from %{p0}"); + + var part327 = match("MESSAGE#28:dhcpd:09/1_0", "nwparser.p0", "%{smacaddr->} (%{shost}) 
via %{p0}"); + + var part328 = match("MESSAGE#28:dhcpd:09/1_1", "nwparser.p0", "%{smacaddr->} via %{p0}"); + + var part329 = match("MESSAGE#31:dhcpd:11/2", "nwparser.p0", "%{} %{interface}"); + + var part330 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{} %{interface->} relay %{fld1->} lease-duration %{duration}"); + + var part331 = match("MESSAGE#53:named:16/1_0", "nwparser.p0", "approved %{}"); + + var part332 = match("MESSAGE#53:named:16/1_1", "nwparser.p0", " denied%{}"); + + var part333 = match("MESSAGE#56:named:01/0", "nwparser.payload", "client %{saddr}#%{p0}"); + + var part334 = match("MESSAGE#57:named:17/1_0", "nwparser.p0", "IN%{p0}"); + + var part335 = match("MESSAGE#57:named:17/1_1", "nwparser.p0", "CH%{p0}"); + + var part336 = match("MESSAGE#57:named:17/1_2", "nwparser.p0", "HS%{p0}"); + + var part337 = match("MESSAGE#57:named:17/3_1", "nwparser.p0", "%{action->} at '%{p0}"); + + var part338 = match("MESSAGE#57:named:17/4_0", "nwparser.p0", "%{hostip}.in-addr.arpa' %{p0}"); + + var part339 = match("MESSAGE#57:named:17/5_0", "nwparser.p0", "%{dns_querytype->} \"%{fld3}\""); + + var part340 = match("MESSAGE#57:named:17/5_1", "nwparser.p0", "%{dns_querytype->} %{hostip}"); + + var part341 = match("MESSAGE#57:named:17/5_2", "nwparser.p0", "%{dns_querytype}"); + + var part342 = match("MESSAGE#60:named:19/2", "nwparser.p0", "%{event_description}"); + + var part343 = match("MESSAGE#67:named:63/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: client %{p0}"); + + var part344 = match("MESSAGE#67:named:63/1_0", "nwparser.p0", "%{fld9->} %{saddr}#%{p0}"); + + var part345 = match("MESSAGE#67:named:63/1_1", "nwparser.p0", " %{saddr}#%{p0}"); + + var part346 = match("MESSAGE#74:named:10/1_3", "nwparser.p0", "%{sport}:%{p0}"); + + var part347 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{p0}"); + + var part348 = match("MESSAGE#7:httpd:06", "nwparser.payload", "%{event_description}", processor_chain([ + 
dup12, + dup6, + dup8, + ])); + + var select73 = linear_select([ + dup17, + dup18, + ]); + + var select74 = linear_select([ + dup20, + dup21, + ]); + + var select75 = linear_select([ + dup25, + dup26, + ]); + + var part349 = match("MESSAGE#204:dhcpd:37", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var select76 = linear_select([ + dup33, + dup34, + ]); + + var select77 = linear_select([ + dup37, + dup38, + dup39, + ]); + + var select78 = linear_select([ + dup42, + dup43, + dup44, + ]); + + var select79 = linear_select([ + dup51, + dup52, + ]); + + var part350 = match("MESSAGE#118:validate_dhcpd", "nwparser.payload", "%{event_description}", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var part351 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action->} : %{event_description->} (code=%{resultcode})", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var part352 = match("MESSAGE#137:openvpn-member:04", "nwparser.payload", "%{severity}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var part353 = match("MESSAGE#225:syslog", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, + dup61, + ])); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/infoblox/0.1.0/dataset/nios/agent/stream/tcp.yml.hbs b/packages/infoblox/0.1.0/dataset/nios/agent/stream/tcp.yml.hbs new file mode 100644 index 0000000000..9455aa1a08 --- /dev/null +++ b/packages/infoblox/0.1.0/dataset/nios/agent/stream/tcp.yml.hbs 
@@ -0,0 +1,6064 @@ +tcp: +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Infoblox" + product: "Network" + type: "IPAM" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
+ "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
+ "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
+ "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
+ "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
+ "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
+ "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
+ "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
+ "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
+ "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
+ "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
+ "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
+ "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
+ "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
+ "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
+ "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
+ "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
+ "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
+ "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
+ "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
+ "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
+ "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
+ "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
+ "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
+ "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
+ "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
+ "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
+ "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
+ "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
+ "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
+ "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
+ "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
+ "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
+ "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
+ "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
+ "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
+ "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
+ "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
+ "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
+ "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
+ "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
+ "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
+ "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
+ "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
+ "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
+ "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
+ "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
+ "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
+ "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
+ "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
+ "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
+ "number": {to:[{field: "rsa.misc.number", setter: fld_set}]},
+ "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
+ "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
+ "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
+ "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
+ "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
+ "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
+ "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
+ "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
+ "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
+ "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
+ "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
+ "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
+ "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
+ "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
+ "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
+ "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
+ "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
+ "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
+ "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
+ "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
+ "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
+ "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
+ "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
+ "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
+ "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
+ "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
+ "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
+ "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
+ "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
+ "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
+ "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
+ "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
+ "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
+ "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
+ "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
+ "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
+ "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
+ "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
+ "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
+ "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
+ "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
+ "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
+ "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
+ "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
+ "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
+ "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
+ "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
+ "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
+ "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
+ "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
+ "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
+ "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
+ "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
+ "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
+ "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
+ "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
+ "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
+ "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
+ "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
+ "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
+ "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
+ "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
+ "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
+ "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
+ "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
+ "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
+ "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
+ "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
+ "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
+ "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
+ "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
+ "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
+ "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
+ "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
+ "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
+ "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
+ "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
+ "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
+ "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
+ "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
+ "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
+ "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
+ "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
+ "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
+ "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
+ "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
+ "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
+ "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
+ "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
+ "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
+ "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
+ "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
+ "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
+ "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
+ "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
+ "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
+ "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
+ "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
+ "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
+ "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
+ "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
+ "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
+ "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
+ "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
+ "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
+ "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
+ "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]},
+ "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
+ "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
+ "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
+ "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
+ "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
+ "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
+ "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
+ "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
+ "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
+ "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
+ "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
+ "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
+ "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
+ "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
+ "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
+ "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
+ "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
+ "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
+ "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
+ "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
+ "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
+ "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
+ "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
+ "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
+ "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
+ "second": {to:[{field: "rsa.misc.second", setter: fld_set}]},
+ "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
+ "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
+ "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
+ "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]},
+ "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
+ "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
+ "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
+ "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
+ "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
+ "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
+ "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
+ "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
+ "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
+ "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
+ "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
+ "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
+ "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
+ "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
+ "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
+ "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
+ "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
+ "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
+ "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
+ "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
+ "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
+ "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]},
+ "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
+ "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
+ "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
+ "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
+ "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]},
+ "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
+ "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
+ "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
+ "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
+ "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
+ "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
+ "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
+ "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
+ "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
+ "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
+ "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
+ "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
+ "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
+ "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
+ "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
+ "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
+ "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
+ "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
+ "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
+ "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
+ "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
+ "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
+ "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
+ "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]},
+ "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
+ "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
+ "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
+ "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]},
+ "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
+ "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
+ "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
+ "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
+ "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
+ "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
+ "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
+ "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
+ "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
+ "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
+ "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
+ "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
+ "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
+ "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
+ "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
+ "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
+ "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
+ "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
+ "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
+ "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
+ "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
+ "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
+ "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]},
+ "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
+ "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
+ "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
+ "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]},
+ "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]},
+ "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]},
+ "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]},
+ "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]},
+ "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]},
+ "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]},
+ "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]},
+ "version": {to:[{field: "rsa.misc.version", setter: fld_set}]},
+ "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]},
+ "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]},
+ "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]},
+ "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]},
+ "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]},
+ "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]},
+ "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]},
+ "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]},
+ "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]},
+ "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]},
+ "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]},
+ "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]},
+ "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]},
+ "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]},
+ "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]},
+ "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]},
+ "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]},
+
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} (%{dhost}) via %{p0}"); + + var dup21 = match("MESSAGE#25:dhcpd:03/1_1", "nwparser.p0", "%{dmacaddr->} via %{p0}"); + + var dup22 = setc("action","DHCPRELEASE"); + + var dup23 = setc("action","DHCPDISCOVER"); + + var dup24 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} from %{p0}"); + + var dup25 = match("MESSAGE#28:dhcpd:09/1_0", "nwparser.p0", "%{smacaddr->} (%{shost}) via %{p0}"); + + var dup26 = match("MESSAGE#28:dhcpd:09/1_1", "nwparser.p0", "%{smacaddr->} via %{p0}"); + + var dup27 = setc("action","DHCPREQUEST"); + + var dup28 = match("MESSAGE#31:dhcpd:11/2", "nwparser.p0", "%{} %{interface}"); + + var dup29 = setc("event_description","unknown network segment"); + + var dup30 = date_time({ + dest: "event_time", + args: ["month","day","time"], + fmts: [ + [dB,dF,dZ], + ], + }); + + var dup31 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{} %{interface->} relay %{fld1->} lease-duration %{duration}"); + + var dup32 = setc("action","DHCPACK"); + + var dup33 = match("MESSAGE#53:named:16/1_0", "nwparser.p0", "approved %{}"); + + var dup34 = match("MESSAGE#53:named:16/1_1", "nwparser.p0", " denied%{}"); + + var dup35 = setf("domain","zone"); + + var dup36 = match("MESSAGE#56:named:01/0", "nwparser.payload", "client %{saddr}#%{p0}"); + + var dup37 = match("MESSAGE#57:named:17/1_0", "nwparser.p0", "IN%{p0}"); + + var dup38 = match("MESSAGE#57:named:17/1_1", "nwparser.p0", "CH%{p0}"); + + var dup39 = match("MESSAGE#57:named:17/1_2", "nwparser.p0", "HS%{p0}"); + + var dup40 = match("MESSAGE#57:named:17/3_1", "nwparser.p0", "%{action->} at '%{p0}"); + + var dup41 = match("MESSAGE#57:named:17/4_0", "nwparser.p0", "%{hostip}.in-addr.arpa' %{p0}"); + + var dup42 = match("MESSAGE#57:named:17/5_0", "nwparser.p0", "%{dns_querytype->} \"%{fld3}\""); + + var dup43 = match("MESSAGE#57:named:17/5_1", "nwparser.p0", "%{dns_querytype->} 
%{hostip}"); + + var dup44 = match("MESSAGE#57:named:17/5_2", "nwparser.p0", "%{dns_querytype}"); + + var dup45 = setc("event_description","updating zone"); + + var dup46 = match("MESSAGE#60:named:19/2", "nwparser.p0", "%{event_description}"); + + var dup47 = setf("domain","hostname"); + + var dup48 = setc("eventcategory","1801010000"); + + var dup49 = setc("ec_activity","Request"); + + var dup50 = match("MESSAGE#67:named:63/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: client %{p0}"); + + var dup51 = match("MESSAGE#67:named:63/1_0", "nwparser.p0", "%{fld9->} %{saddr}#%{p0}"); + + var dup52 = match("MESSAGE#67:named:63/1_1", "nwparser.p0", " %{saddr}#%{p0}"); + + var dup53 = match("MESSAGE#74:named:10/1_3", "nwparser.p0", "%{sport}:%{p0}"); + + var dup54 = setc("action","Refused"); + + var dup55 = setf("dns_querytype","event_description"); + + var dup56 = setc("eventcategory","1901000000"); + + var dup57 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{p0}"); + + var dup58 = setc("eventcategory","1801000000"); + + var dup59 = setf("zone","domain"); + + var dup60 = date_time({ + dest: "event_time", + args: ["month","day","time"], + fmts: [ + [dB,dD,dZ], + ], + }); + + var dup61 = setf("info","hdata"); + + var dup62 = setc("eventcategory","1301000000"); + + var dup63 = setc("eventcategory","1303000000"); + + var dup64 = match("MESSAGE#7:httpd:06", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var dup65 = linear_select([ + dup17, + dup18, + ]); + + var dup66 = linear_select([ + dup20, + dup21, + ]); + + var dup67 = linear_select([ + dup25, + dup26, + ]); + + var dup68 = match("MESSAGE#204:dhcpd:37", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var dup69 = linear_select([ + dup33, + dup34, + ]); + + var dup70 = linear_select([ + dup37, + dup38, + dup39, + ]); + + var dup71 = linear_select([ + dup42, + 
dup43, + dup44, + ]); + + var dup72 = linear_select([ + dup51, + dup52, + ]); + + var dup73 = match("MESSAGE#118:validate_dhcpd", "nwparser.payload", "%{event_description}", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var dup74 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action->} : %{event_description->} (code=%{resultcode})", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var dup75 = match("MESSAGE#137:openvpn-member:04", "nwparser.payload", "%{severity}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var dup76 = match("MESSAGE#225:syslog", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, + dup61, + ])); + + var hdr1 = match("HEADER#0:006/0", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{p0}"); + + var part1 = match("HEADER#0:006/1_0", "nwparser.p0", "%{hhostip->} %{messageid}[%{data}]: %{p0}"); + + var part2 = match("HEADER#0:006/1_1", "nwparser.p0", "%{hhostip->} %{messageid}: %{p0}"); + + var select1 = linear_select([ + part1, + part2, + ]); + + var part3 = match("HEADER#0:006/2", "nwparser.p0", "%{payload}"); + + var all1 = all_match({ + processors: [ + hdr1, + select1, + part3, + ], + on_success: processor_chain([ + setc("header_id","006"), + ]), + }); + + var hdr2 = match("HEADER#1:001", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{messageid}[%{data}]: %{payload}", processor_chain([ + setc("header_id","001"), + ])); + + var hdr3 = match("HEADER#2:005", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{hdata}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","005"), + ])); + + var hdr4 = match("HEADER#3:002/0", "message", "%{month->} %{day->} %{time->} %{p0}"); + + var part4 = match("HEADER#3:002/1_0", "nwparser.p0", "%{hhostname->} -%{messageid}:%{p0}"); + + var part5 = match("HEADER#3:002/1_1", "nwparser.p0", "%{hhostname->} %{messageid}:%{p0}"); + + var select2 = linear_select([ + part4, + part5, + 
]); + + var part6 = match("HEADER#3:002/2", "nwparser.p0", "%{} %{payload}"); + + var all2 = all_match({ + processors: [ + hdr4, + select2, + part6, + ], + on_success: processor_chain([ + setc("header_id","002"), + ]), + }); + + var hdr5 = match("HEADER#4:0003", "message", "%{messageid}[%{data}]: %{payload}", processor_chain([ + setc("header_id","0003"), + ])); + + var hdr6 = match("HEADER#5:0004", "message", "%{messageid}: %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var hdr7 = match("HEADER#6:0005", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{fld1->} |%{messageid->} |%{payload}", processor_chain([ + setc("header_id","0005"), + ])); + + var select3 = linear_select([ + all1, + hdr2, + hdr3, + all2, + hdr5, + hdr6, + hdr7, + ]); + + var part7 = match("MESSAGE#0:httpd", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Logout - - ip=%{saddr->} group=%{group->} trigger_event=%{event_description}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + ])); + + var msg1 = msg("httpd", part7); + + var part8 = match("MESSAGE#1:httpd:01", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Allowed - - to=%{fld4->} ip=%{saddr->} auth=%{authmethod->} group=%{group->} apparently_via=%{info}", processor_chain([ + dup9, + dup2, + dup3, + dup10, + dup5, + dup6, + dup7, + dup8, + ])); + + var msg2 = msg("httpd:01", part8); + + var part9 = match("MESSAGE#2:httpd:02", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Called - %{action->} message=%{info}", processor_chain([ + dup11, + dup6, + dup7, + dup8, + ])); + + var msg3 = msg("httpd:02", part9); + + var part10 = match("MESSAGE#3:httpd:03", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Created HostAddress %{hostip}: Set address=\"%{saddr}\",configure_for_dhcp=%{fld10},match_option=\"%{info}\",parent=%{context}", processor_chain([ + dup11, + dup6, + dup7, + dup8, + ])); + + var msg4 = 
msg("httpd:03", part10); + + var part11 = match("MESSAGE#4:httpd:04", "nwparser.payload", "%{shost}: %{fld1->} authentication for user %{username->} failed", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg5 = msg("httpd:04", part11); + + var part12 = match("MESSAGE#5:httpd:05", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Called - %{event_description}", processor_chain([ + dup12, + dup6, + dup7, + dup8, + ])); + + var msg6 = msg("httpd:05", part12); + + var part13 = match("MESSAGE#6:httpd:07", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Denied - - to=%{terminal->} ip=%{saddr->} info=%{info}", processor_chain([ + dup13, + dup2, + dup3, + dup10, + dup14, + dup6, + dup7, + dup8, + ])); + + var msg7 = msg("httpd:07", part13); + + var msg8 = msg("httpd:06", dup64); + + var select4 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + ]); + + var part14 = match("MESSAGE#8:in.tftpd:01", "nwparser.payload", "RRQ from %{saddr->} filename %(unknown)", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","RRQ from remote host"), + ])); + + var msg9 = msg("in.tftpd:01", part14); + + var part15 = match("MESSAGE#9:in.tftpd:02", "nwparser.payload", "sending NAK (%{resultcode}, %{result}) to %{daddr}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","sending NAK to remote host"), + ])); + + var msg10 = msg("in.tftpd:02", part15); + + var part16 = match("MESSAGE#10:in.tftpd", "nwparser.payload", "connection refused from %{saddr}", processor_chain([ + setc("eventcategory","1801030000"), + dup6, + dup8, + ])); + + var msg11 = msg("in.tftpd", part16); + + var select5 = linear_select([ + msg9, + msg10, + msg11, + ]); + + var part17 = match("MESSAGE#11:dhcpd:12/0", "nwparser.payload", "%{event_type}: received a REQUEST DHCP packet from relay-agent %{interface->} with a circuit-id of \"%{id}\" and remote-id of \"%{smacaddr}\" for %{hostip->} (%{dmacaddr}) lease 
time is %{p0}"); + + var part18 = match("MESSAGE#11:dhcpd:12/1_0", "nwparser.p0", "undefined %{p0}"); + + var part19 = match("MESSAGE#11:dhcpd:12/1_1", "nwparser.p0", "%{duration->} %{p0}"); + + var select6 = linear_select([ + part18, + part19, + ]); + + var part20 = match("MESSAGE#11:dhcpd:12/2", "nwparser.p0", "%{}seconds"); + + var all3 = all_match({ + processors: [ + part17, + select6, + part20, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","received a REQUEST DHCP packet from relay-agent"), + ]), + }); + + var msg12 = msg("dhcpd:12", all3); + + var part21 = match("MESSAGE#12:dhcpd:21", "nwparser.payload", "bind update on %{hostip->} from %{hostname}(%{fld1}) rejected: %{result}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","bind update rejected"), + ])); + + var msg13 = msg("dhcpd:21", part21); + + var part22 = match("MESSAGE#13:dhcpd:10", "nwparser.payload", "Unable to add forward map from %{shost->} %{fld1}to %{daddr}: %{result}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Unable to add forward map"), + ])); + + var msg14 = msg("dhcpd:10", part22); + + var part23 = match("MESSAGE#14:dhcpd:13", "nwparser.payload", "Average %{fld1->} dynamic DNS update latency: %{result->} micro seconds", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Average dynamic DNS update latency"), + ])); + + var msg15 = msg("dhcpd:13", part23); + + var part24 = match("MESSAGE#15:dhcpd:15", "nwparser.payload", "Dynamic DNS update timeout count in last %{info->} minutes: %{result}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Dynamic DNS update timeout count"), + ])); + + var msg16 = msg("dhcpd:15", part24); + + var part25 = match("MESSAGE#16:dhcpd:22", "nwparser.payload", "Removed forward map from %{shost->} %{fld1}to %{daddr}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Removed forward map"), + ])); + + var msg17 
= msg("dhcpd:22", part25); + + var part26 = match("MESSAGE#17:dhcpd:25", "nwparser.payload", "Removed reverse map on %{hostname}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Removed reverse map"), + ])); + + var msg18 = msg("dhcpd:25", part26); + + var part27 = match("MESSAGE#18:dhcpd:06", "nwparser.payload", "received shutdown -/-/ %{result}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","received shutdown"), + ])); + + var msg19 = msg("dhcpd:06", part27); + + var part28 = match("MESSAGE#19:dhcpd:18/2", "nwparser.p0", "%{}new forward map from %{hostname->} %{space->} %{daddr}"); + + var all4 = all_match({ + processors: [ + dup16, + dup65, + part28, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Added new forward map"), + ]), + }); + + var msg20 = msg("dhcpd:18", all4); + + var part29 = match("MESSAGE#20:dhcpd:19/2", "nwparser.p0", "%{}reverse map from %{hostname->} %{space->} %{daddr}"); + + var all5 = all_match({ + processors: [ + dup16, + dup65, + part29, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","added reverse map"), + ]), + }); + + var msg21 = msg("dhcpd:19", all5); + + var part30 = match("MESSAGE#21:dhcpd", "nwparser.payload", "Abandoning IP address %{hostip}: declined", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Abandoning IP declined"), + ])); + + var msg22 = msg("dhcpd", part30); + + var part31 = match("MESSAGE#22:dhcpd:30", "nwparser.payload", "Abandoning IP address %{hostip}: pinged before offer", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Abandoning IP pinged before offer"), + ])); + + var msg23 = msg("dhcpd:30", part31); + + var part32 = match("MESSAGE#23:dhcpd:01", "nwparser.payload", "DHCPDECLINE of %{saddr->} from %{smacaddr->} (%{shost}) via %{interface}: %{info}", processor_chain([ + dup15, + dup6, + dup8, + dup19, + ])); + + var msg24 = 
msg("dhcpd:01", part32); + + var part33 = match("MESSAGE#24:dhcpd:02", "nwparser.payload", "DHCPDECLINE of %{saddr->} from %{smacaddr->} via %{interface}: %{info}", processor_chain([ + dup15, + dup6, + dup8, + dup19, + ])); + + var msg25 = msg("dhcpd:02", part33); + + var part34 = match("MESSAGE#25:dhcpd:03/0", "nwparser.payload", "DHCPRELEASE of %{saddr->} from %{p0}"); + + var part35 = match("MESSAGE#25:dhcpd:03/2", "nwparser.p0", "%{} %{interface->} (%{info})"); + + var all6 = all_match({ + processors: [ + part34, + dup66, + part35, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup22, + ]), + }); + + var msg26 = msg("dhcpd:03", all6); + + var part36 = match("MESSAGE#26:dhcpd:04", "nwparser.payload", "DHCPDISCOVER from %{smacaddr->} via %{interface}: network %{mask}: %{info}", processor_chain([ + dup12, + dup6, + dup8, + dup23, + ])); + + var msg27 = msg("dhcpd:04", part36); + + var part37 = match("MESSAGE#27:dhcpd:07/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} %{p0}"); + + var part38 = match("MESSAGE#27:dhcpd:07/1_0", "nwparser.p0", "(%{shost}) from %{p0}"); + + var part39 = match("MESSAGE#27:dhcpd:07/1_1", "nwparser.p0", "from %{p0}"); + + var select7 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#27:dhcpd:07/2", "nwparser.p0", "%{} %{smacaddr->} (%{hostname}) via %{interface}: ignored (%{result})"); + + var all7 = all_match({ + processors: [ + part37, + select7, + part40, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + setc("action","DHCPREQUEST ignored"), + ]), + }); + + var msg28 = msg("dhcpd:07", all7); + + var part41 = match("MESSAGE#28:dhcpd:09/2", "nwparser.p0", "%{} %{interface}: wrong network"); + + var all8 = all_match({ + processors: [ + dup24, + dup67, + part41, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup27, + setc("result","wrong network"), + ]), + }); + + var msg29 = msg("dhcpd:09", all8); + + var part42 = match("MESSAGE#29:dhcpd:26/2", "nwparser.p0", 
"%{} %{interface}: lease %{hostip->} unavailable"); + + var all9 = all_match({ + processors: [ + dup24, + dup67, + part42, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + dup27, + setc("result","lease unavailable"), + ]), + }); + + var msg30 = msg("dhcpd:26", all9); + + var part43 = match("MESSAGE#30:dhcpd:08", "nwparser.payload", "DHCPREQUEST for %{saddr->} (%{shost}) from %{smacaddr->} (%{hostname}) via %{interface}", processor_chain([ + dup12, + dup6, + dup8, + dup27, + ])); + + var msg31 = msg("dhcpd:08", part43); + + var all10 = all_match({ + processors: [ + dup24, + dup67, + dup28, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup27, + ]), + }); + + var msg32 = msg("dhcpd:11", all10); + + var part44 = match("MESSAGE#32:dhcpd:31", "nwparser.payload", "DHCPRELEASE from %{smacaddr->} via %{saddr}: unknown network segment", processor_chain([ + dup12, + dup6, + dup8, + dup22, + dup29, + ])); + + var msg33 = msg("dhcpd:31", part44); + + var part45 = match("MESSAGE#33:dhcpd:32", "nwparser.payload", "BOOTREQUEST from %{smacaddr->} via %{saddr}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + setc("action","BOOTREQUEST"), + dup30, + ])); + + var msg34 = msg("dhcpd:32", part45); + + var part46 = match("MESSAGE#34:dhcpd:33", "nwparser.payload", "Reclaiming abandoned lease %{saddr}.", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Reclaiming abandoned lease"), + ])); + + var msg35 = msg("dhcpd:33", part46); + + var part47 = match("MESSAGE#35:dhcpd:34/0", "nwparser.payload", "balanc%{p0}"); + + var part48 = match("MESSAGE#35:dhcpd:34/1_0", "nwparser.p0", "ed%{p0}"); + + var part49 = match("MESSAGE#35:dhcpd:34/1_1", "nwparser.p0", "ing%{p0}"); + + var select8 = linear_select([ + part48, + part49, + ]); + + var part50 = match("MESSAGE#35:dhcpd:34/2", "nwparser.p0", "%{}pool %{fld1->} %{saddr}/%{sport->} total %{fld2->} free %{fld3->} backup %{fld4->} lts %{fld5->} max-%{fld6->} %{p0}"); + + var 
part51 = match("MESSAGE#35:dhcpd:34/3_0", "nwparser.p0", "(+/-)%{fld7}(%{info})"); + + var part52 = match("MESSAGE#35:dhcpd:34/3_1", "nwparser.p0", "(+/-)%{fld7}"); + + var part53 = match("MESSAGE#35:dhcpd:34/3_2", "nwparser.p0", "%{fld7}"); + + var select9 = linear_select([ + part51, + part52, + part53, + ]); + + var all11 = all_match({ + processors: [ + part47, + select8, + part50, + select9, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), + }); + + var msg36 = msg("dhcpd:34", all11); + + var part54 = match("MESSAGE#36:dhcpd:35", "nwparser.payload", "Unable to add reverse map from %{shost->} to %{dhost}: REFUSED", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description"," Unable to add reverse map"), + ])); + + var msg37 = msg("dhcpd:35", part54); + + var part55 = match("MESSAGE#37:dhcpd:36", "nwparser.payload", "Forward map from %{shost->} %{fld2}to %{daddr->} FAILED: %{fld1}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description"," Forward map failed"), + ])); + + var msg38 = msg("dhcpd:36", part55); + + var part56 = match("MESSAGE#38:dhcpd:14/0", "nwparser.payload", "DHCPACK on %{saddr->} to %{p0}"); + + var all12 = all_match({ + processors: [ + part56, + dup66, + dup31, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup32, + ]), + }); + + var msg39 = msg("dhcpd:14", all12); + + var part57 = match("MESSAGE#39:dhcpd:24/0", "nwparser.payload", "DHCPOFFER on %{saddr->} to %{p0}"); + + var part58 = match("MESSAGE#39:dhcpd:24/1_0", "nwparser.p0", "\"%{dmacaddr}\" (%{dhost}) via %{p0}"); + + var select10 = linear_select([ + part58, + dup20, + dup21, + ]); + + var all13 = all_match({ + processors: [ + part57, + select10, + dup31, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + setc("action","DHCPOFFER"), + ]), + }); + + var msg40 = msg("dhcpd:24", all13); + + var part59 = match("MESSAGE#40:dhcpd:17", "nwparser.payload", "DHCPNAK on %{saddr->} to %{dmacaddr->} via %{interface}", 
processor_chain([ + dup12, + dup6, + dup8, + setc("action","DHCPNAK"), + ])); + + var msg41 = msg("dhcpd:17", part59); + + var part60 = match("MESSAGE#41:dhcpd:05/0", "nwparser.payload", "DHCPDISCOVER from %{p0}"); + + var all14 = all_match({ + processors: [ + part60, + dup67, + dup28, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup23, + ]), + }); + + var msg42 = msg("dhcpd:05", all14); + + var part61 = match("MESSAGE#42:dhcpd:16", "nwparser.payload", "DHCPACK to %{daddr->} (%{dmacaddr}) via %{interface}", processor_chain([ + dup12, + dup6, + dup8, + dup32, + ])); + + var msg43 = msg("dhcpd:16", part61); + + var part62 = match("MESSAGE#43:dhcpd:20", "nwparser.payload", "DHCPINFORM from %{saddr->} via %{interface}", processor_chain([ + dup12, + dup6, + dup8, + setc("action","DHCPINFORM"), + ])); + + var msg44 = msg("dhcpd:20", part62); + + var part63 = match("MESSAGE#44:dhcpd:23", "nwparser.payload", "DHCPEXPIRE on %{saddr->} to %{dmacaddr}", processor_chain([ + dup12, + dup6, + dup8, + setc("action","DHCPEXPIRE"), + ])); + + var msg45 = msg("dhcpd:23", part63); + + var part64 = match("MESSAGE#45:dhcpd:28", "nwparser.payload", "uid lease %{hostip->} for client %{smacaddr->} is duplicate on %{mask}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg46 = msg("dhcpd:28", part64); + + var part65 = match("MESSAGE#46:dhcpd:29", "nwparser.payload", "Attempt to add forward map \"%{shost}\" (and reverse map \"%{dhost}\") for %{saddr->} abandoned because of non-retryable failure: %{result}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg47 = msg("dhcpd:29", part65); + + var part66 = match("MESSAGE#191:dhcpd:39", "nwparser.payload", "NOT FREE/BACKUP lease%{hostip}End Time%{fld1->} Bind-State %{change_old->} Next-Bind-State %{change_new}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg48 = msg("dhcpd:39", part66); + + var part67 = match("MESSAGE#192:dhcpd:41", "nwparser.payload", "RELEASE 
on%{saddr}to%{dmacaddr}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg49 = msg("dhcpd:41", part67); + + var part68 = match("MESSAGE#193:dhcpd:42", "nwparser.payload", "r-l-e:%{hostip},%{result},%{fld1},%{macaddr},%{fld3},%{fld4},%{fld5},%{info}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg50 = msg("dhcpd:42", part68); + + var part69 = match("MESSAGE#194:dhcpd:43", "nwparser.payload", "failover peer%{fld1}:%{dclass_counter1}leases added to send queue from pool%{fld3->} %{hostip}/%{network_port}", processor_chain([ + dup12, + dup6, + dup8, + setc("dclass_counter1_string","count of leases"), + dup30, + ])); + + var msg51 = msg("dhcpd:43", part69); + + var part70 = match("MESSAGE#195:dhcpd:44", "nwparser.payload", "DHCPDECLINE from%{macaddr}via%{hostip}: unknown network segment", processor_chain([ + dup12, + dup6, + dup8, + dup30, + dup29, + ])); + + var msg52 = msg("dhcpd:44", part70); + + var part71 = match("MESSAGE#196:dhcpd:45", "nwparser.payload", "Reverse map update for%{hostip}abandoned because of non-retryable failure:%{disposition}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg53 = msg("dhcpd:45", part71); + + var part72 = match("MESSAGE#197:dhcpd:46", "nwparser.payload", "Reclaiming REQUESTed abandoned IP address%{saddr}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Reclaiming REQUESTed abandoned IP address"), + ])); + + var msg54 = msg("dhcpd:46", part72); + + var part73 = match("MESSAGE#198:dhcpd:47/0", "nwparser.payload", "%{hostip}: removing client association (%{action})%{p0}"); + + var part74 = match("MESSAGE#198:dhcpd:47/1_0", "nwparser.p0", "uid=%{fld1}hw=%{macaddr}"); + + var part75 = match("MESSAGE#198:dhcpd:47/1_1", "nwparser.p0", "hw=%{macaddr}"); + + var select11 = linear_select([ + part74, + part75, + ]); + + var all15 = all_match({ + processors: [ + part73, + select11, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + 
dup30, + ]), + }); + + var msg55 = msg("dhcpd:47", all15); + + var part76 = match("MESSAGE#199:dhcpd:48", "nwparser.payload", "Lease conflict at %{hostip}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg56 = msg("dhcpd:48", part76); + + var part77 = match("MESSAGE#200:dhcpd:49", "nwparser.payload", "ICMP Echo reply while lease %{hostip->} valid.", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("protocol","ICMP"), + ])); + + var msg57 = msg("dhcpd:49", part77); + + var part78 = match("MESSAGE#201:dhcpd:50", "nwparser.payload", "Lease state %{result}. Not abandoning %{hostip}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg58 = msg("dhcpd:50", part78); + + var part79 = match("MESSAGE#202:dhcpd:51/0_0", "nwparser.payload", "Addition%{p0}"); + + var part80 = match("MESSAGE#202:dhcpd:51/0_1", "nwparser.payload", "Removal%{p0}"); + + var select12 = linear_select([ + part79, + part80, + ]); + + var part81 = match("MESSAGE#202:dhcpd:51/1", "nwparser.p0", "%{}of %{p0}"); + + var part82 = match("MESSAGE#202:dhcpd:51/2_0", "nwparser.p0", "forward%{p0}"); + + var part83 = match("MESSAGE#202:dhcpd:51/2_1", "nwparser.p0", "reverse%{p0}"); + + var select13 = linear_select([ + part82, + part83, + ]); + + var part84 = match("MESSAGE#202:dhcpd:51/3", "nwparser.p0", "%{}map for %{hostip->} deferred"); + + var all16 = all_match({ + processors: [ + select12, + part81, + select13, + part84, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("disposition","deferred"), + ]), + }); + + var msg59 = msg("dhcpd:51", all16); + + var part85 = match("MESSAGE#203:dhcpd:52", "nwparser.payload", "Hostname%{change_old}replaced by%{hostname}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg60 = msg("dhcpd:52", part85); + + var msg61 = msg("dhcpd:37", dup68); + + var select14 = linear_select([ + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + 
msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, + msg45, + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, + msg52, + msg53, + msg54, + msg55, + msg56, + msg57, + msg58, + msg59, + msg60, + msg61, + ]); + + var part86 = match("MESSAGE#47:ntpd:05", "nwparser.payload", "system event '%{event_type}' (%{fld1}) status '%{result}' (%{fld2})", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","system event status"), + ])); + + var msg62 = msg("ntpd:05", part86); + + var part87 = match("MESSAGE#48:ntpd:04", "nwparser.payload", "frequency initialized %{result->} from %(unknown)", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","frequency initialized from file"), + ])); + + var msg63 = msg("ntpd:04", part87); + + var part88 = match("MESSAGE#49:ntpd:03", "nwparser.payload", "ntpd exiting on signal %{dclass_counter1}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","ntpd exiting on signal"), + ])); + + var msg64 = msg("ntpd:03", part88); + + var part89 = match("MESSAGE#50:ntpd", "nwparser.payload", "time slew %{result}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","time slew duraion"), + ])); + + var msg65 = msg("ntpd", part89); + + var part90 = match("MESSAGE#51:ntpd:01", "nwparser.payload", "%{process}: signal %{dclass_counter1->} had flags %{result}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","signal had flags"), + ])); + + var msg66 = msg("ntpd:01", part90); + + var msg67 = msg("ntpd:02", dup64); + + var select15 = linear_select([ + msg62, + msg63, + msg64, + msg65, + msg66, + msg67, + ]); + + var part91 = match("MESSAGE#53:named:16/0", "nwparser.payload", "client %{saddr}#%{sport}:%{fld1}: update '%{zone}' %{p0}"); + + var all17 = all_match({ + processors: [ + part91, + dup69, + ], + on_success: 
processor_chain([ + dup15, + dup6, + dup8, + ]), + }); + + var msg68 = msg("named:16", all17); + + var part92 = match("MESSAGE#54:named/0", "nwparser.payload", "client %{saddr}#%{sport}: update '%{zone}/IN' %{p0}"); + + var all18 = all_match({ + processors: [ + part92, + dup69, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + dup35, + ]), + }); + + var msg69 = msg("named", all18); + + var part93 = match("MESSAGE#55:named:12/0", "nwparser.payload", "client %{saddr}#%{sport}/key dhcp_updater_default: signer \"%{owner}\" %{p0}"); + + var all19 = all_match({ + processors: [ + part93, + dup69, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + ]), + }); + + var msg70 = msg("named:12", all19); + + var part94 = match("MESSAGE#56:named:01/1_0", "nwparser.p0", "%{sport}/%{fld1}: signer \"%{p0}"); + + var part95 = match("MESSAGE#56:named:01/1_1", "nwparser.p0", "%{sport}: signer \"%{p0}"); + + var select16 = linear_select([ + part94, + part95, + ]); + + var part96 = match("MESSAGE#56:named:01/2", "nwparser.p0", "%{owner}\" %{p0}"); + + var all20 = all_match({ + processors: [ + dup36, + select16, + part96, + dup69, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + ]), + }); + + var msg71 = msg("named:01", all20); + + var part97 = match("MESSAGE#57:named:17/0", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}/%{p0}"); + + var part98 = match("MESSAGE#57:named:17/2", "nwparser.p0", "': %{p0}"); + + var part99 = match("MESSAGE#57:named:17/3_0", "nwparser.p0", "%{fld2}: %{action->} at '%{p0}"); + + var select17 = linear_select([ + part99, + dup40, + ]); + + var part100 = match("MESSAGE#57:named:17/4_1", "nwparser.p0", "%{hostname}' %{p0}"); + + var select18 = linear_select([ + dup41, + part100, + ]); + + var all21 = all_match({ + processors: [ + part97, + dup70, + part98, + select17, + select18, + dup71, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup45, + dup35, + ]), + }); + + var msg72 = 
msg("named:17", all21); + + var part101 = match("MESSAGE#58:named:18/0", "nwparser.payload", "client %{saddr}#%{sport}:%{fld1}: updating zone '%{zone}': %{p0}"); + + var part102 = match("MESSAGE#58:named:18/1_0", "nwparser.p0", "adding %{p0}"); + + var part103 = match("MESSAGE#58:named:18/1_1", "nwparser.p0", "deleting%{p0}"); + + var select19 = linear_select([ + part102, + part103, + ]); + + var part104 = match("MESSAGE#58:named:18/2", "nwparser.p0", "%{} %{info->} at '%{hostname}'"); + + var all22 = all_match({ + processors: [ + part101, + select19, + part104, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg73 = msg("named:18", all22); + + var part105 = match("MESSAGE#59:named:02/0", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}/%{p0}"); + + var part106 = match("MESSAGE#59:named:02/2", "nwparser.p0", "':%{p0}"); + + var part107 = match("MESSAGE#59:named:02/3_0", "nwparser.p0", "%{fld1}: %{action->} at '%{p0}"); + + var select20 = linear_select([ + part107, + dup40, + ]); + + var part108 = match("MESSAGE#59:named:02/4_1", "nwparser.p0", "%{hostip}' %{p0}"); + + var select21 = linear_select([ + dup41, + part108, + ]); + + var all23 = all_match({ + processors: [ + part105, + dup70, + part106, + select20, + select21, + dup71, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup45, + dup35, + ]), + }); + + var msg74 = msg("named:02", all23); + + var part109 = match("MESSAGE#60:named:19/0", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}': update %{disposition}: %{p0}"); + + var part110 = match("MESSAGE#60:named:19/1_0", "nwparser.p0", "%{hostname}/%{dns_querytype}: %{p0}"); + + var part111 = match("MESSAGE#60:named:19/1_1", "nwparser.p0", "%{hostname}: %{p0}"); + + var select22 = linear_select([ + part110, + part111, + ]); + + var all24 = all_match({ + processors: [ + part109, + select22, + dup46, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + 
dup47, + ]), + }); + + var msg75 = msg("named:19", all24); + + var part112 = match("MESSAGE#61:named:03", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': update %{disposition}: %{hostname}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg76 = msg("named:03", part112); + + var part113 = match("MESSAGE#62:named:11", "nwparser.payload", "zone %{zone}: notify from %{saddr}#%{sport}: zone is up to date", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","notify zone is up to date"), + ])); + + var msg77 = msg("named:11", part113); + + var part114 = match("MESSAGE#63:named:13", "nwparser.payload", "zone %{zone}: notify from %{saddr}#%{sport}: %{action}, %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg78 = msg("named:13", part114); + + var part115 = match("MESSAGE#64:named:14", "nwparser.payload", "zone %{zone}: refresh: retry limit for master %{saddr}#%{sport->} exceeded (%{action})", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg79 = msg("named:14", part115); + + var part116 = match("MESSAGE#65:named:15", "nwparser.payload", "zone %{zone}: refresh: failure trying master %{saddr}#%{sport->} (source ::#0): %{action}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg80 = msg("named:15", part116); + + var part117 = match("MESSAGE#66:named:25/0", "nwparser.payload", "DNS format error from %{saddr}#%{sport->} resolving %{domain}/%{dns_querytype->} for client %{daddr}#%{dport}: %{p0}"); + + var part118 = match("MESSAGE#66:named:25/1_0", "nwparser.p0", "%{error}--%{result}"); + + var part119 = match("MESSAGE#66:named:25/1_1", "nwparser.p0", "%{result}"); + + var select23 = linear_select([ + part118, + part119, + ]); + + var all25 = all_match({ + processors: [ + part117, + select23, + ], + on_success: processor_chain([ + dup48, + dup49, + dup14, + dup6, + dup8, + setc("event_description","DNS format error"), + dup30, + ]), + }); + + var 
msg81 = msg("named:25", all25); + + var part120 = match("MESSAGE#67:named:63/2", "nwparser.p0", "%{sport->} (#%{fld5}): query: %{domain->} %{fld4->} (%{daddr})"); + + var all26 = all_match({ + processors: [ + dup50, + dup72, + part120, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), + }); + + var msg82 = msg("named:63", all26); + + var part121 = match("MESSAGE#68:named:72/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{fld1}): %{p0}"); + + var part122 = match("MESSAGE#68:named:72/1_0", "nwparser.p0", "view%{fld3}: query:%{p0}"); + + var part123 = match("MESSAGE#68:named:72/1_1", "nwparser.p0", "query:%{p0}"); + + var select24 = linear_select([ + part122, + part123, + ]); + + var part124 = match("MESSAGE#68:named:72/2", "nwparser.p0", "%{} %{domain->} %{fld2->} %{dns_querytype->} %{context->} (%{daddr})"); + + var all27 = all_match({ + processors: [ + part121, + select24, + part124, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), + }); + + var msg83 = msg("named:72", all27); + + var part125 = match("MESSAGE#69:named:28", "nwparser.payload", "%{action->} (%{saddr}#%{sport}) %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg84 = msg("named:28", part125); + + var part126 = match("MESSAGE#70:named:71/0", "nwparser.payload", "transfer of '%{zone}' from %{saddr}#%{sport}: failed %{p0}"); + + var part127 = match("MESSAGE#70:named:71/1_0", "nwparser.p0", "to connect: %{result}"); + + var part128 = match("MESSAGE#70:named:71/1_1", "nwparser.p0", "while receiving responses: %{result}"); + + var select25 = linear_select([ + part127, + part128, + ]); + + var all28 = all_match({ + processors: [ + part126, + select25, + ], + on_success: processor_chain([ + dup48, + dup6, + dup8, + dup30, + setc("event_description","failed"), + ]), + }); + + var msg85 = msg("named:71", all28); + + var part129 = match("MESSAGE#71:named:70/0", "nwparser.payload", "transfer of '%{zone}' from 
%{saddr}#%{sport}: %{p0}"); + + var part130 = match("MESSAGE#71:named:70/1_0", "nwparser.p0", "connected using %{daddr}#%{dport}"); + + var select26 = linear_select([ + part130, + dup46, + ]); + + var all29 = all_match({ + processors: [ + part129, + select26, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), + }); + + var msg86 = msg("named:70", all29); + + var part131 = match("MESSAGE#72:named:40/0", "nwparser.payload", "%{fld1->} client %{saddr}#%{sport}: %{p0}"); + + var part132 = match("MESSAGE#72:named:40/1_0", "nwparser.p0", "view %{fld2}: %{protocol}: query: %{p0}"); + + var part133 = match("MESSAGE#72:named:40/1_1", "nwparser.p0", "%{protocol}: query: %{p0}"); + + var select27 = linear_select([ + part132, + part133, + ]); + + var part134 = match("MESSAGE#72:named:40/2", "nwparser.p0", "%{domain->} %{fld3->} %{dns_querytype->} response:%{result->} %{p0}"); + + var part135 = match("MESSAGE#72:named:40/3_0", "nwparser.p0", "%{context->} %{dns.resptext}"); + + var part136 = match("MESSAGE#72:named:40/3_1", "nwparser.p0", "%{context}"); + + var select28 = linear_select([ + part135, + part136, + ]); + + var all30 = all_match({ + processors: [ + part131, + select27, + part134, + select28, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), + }); + + var msg87 = msg("named:40", all30); + + var part137 = match("MESSAGE#73:named:05", "nwparser.payload", "zone '%{zone}' %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg88 = msg("named:05", part137); + + var part138 = match("MESSAGE#74:named:10/1_0", "nwparser.p0", "%{sport->} %{fld22}/%{fld21}:%{p0}"); + + var part139 = match("MESSAGE#74:named:10/1_1", "nwparser.p0", "%{sport}/%{fld21}:%{p0}"); + + var part140 = match("MESSAGE#74:named:10/1_2", "nwparser.p0", "%{sport->} (%{fld21}): %{p0}"); + + var select29 = linear_select([ + part138, + part139, + part140, + dup53, + ]); + + var part141 = match("MESSAGE#74:named:10/2", 
"nwparser.p0", "%{}query: %{domain->} %{info->} (%{daddr})"); + + var all31 = all_match({ + processors: [ + dup36, + select29, + part141, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","dns query"), + ]), + }); + + var msg89 = msg("named:10", all31); + + var part142 = match("MESSAGE#75:named:29", "nwparser.payload", "client %{saddr}#%{sport}: %{fld1}: received notify for zone '%{zone}'", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","received notify for zone"), + ])); + + var msg90 = msg("named:29", part142); + + var part143 = match("MESSAGE#76:named:08", "nwparser.payload", "client %{saddr}#%{sport}: received notify for zone '%{zone}'", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","client received notify for zone"), + ])); + + var msg91 = msg("named:08", part143); + + var part144 = match("MESSAGE#77:named:09", "nwparser.payload", "client %{saddr}#%{sport}: update forwarding '%{zone}' denied", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","client update forwarding for zone denied"), + ])); + + var msg92 = msg("named:09", part144); + + var part145 = match("MESSAGE#78:named:76/0", "nwparser.payload", "zone %{zone}: ZRQ appl%{p0}"); + + var part146 = match("MESSAGE#78:named:76/1_0", "nwparser.p0", "ied%{p0}"); + + var part147 = match("MESSAGE#78:named:76/1_1", "nwparser.p0", "ying%{p0}"); + + var select30 = linear_select([ + part146, + part147, + ]); + + var part148 = match("MESSAGE#78:named:76/2", "nwparser.p0", "%{}transaction %{p0}"); + + var part149 = match("MESSAGE#78:named:76/3_0", "nwparser.p0", "%{operation_id->} with SOA serial %{serial_number}. 
Zone version is now %{version}."); + + var part150 = match("MESSAGE#78:named:76/3_1", "nwparser.p0", "%{fld1}."); + + var select31 = linear_select([ + part149, + part150, + ]); + + var all32 = all_match({ + processors: [ + part145, + select30, + part148, + select31, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), + }); + + var msg93 = msg("named:76", all32); + + var part151 = match("MESSAGE#79:named:75", "nwparser.payload", "zone %{zone}: ZRQ applied %{action->} for '%{fld1}': %{fld2->} %{fld3->} %{dns_querytype->} %{info}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg94 = msg("named:75", part151); + + var part152 = match("MESSAGE#80:named:06/0", "nwparser.payload", "zone%{p0}"); + + var part153 = match("MESSAGE#80:named:06/1_0", "nwparser.p0", "_%{fld1}: %{p0}"); + + var part154 = match("MESSAGE#80:named:06/1_1", "nwparser.p0", " %{zone}: %{p0}"); + + var select32 = linear_select([ + part153, + part154, + ]); + + var all33 = all_match({ + processors: [ + part152, + select32, + dup46, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), + }); + + var msg95 = msg("named:06", all33); + + var part155 = match("MESSAGE#81:named:20", "nwparser.payload", "REFUSED unexpected RCODE resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup12, + dup49, + dup14, + dup6, + dup8, + dup54, + dup30, + dup55, + ])); + + var msg96 = msg("named:20", part155); + + var part156 = match("MESSAGE#82:named:49/0", "nwparser.payload", "REFUSED unexpected RCODE resolving '%{zone}/%{dns_querytype}/IN': %{p0}"); + + var part157 = match("MESSAGE#82:named:49/1_0", "nwparser.p0", "%{daddr}#%{dport}"); + + var part158 = match("MESSAGE#82:named:49/1_1", "nwparser.p0", "%{fld1}"); + + var select33 = linear_select([ + part157, + part158, + ]); + + var all34 = all_match({ + processors: [ + part156, + select33, + ], + on_success: processor_chain([ + dup56, + dup49, + dup14, + dup6, 
+ dup8, + dup54, + dup30, + dup35, + ]), + }); + + var msg97 = msg("named:49", all34); + + var part159 = match("MESSAGE#83:named:24/1_0", "nwparser.p0", "%{domain}): %{fld2}: zone transfer%{p0}"); + + var part160 = match("MESSAGE#83:named:24/1_1", "nwparser.p0", "%{domain}): zone transfer%{p0}"); + + var select34 = linear_select([ + part159, + part160, + ]); + + var part161 = match("MESSAGE#83:named:24/2", "nwparser.p0", "%{}'%{zone}' %{action}"); + + var all35 = all_match({ + processors: [ + dup57, + select34, + part161, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), + }); + + var msg98 = msg("named:24", all35); + + var part162 = match("MESSAGE#84:named:26/1_0", "nwparser.p0", "%{domain}): %{fld2}: no more recursive clients %{p0}"); + + var part163 = match("MESSAGE#84:named:26/1_1", "nwparser.p0", "%{domain}): no more recursive clients%{p0}"); + + var select35 = linear_select([ + part162, + part163, + ]); + + var part164 = match("MESSAGE#84:named:26/2", "nwparser.p0", "%{}(%{fld3}) %{info}"); + + var all36 = all_match({ + processors: [ + dup57, + select35, + part164, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg99 = msg("named:26", all36); + + var part165 = match("MESSAGE#85:named:27/1_0", "nwparser.p0", "%{domain}): %{fld2->} : %{fld3->} response from Internet for %{p0}"); + + var part166 = match("MESSAGE#85:named:27/1_1", "nwparser.p0", "%{domain}): %{fld3->} response from Internet for %{p0}"); + + var select36 = linear_select([ + part165, + part166, + ]); + + var part167 = match("MESSAGE#85:named:27/2", "nwparser.p0", "%{fld4}"); + + var all37 = all_match({ + processors: [ + dup57, + select36, + part167, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg100 = msg("named:27", all37); + + var part168 = match("MESSAGE#86:named:38/2_0", "nwparser.p0", "%{sport}#%{fld5->} (%{fld6}):%{p0}"); + + var part169 = match("MESSAGE#86:named:38/2_1", "nwparser.p0", 
"%{sport->} (%{fld5}):%{p0}"); + + var select37 = linear_select([ + part168, + part169, + dup53, + ]); + + var part170 = match("MESSAGE#86:named:38/3", "nwparser.p0", "%{}query%{p0}"); + + var part171 = match("MESSAGE#86:named:38/4_0", "nwparser.p0", " (%{fld7}) '%{domain}/%{fld4}' %{result}"); + + var part172 = match("MESSAGE#86:named:38/4_1", "nwparser.p0", ": %{domain->} %{fld4->} (%{daddr})"); + + var select38 = linear_select([ + part171, + part172, + ]); + + var all38 = all_match({ + processors: [ + dup50, + dup72, + select37, + part170, + select38, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg101 = msg("named:38", all38); + + var part173 = match("MESSAGE#87:named:39", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: error (%{result}) resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup12, + dup49, + dup14, + dup6, + dup8, + dup54, + ])); + + var msg102 = msg("named:39", part173); + + var part174 = match("MESSAGE#88:named:46", "nwparser.payload", "%{event_description}: Authorization denied for the operation (%{fld4}): %{fld5->} (data=\"%{hostip}\", source=\"%{hostname}\")", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg103 = msg("named:46", part174); + + var part175 = match("MESSAGE#89:named:64", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}': deleting %{info->} at %{hostname->} %{dns_querytype}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg104 = msg("named:64", part175); + + var part176 = match("MESSAGE#90:named:45", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': deleting %{info->} at %{hostname->} %{dns_querytype}", processor_chain([ + dup12, + dup6, + dup8, + dup47, + ])); + + var msg105 = msg("named:45", part176); + + var part177 = match("MESSAGE#91:named:44/0", "nwparser.payload", "client %{saddr}#%{sport}/key dhcp_updater_default: updating zone '%{p0}"); + 
+ var part178 = match("MESSAGE#91:named:44/1_0", "nwparser.p0", "%{domain}/IN'%{p0}"); + + var part179 = match("MESSAGE#91:named:44/1_1", "nwparser.p0", "%{domain}'%{p0}"); + + var select39 = linear_select([ + part178, + part179, + ]); + + var part180 = match("MESSAGE#91:named:44/2", "nwparser.p0", ": %{p0}"); + + var part181 = match("MESSAGE#91:named:44/3_0", "nwparser.p0", "deleting an RR at %{daddr}.in-addr.arpa "); + + var part182 = match("MESSAGE#91:named:44/3_1", "nwparser.p0", "deleting an RR at %{daddr}.%{fld6->} "); + + var part183 = match("MESSAGE#91:named:44/3_2", "nwparser.p0", "%{fld5}"); + + var select40 = linear_select([ + part181, + part182, + part183, + ]); + + var all39 = all_match({ + processors: [ + part177, + select39, + part180, + select40, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg106 = msg("named:44", all39); + + var part184 = match("MESSAGE#92:named:43", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): query (%{fld3}) '%{fld4}/%{dns_querytype}/IN' %{result}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg107 = msg("named:43", part184); + + var part185 = match("MESSAGE#93:named:42", "nwparser.payload", "%{result->} resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup12, + dup6, + dup8, + dup55, + ])); + + var msg108 = msg("named:42", part185); + + var part186 = match("MESSAGE#94:named:41", "nwparser.payload", "%{fld1}: unable to find root NS '%{domain}'", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg109 = msg("named:41", part186); + + var part187 = match("MESSAGE#95:named:47", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': update %{disposition}: %{event_description}", processor_chain([ + setc("eventcategory","1502000000"), + dup6, + dup8, + ])); + + var msg110 = msg("named:47", part187); + + var part188 = match("MESSAGE#96:named:48", "nwparser.payload", "client 
%{saddr}#%{sport->} (%{hostname}): query '%{zone}' %{result}", processor_chain([ + dup56, + dup6, + dup8, + dup30, + ])); + + var msg111 = msg("named:48", part188); + + var part189 = match("MESSAGE#97:named:62", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1->} (%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg112 = msg("named:62", part189); + + var part190 = match("MESSAGE#98:named:53", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg113 = msg("named:53", part190); + + var part191 = match("MESSAGE#99:named:77", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): query failed (%{error}) for %{fld1}/IN/%{dns_querytype->} at %(unknown):%{fld2}", processor_chain([ + dup48, + dup6, + dup8, + setc("event_description"," query failed"), + ])); + + var msg114 = msg("named:77", part191); + + var part192 = match("MESSAGE#100:named:52", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): %{info}", processor_chain([ + dup58, + dup6, + dup8, + dup47, + ])); + + var msg115 = msg("named:52", part192); + + var part193 = match("MESSAGE#101:named:50", "nwparser.payload", "%{fld1}: %{domain}/%{dns_querytype->} (%{saddr}) %{info}", processor_chain([ + dup58, + dup6, + dup8, + ])); + + var msg116 = msg("named:50", part193); + + var part194 = match("MESSAGE#102:named:51", "nwparser.payload", "%{fld1}: %{fld2}: REFUSED", processor_chain([ + dup56, + dup6, + dup8, + dup49, + dup14, + dup54, + ])); + + var msg117 = msg("named:51", part194); + + var part195 = match("MESSAGE#103:named:54", "nwparser.payload", "%{hostip}#%{network_port}: GSS-TSIG authentication failed:%{event_description}", processor_chain([ + dup58, + dup6, + dup8, + dup2, + dup14, + dup30, + ])); + + var msg118 = msg("named:54", part195); + + var part196 = match("MESSAGE#104:named:55/0", "nwparser.payload", "success 
resolving '%{domain}/%{dns_querytype}' (in '%{fld1}'?) %{p0}"); + + var part197 = match("MESSAGE#104:named:55/1_0", "nwparser.p0", "after disabling EDNS%{}"); + + var part198 = match("MESSAGE#104:named:55/1_1", "nwparser.p0", "%{fld2}"); + + var select41 = linear_select([ + part197, + part198, + ]); + + var all40 = all_match({ + processors: [ + part196, + select41, + ], + on_success: processor_chain([ + dup58, + dup6, + dup8, + dup5, + dup30, + dup59, + ]), + }); + + var msg119 = msg("named:55", all40); + + var part199 = match("MESSAGE#105:named:56", "nwparser.payload", "SERVFAIL unexpected RCODE resolving '%{domain}/%{dns_querytype}/IN':%{hostip}#%{network_port}", processor_chain([ + dup58, + dup6, + dup8, + dup49, + dup14, + dup30, + dup59, + ])); + + var msg120 = msg("named:56", part199); + + var part200 = match("MESSAGE#106:named:57", "nwparser.payload", "FORMERR resolving '%{domain}/%{dns_querytype}/IN':%{hostip}#%{network_port}", processor_chain([ + dup58, + dup6, + dup8, + setc("ec_outcome","Error"), + dup30, + dup59, + ])); + + var msg121 = msg("named:57", part200); + + var part201 = match("MESSAGE#107:named:04/0", "nwparser.payload", "%{action->} on %{p0}"); + + var part202 = match("MESSAGE#107:named:04/1_0", "nwparser.p0", "IPv4 interface %{sinterface}, %{saddr}#%{p0}"); + + var part203 = match("MESSAGE#107:named:04/1_1", "nwparser.p0", "%{saddr}#%{p0}"); + + var select42 = linear_select([ + part202, + part203, + ]); + + var part204 = match("MESSAGE#107:named:04/2", "nwparser.p0", "%{sport}"); + + var all41 = all_match({ + processors: [ + part201, + select42, + part204, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg122 = msg("named:04", all41); + + var part205 = match("MESSAGE#108:named:58", "nwparser.payload", "lame server resolving '%{domain}' (in '%{fld2}'?):%{hostip}#%{network_port}", processor_chain([ + dup58, + dup6, + dup8, + dup30, + dup59, + ])); + + var msg123 = msg("named:58", part205); + + var part206 = 
match("MESSAGE#109:named:59", "nwparser.payload", "exceeded max queries resolving '%{domain}/%{dns_querytype}'", processor_chain([ + dup12, + dup6, + dup8, + dup30, + dup59, + ])); + + var msg124 = msg("named:59", part206); + + var part207 = match("MESSAGE#110:named:60", "nwparser.payload", "skipping nameserver '%{hostname}' because it is a CNAME, while resolving '%{domain}/%{dns_querytype}'", processor_chain([ + dup12, + dup6, + dup8, + dup30, + dup59, + setc("event_description","skipping nameserver because it is a CNAME"), + ])); + + var msg125 = msg("named:60", part207); + + var part208 = match("MESSAGE#111:named:61", "nwparser.payload", "loading configuration from '%(unknown)'", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg126 = msg("named:61", part208); + + var part209 = match("MESSAGE#112:named:73", "nwparser.payload", "fetch: %{zone}/%{dns_querytype}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + dup35, + ])); + + var msg127 = msg("named:73", part209); + + var part210 = match("MESSAGE#113:named:74", "nwparser.payload", "decrement_reference: delete from rbt: %{fld1->} %{domain}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg128 = msg("named:74", part210); + + var part211 = match("MESSAGE#114:named:07/0_0", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): view %{fld2}: query: %{web_query}"); + + var part212 = match("MESSAGE#114:named:07/0_1", "nwparser.payload", "%{event_description}"); + + var select43 = linear_select([ + part211, + part212, + ]); + + var all42 = all_match({ + processors: [ + select43, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), + }); + + var msg129 = msg("named:07", all42); + + var select44 = linear_select([ + msg68, + msg69, + msg70, + msg71, + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + msg88, + msg89, + msg90, + msg91, + msg92, + 
msg93, + msg94, + msg95, + msg96, + msg97, + msg98, + msg99, + msg100, + msg101, + msg102, + msg103, + msg104, + msg105, + msg106, + msg107, + msg108, + msg109, + msg110, + msg111, + msg112, + msg113, + msg114, + msg115, + msg116, + msg117, + msg118, + msg119, + msg120, + msg121, + msg122, + msg123, + msg124, + msg125, + msg126, + msg127, + msg128, + msg129, + ]); + + var part213 = match("MESSAGE#115:pidof:01", "nwparser.payload", "can't read sid from %{agent}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","can't read sid"), + ])); + + var msg130 = msg("pidof:01", part213); + + var part214 = match("MESSAGE#116:pidof", "nwparser.payload", "can't get program name from %{agent}", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var msg131 = msg("pidof", part214); + + var select45 = linear_select([ + msg130, + msg131, + ]); + + var part215 = match("MESSAGE#117:validate_dhcpd:01", "nwparser.payload", "Configured local-address not available as source address for DNS updates. 
%{result}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Configured local-address not available as source address for DNS updates"), + ])); + + var msg132 = msg("validate_dhcpd:01", part215); + + var msg133 = msg("validate_dhcpd", dup73); + + var select46 = linear_select([ + msg132, + msg133, + ]); + + var msg134 = msg("syslog-ng", dup64); + + var part216 = match("MESSAGE#120:kernel", "nwparser.payload", "Linux version %{version->} (%{from}) (%{fld1}) %{fld2}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg135 = msg("kernel", part216); + + var msg136 = msg("kernel:01", dup64); + + var select47 = linear_select([ + msg135, + msg136, + ]); + + var msg137 = msg("radiusd", dup64); + + var part217 = match("MESSAGE#123:rc", "nwparser.payload", "executing %{agent->} start", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg138 = msg("rc", part217); + + var msg139 = msg("rc3", dup64); + + var part218 = match("MESSAGE#125:rcsysinit", "nwparser.payload", "fsck from %{version}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg140 = msg("rcsysinit", part218); + + var msg141 = msg("rcsysinit:01", dup64); + + var select48 = linear_select([ + msg140, + msg141, + ]); + + var part219 = match("MESSAGE#126:watchdog", "nwparser.payload", "opened %(unknown), with timeout = %{duration->} secs", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg142 = msg("watchdog", part219); + + var part220 = match("MESSAGE#127:watchdog:01", "nwparser.payload", "%{action}, pid = %{process_id}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg143 = msg("watchdog:01", part220); + + var part221 = match("MESSAGE#128:watchdog:02", "nwparser.payload", "received %{fld1}, cancelling softdog and exiting...", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg144 = msg("watchdog:02", part221); + + var part222 = match("MESSAGE#129:watchdog:03", "nwparser.payload", "%{filename->} could not be opened, errno = 
%{resultcode}", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var msg145 = msg("watchdog:03", part222); + + var msg146 = msg("watchdog:04", dup64); + + var select49 = linear_select([ + msg142, + msg143, + msg144, + msg145, + msg146, + ]); + + var msg147 = msg("init", dup64); + + var part223 = match("MESSAGE#131:logger", "nwparser.payload", "%{action}: %{saddr}/%{mask->} to %{interface}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg148 = msg("logger", part223); + + var msg149 = msg("logger:01", dup64); + + var select50 = linear_select([ + msg148, + msg149, + ]); + + var part224 = match("MESSAGE#133:openvpn-member", "nwparser.payload", "read %{protocol->} [%{info}] %{event_description->} (code=%{resultcode})", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var msg150 = msg("openvpn-member", part224); + + var msg151 = msg("openvpn-member:01", dup74); + + var part225 = match("MESSAGE#135:openvpn-member:02", "nwparser.payload", "Options error: %{event_description}", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var msg152 = msg("openvpn-member:02", part225); + + var part226 = match("MESSAGE#136:openvpn-member:03", "nwparser.payload", "OpenVPN %{version->} [%{protocol}] [%{fld2}] %{info}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg153 = msg("openvpn-member:03", part226); + + var msg154 = msg("openvpn-member:04", dup75); + + var msg155 = msg("openvpn-member:05", dup64); + + var select51 = linear_select([ + msg150, + msg151, + msg152, + msg153, + msg154, + msg155, + ]); + + var part227 = match("MESSAGE#139:sshd", "nwparser.payload", "Server listening on %{hostip->} port %{network_port}.", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg156 = msg("sshd", part227); + + var part228 = match("MESSAGE#140:sshd:01/0", "nwparser.payload", "Accepted password for %{p0}"); + + var part229 = match("MESSAGE#140:sshd:01/1_0", "nwparser.p0", "root from %{p0}"); + + var part230 = match("MESSAGE#140:sshd:01/1_1", 
"nwparser.p0", "%{username->} from %{p0}"); + + var select52 = linear_select([ + part229, + part230, + ]); + + var part231 = match("MESSAGE#140:sshd:01/2", "nwparser.p0", "%{saddr->} port %{sport->} %{protocol}"); + + var all43 = all_match({ + processors: [ + part228, + select52, + part231, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg157 = msg("sshd:01", all43); + + var part232 = match("MESSAGE#141:sshd:02", "nwparser.payload", "Connection closed by %{hostip}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg158 = msg("sshd:02", part232); + + var part233 = match("MESSAGE#142:sshd:03", "nwparser.payload", "%{severity}: Bind to port %{network_port->} on %{hostip->} %{result}: %{event_description}", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var msg159 = msg("sshd:03", part233); + + var part234 = match("MESSAGE#143:sshd:04", "nwparser.payload", "%{severity}: Cannot bind any address.", processor_chain([ + setc("eventcategory","1601000000"), + dup6, + dup8, + ])); + + var msg160 = msg("sshd:04", part234); + + var part235 = match("MESSAGE#144:sshd:05", "nwparser.payload", "%{action}: logout() %{result}", processor_chain([ + dup1, + dup2, + dup4, + dup14, + dup6, + dup8, + setc("event_description","logout"), + ])); + + var msg161 = msg("sshd:05", part235); + + var part236 = match("MESSAGE#145:sshd:06", "nwparser.payload", "Did not receive identification string from %{saddr}", processor_chain([ + dup15, + dup6, + setc("result","no identification string"), + setc("event_description","Did not receive identification string from peer"), + ])); + + var msg162 = msg("sshd:06", part236); + + var part237 = match("MESSAGE#146:sshd:07", "nwparser.payload", "Sleep 60 seconds for slowing down ssh login%{}", processor_chain([ + dup12, + dup6, + setc("result","slowing down ssh login"), + setc("event_description","Sleep 60 seconds"), + ])); + + var msg163 = msg("sshd:07", part237); + + var part238 = 
match("MESSAGE#147:sshd:08", "nwparser.payload", "%{authmethod->} authentication succeeded for user %{username}", processor_chain([ + setc("eventcategory","1302010300"), + dup6, + setc("event_description","authentication succeeded"), + dup8, + dup60, + ])); + + var msg164 = msg("sshd:08", part238); + + var part239 = match("MESSAGE#148:sshd:09", "nwparser.payload", "User group = %{group}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","User group"), + dup60, + ])); + + var msg165 = msg("sshd:09", part239); + + var part240 = match("MESSAGE#149:sshd:10", "nwparser.payload", "Bad protocol version identification '%{protocol_detail}' from %{saddr}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Bad protocol version identification"), + dup60, + ])); + + var msg166 = msg("sshd:10", part240); + + var select53 = linear_select([ + msg156, + msg157, + msg158, + msg159, + msg160, + msg161, + msg162, + msg163, + msg164, + msg165, + msg166, + ]); + + var part241 = match("MESSAGE#150:openvpn-master", "nwparser.payload", "OpenVPN %{version->} [%{protocol}] [%{fld1}] %{info}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg167 = msg("openvpn-master", part241); + + var part242 = match("MESSAGE#151:openvpn-master:01", "nwparser.payload", "read %{protocol->} [%{info}]: %{event_description->} (code=%{resultcode})", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var msg168 = msg("openvpn-master:01", part242); + + var msg169 = msg("openvpn-master:02", dup74); + + var part243 = match("MESSAGE#153:openvpn-master:03", "nwparser.payload", "%{saddr}:%{sport->} TLS Error: TLS handshake failed", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var msg170 = msg("openvpn-master:03", part243); + + var part244 = match("MESSAGE#154:openvpn-master:04", "nwparser.payload", "%{fld1}/%{saddr}:%{sport->} [%{fld2}] %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg171 = msg("openvpn-master:04", 
part244); + + var part245 = match("MESSAGE#155:openvpn-master:05", "nwparser.payload", "%{saddr}:%{sport->} [%{fld1}] %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg172 = msg("openvpn-master:05", part245); + + var msg173 = msg("openvpn-master:06", dup75); + + var msg174 = msg("openvpn-master:07", dup64); + + var select54 = linear_select([ + msg167, + msg168, + msg169, + msg170, + msg171, + msg172, + msg173, + msg174, + ]); + + var part246 = match("MESSAGE#158:INFOBLOX-Grid", "nwparser.payload", "Grid member at %{saddr->} %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg175 = msg("INFOBLOX-Grid", part246); + + var part247 = match("MESSAGE#159:INFOBLOX-Grid:02/0_0", "nwparser.payload", "Started%{p0}"); + + var part248 = match("MESSAGE#159:INFOBLOX-Grid:02/0_1", "nwparser.payload", "Completed%{p0}"); + + var select55 = linear_select([ + part247, + part248, + ]); + + var part249 = match("MESSAGE#159:INFOBLOX-Grid:02/1", "nwparser.p0", "%{}distribution on member with IP address %{saddr}"); + + var all44 = all_match({ + processors: [ + select55, + part249, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg176 = msg("INFOBLOX-Grid:02", all44); + + var part250 = match("MESSAGE#160:INFOBLOX-Grid:03", "nwparser.payload", "Upgrade Complete%{}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Upgrade Complete"), + ])); + + var msg177 = msg("INFOBLOX-Grid:03", part250); + + var part251 = match("MESSAGE#161:INFOBLOX-Grid:04", "nwparser.payload", "Upgrade to %{fld1}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg178 = msg("INFOBLOX-Grid:04", part251); + + var select56 = linear_select([ + msg175, + msg176, + msg177, + msg178, + ]); + + var part252 = match("MESSAGE#162:db_jnld", "nwparser.payload", "Grid member at %{saddr->} is online.", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg179 = msg("db_jnld", part252); + + var 
part253 = match("MESSAGE#219:db_jnld:01/0", "nwparser.payload", "Resolved conflict for replicated delete of %{p0}"); + + var part254 = match("MESSAGE#219:db_jnld:01/1_0", "nwparser.p0", "PTR %{p0}"); + + var part255 = match("MESSAGE#219:db_jnld:01/1_1", "nwparser.p0", "TXT %{p0}"); + + var part256 = match("MESSAGE#219:db_jnld:01/1_2", "nwparser.p0", "A %{p0}"); + + var part257 = match("MESSAGE#219:db_jnld:01/1_3", "nwparser.p0", "CNAME %{p0}"); + + var part258 = match("MESSAGE#219:db_jnld:01/1_4", "nwparser.p0", "SRV %{p0}"); + + var select57 = linear_select([ + part254, + part255, + part256, + part257, + part258, + ]); + + var part259 = match("MESSAGE#219:db_jnld:01/2", "nwparser.p0", "%{}\"%{fld1}\" in zone \"%{zone}\""); + + var all45 = all_match({ + processors: [ + part253, + select57, + part259, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg180 = msg("db_jnld:01", all45); + + var select58 = linear_select([ + msg179, + msg180, + ]); + + var part260 = match("MESSAGE#163:sSMTP/0", "nwparser.payload", "Sent mail for %{to->} (%{fld1}) %{p0}"); + + var part261 = match("MESSAGE#163:sSMTP/1_0", "nwparser.p0", "uid=%{uid->} username=%{username->} outbytes=%{sbytes->} "); + + var part262 = match("MESSAGE#163:sSMTP/1_1", "nwparser.p0", "%{space->} "); + + var select59 = linear_select([ + part261, + part262, + ]); + + var all46 = all_match({ + processors: [ + part260, + select59, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg181 = msg("sSMTP", all46); + + var part263 = match("MESSAGE#164:sSMTP:02", "nwparser.payload", "Cannot open %{hostname}:%{network_port}", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var msg182 = msg("sSMTP:02", part263); + + var part264 = match("MESSAGE#165:sSMTP:03", "nwparser.payload", "Unable to locate %{hostname}.", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var msg183 = msg("sSMTP:03", part264); + + var msg184 = msg("sSMTP:04", dup73); + + var 
select60 = linear_select([ + msg181, + msg182, + msg183, + msg184, + ]); + + var part265 = match("MESSAGE#167:scheduled_backups", "nwparser.payload", "Backup to %{device->} was successful - Backup file %(unknown)", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg185 = msg("scheduled_backups", part265); + + var part266 = match("MESSAGE#168:scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device->} was successful - Backup file %(unknown)", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Scheduled backup to the FTP server was successful"), + ])); + + var msg186 = msg("scheduled_ftp_backups", part266); + + var part267 = match("MESSAGE#169:failed_scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device->} failed - %{result}.", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Scheduled backup to the FTP server failed"), + ])); + + var msg187 = msg("failed_scheduled_ftp_backups", part267); + + var select61 = linear_select([ + msg186, + msg187, + ]); + + var part268 = match("MESSAGE#170:scheduled_scp_backups", "nwparser.payload", "Scheduled backup to the %{device->} was successful - Backup file %(unknown)", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Scheduled backup to the SCP server was successful"), + ])); + + var msg188 = msg("scheduled_scp_backups", part268); + + var part269 = match("MESSAGE#171:python", "nwparser.payload", "%{action->} even though zone '%{zone}' in view '%{fld1}' is locked.", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg189 = msg("python", part269); + + var part270 = match("MESSAGE#172:python:01", "nwparser.payload", "%{action->} (algorithm=%{fld1}, key tag=%{fld2}, key size=%{fld3}): '%{hostname}' in view '%{fld4}'.", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg190 = msg("python:01", part270); + + var part271 = match("MESSAGE#173:python:02", "nwparser.payload", "%{action}: '%{hostname}' 
in view '%{fld1}'.", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg191 = msg("python:02", part271); + + var part272 = match("MESSAGE#174:python:03", "nwparser.payload", "%{action}: FQDN='%{domain}', ADDRESS='%{saddr}', View='%{fld1}'", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg192 = msg("python:03", part272); + + var part273 = match("MESSAGE#175:python:04", "nwparser.payload", "%{action}: FQDN='%{domain}', View='%{fld1}'", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg193 = msg("python:04", part273); + + var part274 = match("MESSAGE#176:python:05", "nwparser.payload", "%{fld1}: %{fld2}.%{fld3->} [%{username}]: Populated %{zone->} %{hostname->} DnsView=%{fld4}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg194 = msg("python:05", part274); + + var msg195 = msg("python:06", dup64); + + var select62 = linear_select([ + msg189, + msg190, + msg191, + msg192, + msg193, + msg194, + msg195, + ]); + + var part275 = match("MESSAGE#178:monitor", "nwparser.payload", "Type: %{protocol}, State: %{event_state}, Event: %{event_description}.", processor_chain([ + dup11, + dup6, + dup8, + ])); + + var msg196 = msg("monitor", part275); + + var part276 = match("MESSAGE#179:snmptrapd", "nwparser.payload", "NET-SNMP version %{version->} %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg197 = msg("snmptrapd", part276); + + var part277 = match("MESSAGE#180:snmptrapd:01", "nwparser.payload", "lock in %{fld1->} sleeps more than %{duration->} milliseconds in %{fld2}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg198 = msg("snmptrapd:01", part277); + + var msg199 = msg("snmptrapd:02", dup64); + + var select63 = linear_select([ + msg197, + msg198, + msg199, + ]); + + var part278 = match("MESSAGE#182:ntpdate", "nwparser.payload", "adjust time server %{saddr->} offset %{duration->} sec", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg200 = msg("ntpdate", part278); + + 
var msg201 = msg("ntpdate:01", dup73); + + var select64 = linear_select([ + msg200, + msg201, + ]); + + var msg202 = msg("phonehome", dup64); + + var part279 = match("MESSAGE#185:purge_scheduled_tasks", "nwparser.payload", "Scheduled tasks have been purged%{}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg203 = msg("purge_scheduled_tasks", part279); + + var part280 = match("MESSAGE#186:serial_console:04", "nwparser.payload", "%{fld20->} %{fld21}.%{fld22->} [%{domain}]: Login_Denied - - to=%{terminal->} apparently_via=%{info->} ip=%{saddr->} error=%{result}", processor_chain([ + dup13, + dup2, + dup3, + dup10, + dup14, + dup6, + date_time({ + dest: "event_time", + args: ["fld20","fld21"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }), + dup8, + setc("event_description","Login Denied"), + ])); + + var msg204 = msg("serial_console:04", part280); + + var part281 = match("MESSAGE#187:serial_console:03", "nwparser.payload", "No authentication methods succeeded for user %{username}", processor_chain([ + dup13, + dup2, + dup3, + dup10, + dup14, + dup6, + dup8, + setc("event_description","No authentication methods succeeded for user"), + ])); + + var msg205 = msg("serial_console:03", part281); + + var part282 = match("MESSAGE#188:serial_console", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Allowed - - to=%{terminal->} apparently_via=%{info->} auth=%{authmethod->} group=%{group}", processor_chain([ + dup9, + dup2, + dup3, + dup10, + dup5, + dup6, + dup7, + dup8, + ])); + + var msg206 = msg("serial_console", part282); + + var part283 = match("MESSAGE#189:serial_console:01", "nwparser.payload", "RADIUS authentication succeeded for user %{username}", processor_chain([ + setc("eventcategory","1302010100"), + dup2, + dup3, + dup10, + dup5, + dup6, + dup8, + setc("event_description","RADIUS authentication succeeded for user"), + ])); + + var msg207 = msg("serial_console:01", part283); + + var part284 = 
match("MESSAGE#190:serial_console:02", "nwparser.payload", "User group = %{group}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","User group identification"), + ])); + + var msg208 = msg("serial_console:02", part284); + + var part285 = match("MESSAGE#205:serial_console:05", "nwparser.payload", "%{fld1->} [%{username}]: rebooted the system", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","system reboot"), + ])); + + var msg209 = msg("serial_console:05", part285); + + var part286 = match("MESSAGE#214:serial_console:06", "nwparser.payload", "Local authentication succeeded for user %{username}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Local authentication succeeded for user"), + ])); + + var msg210 = msg("serial_console:06", part286); + + var select65 = linear_select([ + msg204, + msg205, + msg206, + msg207, + msg208, + msg209, + msg210, + ]); + + var msg211 = msg("rc6", dup64); + + var msg212 = msg("acpid", dup64); + + var msg213 = msg("diskcheck", dup64); + + var part287 = match("MESSAGE#210:debug_mount", "nwparser.payload", "mount %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg214 = msg("debug_mount", part287); + + var msg215 = msg("smart_check_io", dup64); + + var msg216 = msg("speedstep_control", dup64); + + var part288 = match("MESSAGE#215:controld", "nwparser.payload", "Distribution Started%{}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Distribution Started"), + ])); + + var msg217 = msg("controld", part288); + + var part289 = match("MESSAGE#216:controld:02", "nwparser.payload", "Distribution Complete%{}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Distribution Complete"), + ])); + + var msg218 = msg("controld:02", part289); + + var select66 = linear_select([ + msg217, + msg218, + ]); + + var part290 = match("MESSAGE#217:shutdown", "nwparser.payload", "shutting down for system reboot%{}", 
processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","shutting down for system reboot"), + ])); + + var msg219 = msg("shutdown", part290); + + var part291 = match("MESSAGE#218:ntpd_initres", "nwparser.payload", "ntpd exiting on signal 15%{}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","ntpd exiting"), + ])); + + var msg220 = msg("ntpd_initres", part291); + + var part292 = match("MESSAGE#220:rsyncd", "nwparser.payload", "name lookup failed for %{saddr}: %{info}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg221 = msg("rsyncd", part292); + + var part293 = match("MESSAGE#221:rsyncd:01", "nwparser.payload", "connect from %{shost->} (%{saddr})", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg222 = msg("rsyncd:01", part293); + + var part294 = match("MESSAGE#222:rsyncd:02", "nwparser.payload", "rsync on %{filename->} from %{shost->} (%{saddr})", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg223 = msg("rsyncd:02", part294); + + var part295 = match("MESSAGE#223:rsyncd:03", "nwparser.payload", "sent %{sbytes->} bytes received %{rbytes->} bytes total size %{fld1}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg224 = msg("rsyncd:03", part295); + + var part296 = match("MESSAGE#224:rsyncd:04", "nwparser.payload", "building file list%{}", processor_chain([ + dup12, + dup6, + setc("event_description","building file list"), + dup8, + ])); + + var msg225 = msg("rsyncd:04", part296); + + var select67 = linear_select([ + msg221, + msg222, + msg223, + msg224, + msg225, + ]); + + var msg226 = msg("syslog", dup76); + + var msg227 = msg("restarting", dup76); + + var part297 = match("MESSAGE#227:ipmievd", "nwparser.payload", "%{fld1}", processor_chain([ + dup12, + dup6, + dup8, + dup61, + ])); + + var msg228 = msg("ipmievd", part297); + + var part298 = match("MESSAGE#228:netauto_discovery", "nwparser.payload", "%{agent}: Processing path%{fld1}, vnid [%{fld2}]", processor_chain([ + dup58, 
+ dup6, + dup8, + dup60, + ])); + + var msg229 = msg("netauto_discovery", part298); + + var part299 = match("MESSAGE#229:netauto_discovery:01", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}:%{product}ver%{version->} device does not answer to lldpRem OID requests, skipping LLDP Neighbors poll", processor_chain([ + dup58, + dup6, + dup8, + dup60, + setc("event_description","device does not answer to lldpRem OID requests, skipping LLDP Neighbors poll"), + ])); + + var msg230 = msg("netauto_discovery:01", part299); + + var part300 = match("MESSAGE#230:netauto_discovery:02", "nwparser.payload", "%{agent}:%{space}Static address already set with IP:%{hostip}, Processing%{fld1}", processor_chain([ + dup58, + dup6, + dup8, + dup60, + ])); + + var msg231 = msg("netauto_discovery:02", part300); + + var part301 = match("MESSAGE#231:netauto_discovery:03", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}: SNMP Credentials: Failed to authenticate", processor_chain([ + dup62, + dup6, + dup8, + dup60, + dup14, + ])); + + var msg232 = msg("netauto_discovery:03", part301); + + var select68 = linear_select([ + msg229, + msg230, + msg231, + msg232, + ]); + + var part302 = match("MESSAGE#232:netauto_core:01", "nwparser.payload", "%{agent}: Attempting CLI on device%{device}with interface not in table, ip%{hostip}", processor_chain([ + dup58, + dup6, + dup8, + dup60, + ])); + + var msg233 = msg("netauto_core:01", part302); + + var part303 = match("MESSAGE#233:netauto_core", "nwparser.payload", "netautoctl:%{event_description}", processor_chain([ + dup58, + dup6, + dup8, + dup60, + ])); + + var msg234 = msg("netauto_core", part303); + + var select69 = linear_select([ + msg233, + msg234, + ]); + + var part304 = match("MESSAGE#234:captured_dns_uploader", "nwparser.payload", "%{event_description}", processor_chain([ + dup48, + dup6, + dup8, + dup60, + dup14, + ])); + + var msg235 = msg("captured_dns_uploader", part304); + + var part305 = 
match("MESSAGE#235:DIS", "nwparser.payload", "%{fld1}:%{fld2}: Device%{device}/%{hostip}login failure%{result}", processor_chain([ + dup62, + dup6, + dup8, + dup60, + dup10, + dup14, + ])); + + var msg236 = msg("DIS", part305); + + var part306 = match("MESSAGE#236:DIS:01", "nwparser.payload", "%{fld2}: %{fld3}: Attempting discover-now for %{hostip->} on %{fld4}, using session ID", processor_chain([ + dup58, + dup6, + dup8, + dup60, + ])); + + var msg237 = msg("DIS:01", part306); + + var select70 = linear_select([ + msg236, + msg237, + ]); + + var part307 = match("MESSAGE#237:ErrorMsg", "nwparser.payload", "%{result}", processor_chain([ + dup63, + dup6, + dup8, + dup60, + ])); + + var msg238 = msg("ErrorMsg", part307); + + var part308 = match("MESSAGE#238:tacacs_acct", "nwparser.payload", "%{fld1}: Server %{daddr->} port %{dport}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + dup60, + ])); + + var msg239 = msg("tacacs_acct", part308); + + var part309 = match("MESSAGE#239:tacacs_acct:01", "nwparser.payload", "%{fld1}: Accounting request failed. 
%{fld2}Server is %{daddr}, port is %{dport}.", processor_chain([ + dup63, + dup6, + dup8, + dup60, + setc("event_description","Accounting request failed."), + ])); + + var msg240 = msg("tacacs_acct:01", part309); + + var part310 = match("MESSAGE#240:tacacs_acct:02", "nwparser.payload", "%{fld1}: Read %{fld2->} bytes from server %{daddr->} port %{dport}, expecting %{fld3}", processor_chain([ + dup12, + dup6, + dup8, + dup60, + ])); + + var msg241 = msg("tacacs_acct:02", part310); + + var select71 = linear_select([ + msg239, + msg240, + msg241, + ]); + + var part311 = match("MESSAGE#241:dhcpdv6", "nwparser.payload", "Relay-forward message from %{saddr_v6->} port %{sport}, link address %{fld1}, peer address %{daddr_v6}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Relay-forward message"), + ])); + + var msg242 = msg("dhcpdv6", part311); + + var part312 = match("MESSAGE#242:dhcpdv6:01", "nwparser.payload", "Encapsulated Solicit message from %{saddr_v6->} port %{sport->} from client DUID %{fld1}, transaction ID %{id}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulated Solicit message"), + ])); + + var msg243 = msg("dhcpdv6:01", part312); + + var part313 = match("MESSAGE#243:dhcpdv6:02", "nwparser.payload", "Client %{fld1}, IP '%{fld2}': No addresses available for this interface", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","IP unknown - No addresses available for this interface"), + ])); + + var msg244 = msg("dhcpdv6:02", part313); + + var part314 = match("MESSAGE#244:dhcpdv6:03", "nwparser.payload", "Encapsulating Advertise message to send to %{saddr_v6->} port %{sport}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulating Advertise message"), + ])); + + var msg245 = msg("dhcpdv6:03", part314); + + var part315 = match("MESSAGE#245:dhcpdv6:04", "nwparser.payload", "Sending Relay-reply message to %{saddr_v6->} port 
%{sport}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Sending Relay-reply message"), + ])); + + var msg246 = msg("dhcpdv6:04", part315); + + var part316 = match("MESSAGE#246:dhcpdv6:05", "nwparser.payload", "Encapsulated Information-request message from %{saddr_v6->} port %{sport}, transaction ID %{id}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulated Information-request message"), + ])); + + var msg247 = msg("dhcpdv6:05", part316); + + var part317 = match("MESSAGE#247:dhcpdv6:06", "nwparser.payload", "Encapsulating Reply message to send to %{saddr_v6->} port %{sport}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulating Reply message"), + ])); + + var msg248 = msg("dhcpdv6:06", part317); + + var part318 = match("MESSAGE#248:dhcpdv6:07", "nwparser.payload", "Encapsulated Renew message from %{saddr_v6->} port %{sport->} from client DUID %{fld1}, transaction ID %{id}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulated Renew message"), + ])); + + var msg249 = msg("dhcpdv6:07", part318); + + var part319 = match("MESSAGE#249:dhcpdv6:08", "nwparser.payload", "Reply NA: address %{saddr_v6->} to client with duid %{fld1->} iaid = %{fld2->} static", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg250 = msg("dhcpdv6:08", part319); + + var msg251 = msg("dhcpdv6:09", dup68); + + var select72 = linear_select([ + msg242, + msg243, + msg244, + msg245, + msg246, + msg247, + msg248, + msg249, + msg250, + msg251, + ]); + + var msg252 = msg("debug", dup68); + + var part320 = match("MESSAGE#252:cloud_api", "nwparser.payload", "proxying request to %{hostname}(%{hostip}) %{web_method->} %{url->} %{protocol->} %{info}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","proxying request"), + ])); + + var msg253 = msg("cloud_api", part320); + + var chain1 = processor_chain([ 
+ select3, + msgid_select({ + "DIS": select70, + "ErrorMsg": msg238, + "INFOBLOX-Grid": select56, + "acpid": msg212, + "captured_dns_uploader": msg235, + "cloud_api": msg253, + "controld": select66, + "db_jnld": select58, + "debug": msg252, + "debug_mount": msg214, + "dhcpd": select14, + "dhcpdv6": select72, + "diskcheck": msg213, + "httpd": select4, + "in.tftpd": select5, + "init": msg147, + "ipmievd": msg228, + "kernel": select47, + "logger": select50, + "monitor": msg196, + "named": select44, + "netauto_core": select69, + "netauto_discovery": select68, + "ntpd": select15, + "ntpd_initres": msg220, + "ntpdate": select64, + "openvpn-master": select54, + "openvpn-member": select51, + "phonehome": msg202, + "pidof": select45, + "purge_scheduled_tasks": msg203, + "python": select62, + "radiusd": msg137, + "rc": msg138, + "rc3": msg139, + "rc6": msg211, + "rcsysinit": select48, + "restarting": msg227, + "rsyncd": select67, + "sSMTP": select60, + "scheduled_backups": msg185, + "scheduled_ftp_backups": select61, + "scheduled_scp_backups": msg188, + "serial_console": select65, + "shutdown": msg219, + "smart_check_io": msg215, + "snmptrapd": select63, + "speedstep_control": msg216, + "sshd": select53, + "syslog": msg226, + "syslog-ng": msg134, + "tacacs_acct": select71, + "validate_dhcpd": select46, + "watchdog": select49, + }), + ]); + + var part321 = match("MESSAGE#19:dhcpd:18/0", "nwparser.payload", "%{} %{p0}"); + + var part322 = match("MESSAGE#19:dhcpd:18/1_0", "nwparser.p0", "Added %{p0}"); + + var part323 = match("MESSAGE#19:dhcpd:18/1_1", "nwparser.p0", "added %{p0}"); + + var part324 = match("MESSAGE#25:dhcpd:03/1_0", "nwparser.p0", "%{dmacaddr->} (%{dhost}) via %{p0}"); + + var part325 = match("MESSAGE#25:dhcpd:03/1_1", "nwparser.p0", "%{dmacaddr->} via %{p0}"); + + var part326 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} from %{p0}"); + + var part327 = match("MESSAGE#28:dhcpd:09/1_0", "nwparser.p0", "%{smacaddr->} (%{shost}) 
via %{p0}"); + + var part328 = match("MESSAGE#28:dhcpd:09/1_1", "nwparser.p0", "%{smacaddr->} via %{p0}"); + + var part329 = match("MESSAGE#31:dhcpd:11/2", "nwparser.p0", "%{} %{interface}"); + + var part330 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{} %{interface->} relay %{fld1->} lease-duration %{duration}"); + + var part331 = match("MESSAGE#53:named:16/1_0", "nwparser.p0", "approved %{}"); + + var part332 = match("MESSAGE#53:named:16/1_1", "nwparser.p0", " denied%{}"); + + var part333 = match("MESSAGE#56:named:01/0", "nwparser.payload", "client %{saddr}#%{p0}"); + + var part334 = match("MESSAGE#57:named:17/1_0", "nwparser.p0", "IN%{p0}"); + + var part335 = match("MESSAGE#57:named:17/1_1", "nwparser.p0", "CH%{p0}"); + + var part336 = match("MESSAGE#57:named:17/1_2", "nwparser.p0", "HS%{p0}"); + + var part337 = match("MESSAGE#57:named:17/3_1", "nwparser.p0", "%{action->} at '%{p0}"); + + var part338 = match("MESSAGE#57:named:17/4_0", "nwparser.p0", "%{hostip}.in-addr.arpa' %{p0}"); + + var part339 = match("MESSAGE#57:named:17/5_0", "nwparser.p0", "%{dns_querytype->} \"%{fld3}\""); + + var part340 = match("MESSAGE#57:named:17/5_1", "nwparser.p0", "%{dns_querytype->} %{hostip}"); + + var part341 = match("MESSAGE#57:named:17/5_2", "nwparser.p0", "%{dns_querytype}"); + + var part342 = match("MESSAGE#60:named:19/2", "nwparser.p0", "%{event_description}"); + + var part343 = match("MESSAGE#67:named:63/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: client %{p0}"); + + var part344 = match("MESSAGE#67:named:63/1_0", "nwparser.p0", "%{fld9->} %{saddr}#%{p0}"); + + var part345 = match("MESSAGE#67:named:63/1_1", "nwparser.p0", " %{saddr}#%{p0}"); + + var part346 = match("MESSAGE#74:named:10/1_3", "nwparser.p0", "%{sport}:%{p0}"); + + var part347 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{p0}"); + + var part348 = match("MESSAGE#7:httpd:06", "nwparser.payload", "%{event_description}", processor_chain([ + 
dup12, + dup6, + dup8, + ])); + + var select73 = linear_select([ + dup17, + dup18, + ]); + + var select74 = linear_select([ + dup20, + dup21, + ]); + + var select75 = linear_select([ + dup25, + dup26, + ]); + + var part349 = match("MESSAGE#204:dhcpd:37", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var select76 = linear_select([ + dup33, + dup34, + ]); + + var select77 = linear_select([ + dup37, + dup38, + dup39, + ]); + + var select78 = linear_select([ + dup42, + dup43, + dup44, + ]); + + var select79 = linear_select([ + dup51, + dup52, + ]); + + var part350 = match("MESSAGE#118:validate_dhcpd", "nwparser.payload", "%{event_description}", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var part351 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action->} : %{event_description->} (code=%{resultcode})", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var part352 = match("MESSAGE#137:openvpn-member:04", "nwparser.payload", "%{severity}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var part353 = match("MESSAGE#225:syslog", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, + dup61, + ])); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/infoblox/0.1.0/dataset/nios/agent/stream/udp.yml.hbs b/packages/infoblox/0.1.0/dataset/nios/agent/stream/udp.yml.hbs new file mode 100644 index 0000000000..c910c2ef44 --- /dev/null +++ b/packages/infoblox/0.1.0/dataset/nios/agent/stream/udp.yml.hbs 
@@ -0,0 +1,6064 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Infoblox" + product: "Network" + type: "IPAM" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} (%{dhost}) via %{p0}"); + + var dup21 = match("MESSAGE#25:dhcpd:03/1_1", "nwparser.p0", "%{dmacaddr->} via %{p0}"); + + var dup22 = setc("action","DHCPRELEASE"); + + var dup23 = setc("action","DHCPDISCOVER"); + + var dup24 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} from %{p0}"); + + var dup25 = match("MESSAGE#28:dhcpd:09/1_0", "nwparser.p0", "%{smacaddr->} (%{shost}) via %{p0}"); + + var dup26 = match("MESSAGE#28:dhcpd:09/1_1", "nwparser.p0", "%{smacaddr->} via %{p0}"); + + var dup27 = setc("action","DHCPREQUEST"); + + var dup28 = match("MESSAGE#31:dhcpd:11/2", "nwparser.p0", "%{} %{interface}"); + + var dup29 = setc("event_description","unknown network segment"); + + var dup30 = date_time({ + dest: "event_time", + args: ["month","day","time"], + fmts: [ + [dB,dF,dZ], + ], + }); + + var dup31 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{} %{interface->} relay %{fld1->} lease-duration %{duration}"); + + var dup32 = setc("action","DHCPACK"); + + var dup33 = match("MESSAGE#53:named:16/1_0", "nwparser.p0", "approved %{}"); + + var dup34 = match("MESSAGE#53:named:16/1_1", "nwparser.p0", " denied%{}"); + + var dup35 = setf("domain","zone"); + + var dup36 = match("MESSAGE#56:named:01/0", "nwparser.payload", "client %{saddr}#%{p0}"); + + var dup37 = match("MESSAGE#57:named:17/1_0", "nwparser.p0", "IN%{p0}"); + + var dup38 = match("MESSAGE#57:named:17/1_1", "nwparser.p0", "CH%{p0}"); + + var dup39 = match("MESSAGE#57:named:17/1_2", "nwparser.p0", "HS%{p0}"); + + var dup40 = match("MESSAGE#57:named:17/3_1", "nwparser.p0", "%{action->} at '%{p0}"); + + var dup41 = match("MESSAGE#57:named:17/4_0", "nwparser.p0", "%{hostip}.in-addr.arpa' %{p0}"); + + var dup42 = match("MESSAGE#57:named:17/5_0", "nwparser.p0", "%{dns_querytype->} \"%{fld3}\""); + + var dup43 = match("MESSAGE#57:named:17/5_1", "nwparser.p0", "%{dns_querytype->} 
%{hostip}"); + + var dup44 = match("MESSAGE#57:named:17/5_2", "nwparser.p0", "%{dns_querytype}"); + + var dup45 = setc("event_description","updating zone"); + + var dup46 = match("MESSAGE#60:named:19/2", "nwparser.p0", "%{event_description}"); + + var dup47 = setf("domain","hostname"); + + var dup48 = setc("eventcategory","1801010000"); + + var dup49 = setc("ec_activity","Request"); + + var dup50 = match("MESSAGE#67:named:63/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: client %{p0}"); + + var dup51 = match("MESSAGE#67:named:63/1_0", "nwparser.p0", "%{fld9->} %{saddr}#%{p0}"); + + var dup52 = match("MESSAGE#67:named:63/1_1", "nwparser.p0", " %{saddr}#%{p0}"); + + var dup53 = match("MESSAGE#74:named:10/1_3", "nwparser.p0", "%{sport}:%{p0}"); + + var dup54 = setc("action","Refused"); + + var dup55 = setf("dns_querytype","event_description"); + + var dup56 = setc("eventcategory","1901000000"); + + var dup57 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{p0}"); + + var dup58 = setc("eventcategory","1801000000"); + + var dup59 = setf("zone","domain"); + + var dup60 = date_time({ + dest: "event_time", + args: ["month","day","time"], + fmts: [ + [dB,dD,dZ], + ], + }); + + var dup61 = setf("info","hdata"); + + var dup62 = setc("eventcategory","1301000000"); + + var dup63 = setc("eventcategory","1303000000"); + + var dup64 = match("MESSAGE#7:httpd:06", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var dup65 = linear_select([ + dup17, + dup18, + ]); + + var dup66 = linear_select([ + dup20, + dup21, + ]); + + var dup67 = linear_select([ + dup25, + dup26, + ]); + + var dup68 = match("MESSAGE#204:dhcpd:37", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var dup69 = linear_select([ + dup33, + dup34, + ]); + + var dup70 = linear_select([ + dup37, + dup38, + dup39, + ]); + + var dup71 = linear_select([ + dup42, + 
dup43, + dup44, + ]); + + var dup72 = linear_select([ + dup51, + dup52, + ]); + + var dup73 = match("MESSAGE#118:validate_dhcpd", "nwparser.payload", "%{event_description}", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var dup74 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action->} : %{event_description->} (code=%{resultcode})", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var dup75 = match("MESSAGE#137:openvpn-member:04", "nwparser.payload", "%{severity}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var dup76 = match("MESSAGE#225:syslog", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, + dup61, + ])); + + var hdr1 = match("HEADER#0:006/0", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{p0}"); + + var part1 = match("HEADER#0:006/1_0", "nwparser.p0", "%{hhostip->} %{messageid}[%{data}]: %{p0}"); + + var part2 = match("HEADER#0:006/1_1", "nwparser.p0", "%{hhostip->} %{messageid}: %{p0}"); + + var select1 = linear_select([ + part1, + part2, + ]); + + var part3 = match("HEADER#0:006/2", "nwparser.p0", "%{payload}"); + + var all1 = all_match({ + processors: [ + hdr1, + select1, + part3, + ], + on_success: processor_chain([ + setc("header_id","006"), + ]), + }); + + var hdr2 = match("HEADER#1:001", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{messageid}[%{data}]: %{payload}", processor_chain([ + setc("header_id","001"), + ])); + + var hdr3 = match("HEADER#2:005", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{hdata}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","005"), + ])); + + var hdr4 = match("HEADER#3:002/0", "message", "%{month->} %{day->} %{time->} %{p0}"); + + var part4 = match("HEADER#3:002/1_0", "nwparser.p0", "%{hhostname->} -%{messageid}:%{p0}"); + + var part5 = match("HEADER#3:002/1_1", "nwparser.p0", "%{hhostname->} %{messageid}:%{p0}"); + + var select2 = linear_select([ + part4, + part5, + 
]); + + var part6 = match("HEADER#3:002/2", "nwparser.p0", "%{} %{payload}"); + + var all2 = all_match({ + processors: [ + hdr4, + select2, + part6, + ], + on_success: processor_chain([ + setc("header_id","002"), + ]), + }); + + var hdr5 = match("HEADER#4:0003", "message", "%{messageid}[%{data}]: %{payload}", processor_chain([ + setc("header_id","0003"), + ])); + + var hdr6 = match("HEADER#5:0004", "message", "%{messageid}: %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var hdr7 = match("HEADER#6:0005", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{fld1->} |%{messageid->} |%{payload}", processor_chain([ + setc("header_id","0005"), + ])); + + var select3 = linear_select([ + all1, + hdr2, + hdr3, + all2, + hdr5, + hdr6, + hdr7, + ]); + + var part7 = match("MESSAGE#0:httpd", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Logout - - ip=%{saddr->} group=%{group->} trigger_event=%{event_description}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + ])); + + var msg1 = msg("httpd", part7); + + var part8 = match("MESSAGE#1:httpd:01", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Allowed - - to=%{fld4->} ip=%{saddr->} auth=%{authmethod->} group=%{group->} apparently_via=%{info}", processor_chain([ + dup9, + dup2, + dup3, + dup10, + dup5, + dup6, + dup7, + dup8, + ])); + + var msg2 = msg("httpd:01", part8); + + var part9 = match("MESSAGE#2:httpd:02", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Called - %{action->} message=%{info}", processor_chain([ + dup11, + dup6, + dup7, + dup8, + ])); + + var msg3 = msg("httpd:02", part9); + + var part10 = match("MESSAGE#3:httpd:03", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Created HostAddress %{hostip}: Set address=\"%{saddr}\",configure_for_dhcp=%{fld10},match_option=\"%{info}\",parent=%{context}", processor_chain([ + dup11, + dup6, + dup7, + dup8, + ])); + + var msg4 = 
msg("httpd:03", part10); + + var part11 = match("MESSAGE#4:httpd:04", "nwparser.payload", "%{shost}: %{fld1->} authentication for user %{username->} failed", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg5 = msg("httpd:04", part11); + + var part12 = match("MESSAGE#5:httpd:05", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Called - %{event_description}", processor_chain([ + dup12, + dup6, + dup7, + dup8, + ])); + + var msg6 = msg("httpd:05", part12); + + var part13 = match("MESSAGE#6:httpd:07", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Denied - - to=%{terminal->} ip=%{saddr->} info=%{info}", processor_chain([ + dup13, + dup2, + dup3, + dup10, + dup14, + dup6, + dup7, + dup8, + ])); + + var msg7 = msg("httpd:07", part13); + + var msg8 = msg("httpd:06", dup64); + + var select4 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + ]); + + var part14 = match("MESSAGE#8:in.tftpd:01", "nwparser.payload", "RRQ from %{saddr->} filename %(unknown)", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","RRQ from remote host"), + ])); + + var msg9 = msg("in.tftpd:01", part14); + + var part15 = match("MESSAGE#9:in.tftpd:02", "nwparser.payload", "sending NAK (%{resultcode}, %{result}) to %{daddr}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","sending NAK to remote host"), + ])); + + var msg10 = msg("in.tftpd:02", part15); + + var part16 = match("MESSAGE#10:in.tftpd", "nwparser.payload", "connection refused from %{saddr}", processor_chain([ + setc("eventcategory","1801030000"), + dup6, + dup8, + ])); + + var msg11 = msg("in.tftpd", part16); + + var select5 = linear_select([ + msg9, + msg10, + msg11, + ]); + + var part17 = match("MESSAGE#11:dhcpd:12/0", "nwparser.payload", "%{event_type}: received a REQUEST DHCP packet from relay-agent %{interface->} with a circuit-id of \"%{id}\" and remote-id of \"%{smacaddr}\" for %{hostip->} (%{dmacaddr}) lease 
time is %{p0}"); + + var part18 = match("MESSAGE#11:dhcpd:12/1_0", "nwparser.p0", "undefined %{p0}"); + + var part19 = match("MESSAGE#11:dhcpd:12/1_1", "nwparser.p0", "%{duration->} %{p0}"); + + var select6 = linear_select([ + part18, + part19, + ]); + + var part20 = match("MESSAGE#11:dhcpd:12/2", "nwparser.p0", "%{}seconds"); + + var all3 = all_match({ + processors: [ + part17, + select6, + part20, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","received a REQUEST DHCP packet from relay-agent"), + ]), + }); + + var msg12 = msg("dhcpd:12", all3); + + var part21 = match("MESSAGE#12:dhcpd:21", "nwparser.payload", "bind update on %{hostip->} from %{hostname}(%{fld1}) rejected: %{result}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","bind update rejected"), + ])); + + var msg13 = msg("dhcpd:21", part21); + + var part22 = match("MESSAGE#13:dhcpd:10", "nwparser.payload", "Unable to add forward map from %{shost->} %{fld1}to %{daddr}: %{result}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Unable to add forward map"), + ])); + + var msg14 = msg("dhcpd:10", part22); + + var part23 = match("MESSAGE#14:dhcpd:13", "nwparser.payload", "Average %{fld1->} dynamic DNS update latency: %{result->} micro seconds", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Average dynamic DNS update latency"), + ])); + + var msg15 = msg("dhcpd:13", part23); + + var part24 = match("MESSAGE#15:dhcpd:15", "nwparser.payload", "Dynamic DNS update timeout count in last %{info->} minutes: %{result}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Dynamic DNS update timeout count"), + ])); + + var msg16 = msg("dhcpd:15", part24); + + var part25 = match("MESSAGE#16:dhcpd:22", "nwparser.payload", "Removed forward map from %{shost->} %{fld1}to %{daddr}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Removed forward map"), + ])); + + var msg17 
= msg("dhcpd:22", part25); + + var part26 = match("MESSAGE#17:dhcpd:25", "nwparser.payload", "Removed reverse map on %{hostname}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Removed reverse map"), + ])); + + var msg18 = msg("dhcpd:25", part26); + + var part27 = match("MESSAGE#18:dhcpd:06", "nwparser.payload", "received shutdown -/-/ %{result}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","received shutdown"), + ])); + + var msg19 = msg("dhcpd:06", part27); + + var part28 = match("MESSAGE#19:dhcpd:18/2", "nwparser.p0", "%{}new forward map from %{hostname->} %{space->} %{daddr}"); + + var all4 = all_match({ + processors: [ + dup16, + dup65, + part28, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Added new forward map"), + ]), + }); + + var msg20 = msg("dhcpd:18", all4); + + var part29 = match("MESSAGE#20:dhcpd:19/2", "nwparser.p0", "%{}reverse map from %{hostname->} %{space->} %{daddr}"); + + var all5 = all_match({ + processors: [ + dup16, + dup65, + part29, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","added reverse map"), + ]), + }); + + var msg21 = msg("dhcpd:19", all5); + + var part30 = match("MESSAGE#21:dhcpd", "nwparser.payload", "Abandoning IP address %{hostip}: declined", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Abandoning IP declined"), + ])); + + var msg22 = msg("dhcpd", part30); + + var part31 = match("MESSAGE#22:dhcpd:30", "nwparser.payload", "Abandoning IP address %{hostip}: pinged before offer", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Abandoning IP pinged before offer"), + ])); + + var msg23 = msg("dhcpd:30", part31); + + var part32 = match("MESSAGE#23:dhcpd:01", "nwparser.payload", "DHCPDECLINE of %{saddr->} from %{smacaddr->} (%{shost}) via %{interface}: %{info}", processor_chain([ + dup15, + dup6, + dup8, + dup19, + ])); + + var msg24 = 
msg("dhcpd:01", part32); + + var part33 = match("MESSAGE#24:dhcpd:02", "nwparser.payload", "DHCPDECLINE of %{saddr->} from %{smacaddr->} via %{interface}: %{info}", processor_chain([ + dup15, + dup6, + dup8, + dup19, + ])); + + var msg25 = msg("dhcpd:02", part33); + + var part34 = match("MESSAGE#25:dhcpd:03/0", "nwparser.payload", "DHCPRELEASE of %{saddr->} from %{p0}"); + + var part35 = match("MESSAGE#25:dhcpd:03/2", "nwparser.p0", "%{} %{interface->} (%{info})"); + + var all6 = all_match({ + processors: [ + part34, + dup66, + part35, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup22, + ]), + }); + + var msg26 = msg("dhcpd:03", all6); + + var part36 = match("MESSAGE#26:dhcpd:04", "nwparser.payload", "DHCPDISCOVER from %{smacaddr->} via %{interface}: network %{mask}: %{info}", processor_chain([ + dup12, + dup6, + dup8, + dup23, + ])); + + var msg27 = msg("dhcpd:04", part36); + + var part37 = match("MESSAGE#27:dhcpd:07/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} %{p0}"); + + var part38 = match("MESSAGE#27:dhcpd:07/1_0", "nwparser.p0", "(%{shost}) from %{p0}"); + + var part39 = match("MESSAGE#27:dhcpd:07/1_1", "nwparser.p0", "from %{p0}"); + + var select7 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#27:dhcpd:07/2", "nwparser.p0", "%{} %{smacaddr->} (%{hostname}) via %{interface}: ignored (%{result})"); + + var all7 = all_match({ + processors: [ + part37, + select7, + part40, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + setc("action","DHCPREQUEST ignored"), + ]), + }); + + var msg28 = msg("dhcpd:07", all7); + + var part41 = match("MESSAGE#28:dhcpd:09/2", "nwparser.p0", "%{} %{interface}: wrong network"); + + var all8 = all_match({ + processors: [ + dup24, + dup67, + part41, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup27, + setc("result","wrong network"), + ]), + }); + + var msg29 = msg("dhcpd:09", all8); + + var part42 = match("MESSAGE#29:dhcpd:26/2", "nwparser.p0", 
"%{} %{interface}: lease %{hostip->} unavailable"); + + var all9 = all_match({ + processors: [ + dup24, + dup67, + part42, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + dup27, + setc("result","lease unavailable"), + ]), + }); + + var msg30 = msg("dhcpd:26", all9); + + var part43 = match("MESSAGE#30:dhcpd:08", "nwparser.payload", "DHCPREQUEST for %{saddr->} (%{shost}) from %{smacaddr->} (%{hostname}) via %{interface}", processor_chain([ + dup12, + dup6, + dup8, + dup27, + ])); + + var msg31 = msg("dhcpd:08", part43); + + var all10 = all_match({ + processors: [ + dup24, + dup67, + dup28, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup27, + ]), + }); + + var msg32 = msg("dhcpd:11", all10); + + var part44 = match("MESSAGE#32:dhcpd:31", "nwparser.payload", "DHCPRELEASE from %{smacaddr->} via %{saddr}: unknown network segment", processor_chain([ + dup12, + dup6, + dup8, + dup22, + dup29, + ])); + + var msg33 = msg("dhcpd:31", part44); + + var part45 = match("MESSAGE#33:dhcpd:32", "nwparser.payload", "BOOTREQUEST from %{smacaddr->} via %{saddr}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + setc("action","BOOTREQUEST"), + dup30, + ])); + + var msg34 = msg("dhcpd:32", part45); + + var part46 = match("MESSAGE#34:dhcpd:33", "nwparser.payload", "Reclaiming abandoned lease %{saddr}.", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Reclaiming abandoned lease"), + ])); + + var msg35 = msg("dhcpd:33", part46); + + var part47 = match("MESSAGE#35:dhcpd:34/0", "nwparser.payload", "balanc%{p0}"); + + var part48 = match("MESSAGE#35:dhcpd:34/1_0", "nwparser.p0", "ed%{p0}"); + + var part49 = match("MESSAGE#35:dhcpd:34/1_1", "nwparser.p0", "ing%{p0}"); + + var select8 = linear_select([ + part48, + part49, + ]); + + var part50 = match("MESSAGE#35:dhcpd:34/2", "nwparser.p0", "%{}pool %{fld1->} %{saddr}/%{sport->} total %{fld2->} free %{fld3->} backup %{fld4->} lts %{fld5->} max-%{fld6->} %{p0}"); + + var 
part51 = match("MESSAGE#35:dhcpd:34/3_0", "nwparser.p0", "(+/-)%{fld7}(%{info})"); + + var part52 = match("MESSAGE#35:dhcpd:34/3_1", "nwparser.p0", "(+/-)%{fld7}"); + + var part53 = match("MESSAGE#35:dhcpd:34/3_2", "nwparser.p0", "%{fld7}"); + + var select9 = linear_select([ + part51, + part52, + part53, + ]); + + var all11 = all_match({ + processors: [ + part47, + select8, + part50, + select9, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), + }); + + var msg36 = msg("dhcpd:34", all11); + + var part54 = match("MESSAGE#36:dhcpd:35", "nwparser.payload", "Unable to add reverse map from %{shost->} to %{dhost}: REFUSED", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description"," Unable to add reverse map"), + ])); + + var msg37 = msg("dhcpd:35", part54); + + var part55 = match("MESSAGE#37:dhcpd:36", "nwparser.payload", "Forward map from %{shost->} %{fld2}to %{daddr->} FAILED: %{fld1}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description"," Forward map failed"), + ])); + + var msg38 = msg("dhcpd:36", part55); + + var part56 = match("MESSAGE#38:dhcpd:14/0", "nwparser.payload", "DHCPACK on %{saddr->} to %{p0}"); + + var all12 = all_match({ + processors: [ + part56, + dup66, + dup31, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup32, + ]), + }); + + var msg39 = msg("dhcpd:14", all12); + + var part57 = match("MESSAGE#39:dhcpd:24/0", "nwparser.payload", "DHCPOFFER on %{saddr->} to %{p0}"); + + var part58 = match("MESSAGE#39:dhcpd:24/1_0", "nwparser.p0", "\"%{dmacaddr}\" (%{dhost}) via %{p0}"); + + var select10 = linear_select([ + part58, + dup20, + dup21, + ]); + + var all13 = all_match({ + processors: [ + part57, + select10, + dup31, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + setc("action","DHCPOFFER"), + ]), + }); + + var msg40 = msg("dhcpd:24", all13); + + var part59 = match("MESSAGE#40:dhcpd:17", "nwparser.payload", "DHCPNAK on %{saddr->} to %{dmacaddr->} via %{interface}", 
processor_chain([ + dup12, + dup6, + dup8, + setc("action","DHCPNAK"), + ])); + + var msg41 = msg("dhcpd:17", part59); + + var part60 = match("MESSAGE#41:dhcpd:05/0", "nwparser.payload", "DHCPDISCOVER from %{p0}"); + + var all14 = all_match({ + processors: [ + part60, + dup67, + dup28, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup23, + ]), + }); + + var msg42 = msg("dhcpd:05", all14); + + var part61 = match("MESSAGE#42:dhcpd:16", "nwparser.payload", "DHCPACK to %{daddr->} (%{dmacaddr}) via %{interface}", processor_chain([ + dup12, + dup6, + dup8, + dup32, + ])); + + var msg43 = msg("dhcpd:16", part61); + + var part62 = match("MESSAGE#43:dhcpd:20", "nwparser.payload", "DHCPINFORM from %{saddr->} via %{interface}", processor_chain([ + dup12, + dup6, + dup8, + setc("action","DHCPINFORM"), + ])); + + var msg44 = msg("dhcpd:20", part62); + + var part63 = match("MESSAGE#44:dhcpd:23", "nwparser.payload", "DHCPEXPIRE on %{saddr->} to %{dmacaddr}", processor_chain([ + dup12, + dup6, + dup8, + setc("action","DHCPEXPIRE"), + ])); + + var msg45 = msg("dhcpd:23", part63); + + var part64 = match("MESSAGE#45:dhcpd:28", "nwparser.payload", "uid lease %{hostip->} for client %{smacaddr->} is duplicate on %{mask}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg46 = msg("dhcpd:28", part64); + + var part65 = match("MESSAGE#46:dhcpd:29", "nwparser.payload", "Attempt to add forward map \"%{shost}\" (and reverse map \"%{dhost}\") for %{saddr->} abandoned because of non-retryable failure: %{result}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg47 = msg("dhcpd:29", part65); + + var part66 = match("MESSAGE#191:dhcpd:39", "nwparser.payload", "NOT FREE/BACKUP lease%{hostip}End Time%{fld1->} Bind-State %{change_old->} Next-Bind-State %{change_new}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg48 = msg("dhcpd:39", part66); + + var part67 = match("MESSAGE#192:dhcpd:41", "nwparser.payload", "RELEASE 
on%{saddr}to%{dmacaddr}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg49 = msg("dhcpd:41", part67); + + var part68 = match("MESSAGE#193:dhcpd:42", "nwparser.payload", "r-l-e:%{hostip},%{result},%{fld1},%{macaddr},%{fld3},%{fld4},%{fld5},%{info}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg50 = msg("dhcpd:42", part68); + + var part69 = match("MESSAGE#194:dhcpd:43", "nwparser.payload", "failover peer%{fld1}:%{dclass_counter1}leases added to send queue from pool%{fld3->} %{hostip}/%{network_port}", processor_chain([ + dup12, + dup6, + dup8, + setc("dclass_counter1_string","count of leases"), + dup30, + ])); + + var msg51 = msg("dhcpd:43", part69); + + var part70 = match("MESSAGE#195:dhcpd:44", "nwparser.payload", "DHCPDECLINE from%{macaddr}via%{hostip}: unknown network segment", processor_chain([ + dup12, + dup6, + dup8, + dup30, + dup29, + ])); + + var msg52 = msg("dhcpd:44", part70); + + var part71 = match("MESSAGE#196:dhcpd:45", "nwparser.payload", "Reverse map update for%{hostip}abandoned because of non-retryable failure:%{disposition}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg53 = msg("dhcpd:45", part71); + + var part72 = match("MESSAGE#197:dhcpd:46", "nwparser.payload", "Reclaiming REQUESTed abandoned IP address%{saddr}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Reclaiming REQUESTed abandoned IP address"), + ])); + + var msg54 = msg("dhcpd:46", part72); + + var part73 = match("MESSAGE#198:dhcpd:47/0", "nwparser.payload", "%{hostip}: removing client association (%{action})%{p0}"); + + var part74 = match("MESSAGE#198:dhcpd:47/1_0", "nwparser.p0", "uid=%{fld1}hw=%{macaddr}"); + + var part75 = match("MESSAGE#198:dhcpd:47/1_1", "nwparser.p0", "hw=%{macaddr}"); + + var select11 = linear_select([ + part74, + part75, + ]); + + var all15 = all_match({ + processors: [ + part73, + select11, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + 
dup30, + ]), + }); + + var msg55 = msg("dhcpd:47", all15); + + var part76 = match("MESSAGE#199:dhcpd:48", "nwparser.payload", "Lease conflict at %{hostip}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg56 = msg("dhcpd:48", part76); + + var part77 = match("MESSAGE#200:dhcpd:49", "nwparser.payload", "ICMP Echo reply while lease %{hostip->} valid.", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("protocol","ICMP"), + ])); + + var msg57 = msg("dhcpd:49", part77); + + var part78 = match("MESSAGE#201:dhcpd:50", "nwparser.payload", "Lease state %{result}. Not abandoning %{hostip}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg58 = msg("dhcpd:50", part78); + + var part79 = match("MESSAGE#202:dhcpd:51/0_0", "nwparser.payload", "Addition%{p0}"); + + var part80 = match("MESSAGE#202:dhcpd:51/0_1", "nwparser.payload", "Removal%{p0}"); + + var select12 = linear_select([ + part79, + part80, + ]); + + var part81 = match("MESSAGE#202:dhcpd:51/1", "nwparser.p0", "%{}of %{p0}"); + + var part82 = match("MESSAGE#202:dhcpd:51/2_0", "nwparser.p0", "forward%{p0}"); + + var part83 = match("MESSAGE#202:dhcpd:51/2_1", "nwparser.p0", "reverse%{p0}"); + + var select13 = linear_select([ + part82, + part83, + ]); + + var part84 = match("MESSAGE#202:dhcpd:51/3", "nwparser.p0", "%{}map for %{hostip->} deferred"); + + var all16 = all_match({ + processors: [ + select12, + part81, + select13, + part84, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("disposition","deferred"), + ]), + }); + + var msg59 = msg("dhcpd:51", all16); + + var part85 = match("MESSAGE#203:dhcpd:52", "nwparser.payload", "Hostname%{change_old}replaced by%{hostname}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg60 = msg("dhcpd:52", part85); + + var msg61 = msg("dhcpd:37", dup68); + + var select14 = linear_select([ + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + 
msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, + msg45, + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, + msg52, + msg53, + msg54, + msg55, + msg56, + msg57, + msg58, + msg59, + msg60, + msg61, + ]); + + var part86 = match("MESSAGE#47:ntpd:05", "nwparser.payload", "system event '%{event_type}' (%{fld1}) status '%{result}' (%{fld2})", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","system event status"), + ])); + + var msg62 = msg("ntpd:05", part86); + + var part87 = match("MESSAGE#48:ntpd:04", "nwparser.payload", "frequency initialized %{result->} from %(unknown)", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","frequency initialized from file"), + ])); + + var msg63 = msg("ntpd:04", part87); + + var part88 = match("MESSAGE#49:ntpd:03", "nwparser.payload", "ntpd exiting on signal %{dclass_counter1}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","ntpd exiting on signal"), + ])); + + var msg64 = msg("ntpd:03", part88); + + var part89 = match("MESSAGE#50:ntpd", "nwparser.payload", "time slew %{result}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","time slew duraion"), + ])); + + var msg65 = msg("ntpd", part89); + + var part90 = match("MESSAGE#51:ntpd:01", "nwparser.payload", "%{process}: signal %{dclass_counter1->} had flags %{result}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","signal had flags"), + ])); + + var msg66 = msg("ntpd:01", part90); + + var msg67 = msg("ntpd:02", dup64); + + var select15 = linear_select([ + msg62, + msg63, + msg64, + msg65, + msg66, + msg67, + ]); + + var part91 = match("MESSAGE#53:named:16/0", "nwparser.payload", "client %{saddr}#%{sport}:%{fld1}: update '%{zone}' %{p0}"); + + var all17 = all_match({ + processors: [ + part91, + dup69, + ], + on_success: 
processor_chain([ + dup15, + dup6, + dup8, + ]), + }); + + var msg68 = msg("named:16", all17); + + var part92 = match("MESSAGE#54:named/0", "nwparser.payload", "client %{saddr}#%{sport}: update '%{zone}/IN' %{p0}"); + + var all18 = all_match({ + processors: [ + part92, + dup69, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + dup35, + ]), + }); + + var msg69 = msg("named", all18); + + var part93 = match("MESSAGE#55:named:12/0", "nwparser.payload", "client %{saddr}#%{sport}/key dhcp_updater_default: signer \"%{owner}\" %{p0}"); + + var all19 = all_match({ + processors: [ + part93, + dup69, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + ]), + }); + + var msg70 = msg("named:12", all19); + + var part94 = match("MESSAGE#56:named:01/1_0", "nwparser.p0", "%{sport}/%{fld1}: signer \"%{p0}"); + + var part95 = match("MESSAGE#56:named:01/1_1", "nwparser.p0", "%{sport}: signer \"%{p0}"); + + var select16 = linear_select([ + part94, + part95, + ]); + + var part96 = match("MESSAGE#56:named:01/2", "nwparser.p0", "%{owner}\" %{p0}"); + + var all20 = all_match({ + processors: [ + dup36, + select16, + part96, + dup69, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + ]), + }); + + var msg71 = msg("named:01", all20); + + var part97 = match("MESSAGE#57:named:17/0", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}/%{p0}"); + + var part98 = match("MESSAGE#57:named:17/2", "nwparser.p0", "': %{p0}"); + + var part99 = match("MESSAGE#57:named:17/3_0", "nwparser.p0", "%{fld2}: %{action->} at '%{p0}"); + + var select17 = linear_select([ + part99, + dup40, + ]); + + var part100 = match("MESSAGE#57:named:17/4_1", "nwparser.p0", "%{hostname}' %{p0}"); + + var select18 = linear_select([ + dup41, + part100, + ]); + + var all21 = all_match({ + processors: [ + part97, + dup70, + part98, + select17, + select18, + dup71, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup45, + dup35, + ]), + }); + + var msg72 = 
msg("named:17", all21); + + var part101 = match("MESSAGE#58:named:18/0", "nwparser.payload", "client %{saddr}#%{sport}:%{fld1}: updating zone '%{zone}': %{p0}"); + + var part102 = match("MESSAGE#58:named:18/1_0", "nwparser.p0", "adding %{p0}"); + + var part103 = match("MESSAGE#58:named:18/1_1", "nwparser.p0", "deleting%{p0}"); + + var select19 = linear_select([ + part102, + part103, + ]); + + var part104 = match("MESSAGE#58:named:18/2", "nwparser.p0", "%{} %{info->} at '%{hostname}'"); + + var all22 = all_match({ + processors: [ + part101, + select19, + part104, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg73 = msg("named:18", all22); + + var part105 = match("MESSAGE#59:named:02/0", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}/%{p0}"); + + var part106 = match("MESSAGE#59:named:02/2", "nwparser.p0", "':%{p0}"); + + var part107 = match("MESSAGE#59:named:02/3_0", "nwparser.p0", "%{fld1}: %{action->} at '%{p0}"); + + var select20 = linear_select([ + part107, + dup40, + ]); + + var part108 = match("MESSAGE#59:named:02/4_1", "nwparser.p0", "%{hostip}' %{p0}"); + + var select21 = linear_select([ + dup41, + part108, + ]); + + var all23 = all_match({ + processors: [ + part105, + dup70, + part106, + select20, + select21, + dup71, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup45, + dup35, + ]), + }); + + var msg74 = msg("named:02", all23); + + var part109 = match("MESSAGE#60:named:19/0", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}': update %{disposition}: %{p0}"); + + var part110 = match("MESSAGE#60:named:19/1_0", "nwparser.p0", "%{hostname}/%{dns_querytype}: %{p0}"); + + var part111 = match("MESSAGE#60:named:19/1_1", "nwparser.p0", "%{hostname}: %{p0}"); + + var select22 = linear_select([ + part110, + part111, + ]); + + var all24 = all_match({ + processors: [ + part109, + select22, + dup46, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + 
dup47, + ]), + }); + + var msg75 = msg("named:19", all24); + + var part112 = match("MESSAGE#61:named:03", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': update %{disposition}: %{hostname}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg76 = msg("named:03", part112); + + var part113 = match("MESSAGE#62:named:11", "nwparser.payload", "zone %{zone}: notify from %{saddr}#%{sport}: zone is up to date", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","notify zone is up to date"), + ])); + + var msg77 = msg("named:11", part113); + + var part114 = match("MESSAGE#63:named:13", "nwparser.payload", "zone %{zone}: notify from %{saddr}#%{sport}: %{action}, %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg78 = msg("named:13", part114); + + var part115 = match("MESSAGE#64:named:14", "nwparser.payload", "zone %{zone}: refresh: retry limit for master %{saddr}#%{sport->} exceeded (%{action})", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg79 = msg("named:14", part115); + + var part116 = match("MESSAGE#65:named:15", "nwparser.payload", "zone %{zone}: refresh: failure trying master %{saddr}#%{sport->} (source ::#0): %{action}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg80 = msg("named:15", part116); + + var part117 = match("MESSAGE#66:named:25/0", "nwparser.payload", "DNS format error from %{saddr}#%{sport->} resolving %{domain}/%{dns_querytype->} for client %{daddr}#%{dport}: %{p0}"); + + var part118 = match("MESSAGE#66:named:25/1_0", "nwparser.p0", "%{error}--%{result}"); + + var part119 = match("MESSAGE#66:named:25/1_1", "nwparser.p0", "%{result}"); + + var select23 = linear_select([ + part118, + part119, + ]); + + var all25 = all_match({ + processors: [ + part117, + select23, + ], + on_success: processor_chain([ + dup48, + dup49, + dup14, + dup6, + dup8, + setc("event_description","DNS format error"), + dup30, + ]), + }); + + var 
msg81 = msg("named:25", all25); + + var part120 = match("MESSAGE#67:named:63/2", "nwparser.p0", "%{sport->} (#%{fld5}): query: %{domain->} %{fld4->} (%{daddr})"); + + var all26 = all_match({ + processors: [ + dup50, + dup72, + part120, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), + }); + + var msg82 = msg("named:63", all26); + + var part121 = match("MESSAGE#68:named:72/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{fld1}): %{p0}"); + + var part122 = match("MESSAGE#68:named:72/1_0", "nwparser.p0", "view%{fld3}: query:%{p0}"); + + var part123 = match("MESSAGE#68:named:72/1_1", "nwparser.p0", "query:%{p0}"); + + var select24 = linear_select([ + part122, + part123, + ]); + + var part124 = match("MESSAGE#68:named:72/2", "nwparser.p0", "%{} %{domain->} %{fld2->} %{dns_querytype->} %{context->} (%{daddr})"); + + var all27 = all_match({ + processors: [ + part121, + select24, + part124, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), + }); + + var msg83 = msg("named:72", all27); + + var part125 = match("MESSAGE#69:named:28", "nwparser.payload", "%{action->} (%{saddr}#%{sport}) %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg84 = msg("named:28", part125); + + var part126 = match("MESSAGE#70:named:71/0", "nwparser.payload", "transfer of '%{zone}' from %{saddr}#%{sport}: failed %{p0}"); + + var part127 = match("MESSAGE#70:named:71/1_0", "nwparser.p0", "to connect: %{result}"); + + var part128 = match("MESSAGE#70:named:71/1_1", "nwparser.p0", "while receiving responses: %{result}"); + + var select25 = linear_select([ + part127, + part128, + ]); + + var all28 = all_match({ + processors: [ + part126, + select25, + ], + on_success: processor_chain([ + dup48, + dup6, + dup8, + dup30, + setc("event_description","failed"), + ]), + }); + + var msg85 = msg("named:71", all28); + + var part129 = match("MESSAGE#71:named:70/0", "nwparser.payload", "transfer of '%{zone}' from 
%{saddr}#%{sport}: %{p0}"); + + var part130 = match("MESSAGE#71:named:70/1_0", "nwparser.p0", "connected using %{daddr}#%{dport}"); + + var select26 = linear_select([ + part130, + dup46, + ]); + + var all29 = all_match({ + processors: [ + part129, + select26, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), + }); + + var msg86 = msg("named:70", all29); + + var part131 = match("MESSAGE#72:named:40/0", "nwparser.payload", "%{fld1->} client %{saddr}#%{sport}: %{p0}"); + + var part132 = match("MESSAGE#72:named:40/1_0", "nwparser.p0", "view %{fld2}: %{protocol}: query: %{p0}"); + + var part133 = match("MESSAGE#72:named:40/1_1", "nwparser.p0", "%{protocol}: query: %{p0}"); + + var select27 = linear_select([ + part132, + part133, + ]); + + var part134 = match("MESSAGE#72:named:40/2", "nwparser.p0", "%{domain->} %{fld3->} %{dns_querytype->} response:%{result->} %{p0}"); + + var part135 = match("MESSAGE#72:named:40/3_0", "nwparser.p0", "%{context->} %{dns.resptext}"); + + var part136 = match("MESSAGE#72:named:40/3_1", "nwparser.p0", "%{context}"); + + var select28 = linear_select([ + part135, + part136, + ]); + + var all30 = all_match({ + processors: [ + part131, + select27, + part134, + select28, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), + }); + + var msg87 = msg("named:40", all30); + + var part137 = match("MESSAGE#73:named:05", "nwparser.payload", "zone '%{zone}' %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg88 = msg("named:05", part137); + + var part138 = match("MESSAGE#74:named:10/1_0", "nwparser.p0", "%{sport->} %{fld22}/%{fld21}:%{p0}"); + + var part139 = match("MESSAGE#74:named:10/1_1", "nwparser.p0", "%{sport}/%{fld21}:%{p0}"); + + var part140 = match("MESSAGE#74:named:10/1_2", "nwparser.p0", "%{sport->} (%{fld21}): %{p0}"); + + var select29 = linear_select([ + part138, + part139, + part140, + dup53, + ]); + + var part141 = match("MESSAGE#74:named:10/2", 
"nwparser.p0", "%{}query: %{domain->} %{info->} (%{daddr})"); + + var all31 = all_match({ + processors: [ + dup36, + select29, + part141, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","dns query"), + ]), + }); + + var msg89 = msg("named:10", all31); + + var part142 = match("MESSAGE#75:named:29", "nwparser.payload", "client %{saddr}#%{sport}: %{fld1}: received notify for zone '%{zone}'", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","received notify for zone"), + ])); + + var msg90 = msg("named:29", part142); + + var part143 = match("MESSAGE#76:named:08", "nwparser.payload", "client %{saddr}#%{sport}: received notify for zone '%{zone}'", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","client received notify for zone"), + ])); + + var msg91 = msg("named:08", part143); + + var part144 = match("MESSAGE#77:named:09", "nwparser.payload", "client %{saddr}#%{sport}: update forwarding '%{zone}' denied", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","client update forwarding for zone denied"), + ])); + + var msg92 = msg("named:09", part144); + + var part145 = match("MESSAGE#78:named:76/0", "nwparser.payload", "zone %{zone}: ZRQ appl%{p0}"); + + var part146 = match("MESSAGE#78:named:76/1_0", "nwparser.p0", "ied%{p0}"); + + var part147 = match("MESSAGE#78:named:76/1_1", "nwparser.p0", "ying%{p0}"); + + var select30 = linear_select([ + part146, + part147, + ]); + + var part148 = match("MESSAGE#78:named:76/2", "nwparser.p0", "%{}transaction %{p0}"); + + var part149 = match("MESSAGE#78:named:76/3_0", "nwparser.p0", "%{operation_id->} with SOA serial %{serial_number}. 
Zone version is now %{version}."); + + var part150 = match("MESSAGE#78:named:76/3_1", "nwparser.p0", "%{fld1}."); + + var select31 = linear_select([ + part149, + part150, + ]); + + var all32 = all_match({ + processors: [ + part145, + select30, + part148, + select31, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), + }); + + var msg93 = msg("named:76", all32); + + var part151 = match("MESSAGE#79:named:75", "nwparser.payload", "zone %{zone}: ZRQ applied %{action->} for '%{fld1}': %{fld2->} %{fld3->} %{dns_querytype->} %{info}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg94 = msg("named:75", part151); + + var part152 = match("MESSAGE#80:named:06/0", "nwparser.payload", "zone%{p0}"); + + var part153 = match("MESSAGE#80:named:06/1_0", "nwparser.p0", "_%{fld1}: %{p0}"); + + var part154 = match("MESSAGE#80:named:06/1_1", "nwparser.p0", " %{zone}: %{p0}"); + + var select32 = linear_select([ + part153, + part154, + ]); + + var all33 = all_match({ + processors: [ + part152, + select32, + dup46, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), + }); + + var msg95 = msg("named:06", all33); + + var part155 = match("MESSAGE#81:named:20", "nwparser.payload", "REFUSED unexpected RCODE resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup12, + dup49, + dup14, + dup6, + dup8, + dup54, + dup30, + dup55, + ])); + + var msg96 = msg("named:20", part155); + + var part156 = match("MESSAGE#82:named:49/0", "nwparser.payload", "REFUSED unexpected RCODE resolving '%{zone}/%{dns_querytype}/IN': %{p0}"); + + var part157 = match("MESSAGE#82:named:49/1_0", "nwparser.p0", "%{daddr}#%{dport}"); + + var part158 = match("MESSAGE#82:named:49/1_1", "nwparser.p0", "%{fld1}"); + + var select33 = linear_select([ + part157, + part158, + ]); + + var all34 = all_match({ + processors: [ + part156, + select33, + ], + on_success: processor_chain([ + dup56, + dup49, + dup14, + dup6, 
+ dup8, + dup54, + dup30, + dup35, + ]), + }); + + var msg97 = msg("named:49", all34); + + var part159 = match("MESSAGE#83:named:24/1_0", "nwparser.p0", "%{domain}): %{fld2}: zone transfer%{p0}"); + + var part160 = match("MESSAGE#83:named:24/1_1", "nwparser.p0", "%{domain}): zone transfer%{p0}"); + + var select34 = linear_select([ + part159, + part160, + ]); + + var part161 = match("MESSAGE#83:named:24/2", "nwparser.p0", "%{}'%{zone}' %{action}"); + + var all35 = all_match({ + processors: [ + dup57, + select34, + part161, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), + }); + + var msg98 = msg("named:24", all35); + + var part162 = match("MESSAGE#84:named:26/1_0", "nwparser.p0", "%{domain}): %{fld2}: no more recursive clients %{p0}"); + + var part163 = match("MESSAGE#84:named:26/1_1", "nwparser.p0", "%{domain}): no more recursive clients%{p0}"); + + var select35 = linear_select([ + part162, + part163, + ]); + + var part164 = match("MESSAGE#84:named:26/2", "nwparser.p0", "%{}(%{fld3}) %{info}"); + + var all36 = all_match({ + processors: [ + dup57, + select35, + part164, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg99 = msg("named:26", all36); + + var part165 = match("MESSAGE#85:named:27/1_0", "nwparser.p0", "%{domain}): %{fld2->} : %{fld3->} response from Internet for %{p0}"); + + var part166 = match("MESSAGE#85:named:27/1_1", "nwparser.p0", "%{domain}): %{fld3->} response from Internet for %{p0}"); + + var select36 = linear_select([ + part165, + part166, + ]); + + var part167 = match("MESSAGE#85:named:27/2", "nwparser.p0", "%{fld4}"); + + var all37 = all_match({ + processors: [ + dup57, + select36, + part167, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg100 = msg("named:27", all37); + + var part168 = match("MESSAGE#86:named:38/2_0", "nwparser.p0", "%{sport}#%{fld5->} (%{fld6}):%{p0}"); + + var part169 = match("MESSAGE#86:named:38/2_1", "nwparser.p0", 
"%{sport->} (%{fld5}):%{p0}"); + + var select37 = linear_select([ + part168, + part169, + dup53, + ]); + + var part170 = match("MESSAGE#86:named:38/3", "nwparser.p0", "%{}query%{p0}"); + + var part171 = match("MESSAGE#86:named:38/4_0", "nwparser.p0", " (%{fld7}) '%{domain}/%{fld4}' %{result}"); + + var part172 = match("MESSAGE#86:named:38/4_1", "nwparser.p0", ": %{domain->} %{fld4->} (%{daddr})"); + + var select38 = linear_select([ + part171, + part172, + ]); + + var all38 = all_match({ + processors: [ + dup50, + dup72, + select37, + part170, + select38, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg101 = msg("named:38", all38); + + var part173 = match("MESSAGE#87:named:39", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: error (%{result}) resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup12, + dup49, + dup14, + dup6, + dup8, + dup54, + ])); + + var msg102 = msg("named:39", part173); + + var part174 = match("MESSAGE#88:named:46", "nwparser.payload", "%{event_description}: Authorization denied for the operation (%{fld4}): %{fld5->} (data=\"%{hostip}\", source=\"%{hostname}\")", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg103 = msg("named:46", part174); + + var part175 = match("MESSAGE#89:named:64", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}': deleting %{info->} at %{hostname->} %{dns_querytype}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg104 = msg("named:64", part175); + + var part176 = match("MESSAGE#90:named:45", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': deleting %{info->} at %{hostname->} %{dns_querytype}", processor_chain([ + dup12, + dup6, + dup8, + dup47, + ])); + + var msg105 = msg("named:45", part176); + + var part177 = match("MESSAGE#91:named:44/0", "nwparser.payload", "client %{saddr}#%{sport}/key dhcp_updater_default: updating zone '%{p0}"); + 
+ var part178 = match("MESSAGE#91:named:44/1_0", "nwparser.p0", "%{domain}/IN'%{p0}"); + + var part179 = match("MESSAGE#91:named:44/1_1", "nwparser.p0", "%{domain}'%{p0}"); + + var select39 = linear_select([ + part178, + part179, + ]); + + var part180 = match("MESSAGE#91:named:44/2", "nwparser.p0", ": %{p0}"); + + var part181 = match("MESSAGE#91:named:44/3_0", "nwparser.p0", "deleting an RR at %{daddr}.in-addr.arpa "); + + var part182 = match("MESSAGE#91:named:44/3_1", "nwparser.p0", "deleting an RR at %{daddr}.%{fld6->} "); + + var part183 = match("MESSAGE#91:named:44/3_2", "nwparser.p0", "%{fld5}"); + + var select40 = linear_select([ + part181, + part182, + part183, + ]); + + var all39 = all_match({ + processors: [ + part177, + select39, + part180, + select40, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg106 = msg("named:44", all39); + + var part184 = match("MESSAGE#92:named:43", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): query (%{fld3}) '%{fld4}/%{dns_querytype}/IN' %{result}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg107 = msg("named:43", part184); + + var part185 = match("MESSAGE#93:named:42", "nwparser.payload", "%{result->} resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup12, + dup6, + dup8, + dup55, + ])); + + var msg108 = msg("named:42", part185); + + var part186 = match("MESSAGE#94:named:41", "nwparser.payload", "%{fld1}: unable to find root NS '%{domain}'", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg109 = msg("named:41", part186); + + var part187 = match("MESSAGE#95:named:47", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': update %{disposition}: %{event_description}", processor_chain([ + setc("eventcategory","1502000000"), + dup6, + dup8, + ])); + + var msg110 = msg("named:47", part187); + + var part188 = match("MESSAGE#96:named:48", "nwparser.payload", "client 
%{saddr}#%{sport->} (%{hostname}): query '%{zone}' %{result}", processor_chain([ + dup56, + dup6, + dup8, + dup30, + ])); + + var msg111 = msg("named:48", part188); + + var part189 = match("MESSAGE#97:named:62", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1->} (%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg112 = msg("named:62", part189); + + var part190 = match("MESSAGE#98:named:53", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg113 = msg("named:53", part190); + + var part191 = match("MESSAGE#99:named:77", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): query failed (%{error}) for %{fld1}/IN/%{dns_querytype->} at %(unknown):%{fld2}", processor_chain([ + dup48, + dup6, + dup8, + setc("event_description"," query failed"), + ])); + + var msg114 = msg("named:77", part191); + + var part192 = match("MESSAGE#100:named:52", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): %{info}", processor_chain([ + dup58, + dup6, + dup8, + dup47, + ])); + + var msg115 = msg("named:52", part192); + + var part193 = match("MESSAGE#101:named:50", "nwparser.payload", "%{fld1}: %{domain}/%{dns_querytype->} (%{saddr}) %{info}", processor_chain([ + dup58, + dup6, + dup8, + ])); + + var msg116 = msg("named:50", part193); + + var part194 = match("MESSAGE#102:named:51", "nwparser.payload", "%{fld1}: %{fld2}: REFUSED", processor_chain([ + dup56, + dup6, + dup8, + dup49, + dup14, + dup54, + ])); + + var msg117 = msg("named:51", part194); + + var part195 = match("MESSAGE#103:named:54", "nwparser.payload", "%{hostip}#%{network_port}: GSS-TSIG authentication failed:%{event_description}", processor_chain([ + dup58, + dup6, + dup8, + dup2, + dup14, + dup30, + ])); + + var msg118 = msg("named:54", part195); + + var part196 = match("MESSAGE#104:named:55/0", "nwparser.payload", "success 
resolving '%{domain}/%{dns_querytype}' (in '%{fld1}'?) %{p0}"); + + var part197 = match("MESSAGE#104:named:55/1_0", "nwparser.p0", "after disabling EDNS%{}"); + + var part198 = match("MESSAGE#104:named:55/1_1", "nwparser.p0", "%{fld2}"); + + var select41 = linear_select([ + part197, + part198, + ]); + + var all40 = all_match({ + processors: [ + part196, + select41, + ], + on_success: processor_chain([ + dup58, + dup6, + dup8, + dup5, + dup30, + dup59, + ]), + }); + + var msg119 = msg("named:55", all40); + + var part199 = match("MESSAGE#105:named:56", "nwparser.payload", "SERVFAIL unexpected RCODE resolving '%{domain}/%{dns_querytype}/IN':%{hostip}#%{network_port}", processor_chain([ + dup58, + dup6, + dup8, + dup49, + dup14, + dup30, + dup59, + ])); + + var msg120 = msg("named:56", part199); + + var part200 = match("MESSAGE#106:named:57", "nwparser.payload", "FORMERR resolving '%{domain}/%{dns_querytype}/IN':%{hostip}#%{network_port}", processor_chain([ + dup58, + dup6, + dup8, + setc("ec_outcome","Error"), + dup30, + dup59, + ])); + + var msg121 = msg("named:57", part200); + + var part201 = match("MESSAGE#107:named:04/0", "nwparser.payload", "%{action->} on %{p0}"); + + var part202 = match("MESSAGE#107:named:04/1_0", "nwparser.p0", "IPv4 interface %{sinterface}, %{saddr}#%{p0}"); + + var part203 = match("MESSAGE#107:named:04/1_1", "nwparser.p0", "%{saddr}#%{p0}"); + + var select42 = linear_select([ + part202, + part203, + ]); + + var part204 = match("MESSAGE#107:named:04/2", "nwparser.p0", "%{sport}"); + + var all41 = all_match({ + processors: [ + part201, + select42, + part204, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg122 = msg("named:04", all41); + + var part205 = match("MESSAGE#108:named:58", "nwparser.payload", "lame server resolving '%{domain}' (in '%{fld2}'?):%{hostip}#%{network_port}", processor_chain([ + dup58, + dup6, + dup8, + dup30, + dup59, + ])); + + var msg123 = msg("named:58", part205); + + var part206 = 
match("MESSAGE#109:named:59", "nwparser.payload", "exceeded max queries resolving '%{domain}/%{dns_querytype}'", processor_chain([ + dup12, + dup6, + dup8, + dup30, + dup59, + ])); + + var msg124 = msg("named:59", part206); + + var part207 = match("MESSAGE#110:named:60", "nwparser.payload", "skipping nameserver '%{hostname}' because it is a CNAME, while resolving '%{domain}/%{dns_querytype}'", processor_chain([ + dup12, + dup6, + dup8, + dup30, + dup59, + setc("event_description","skipping nameserver because it is a CNAME"), + ])); + + var msg125 = msg("named:60", part207); + + var part208 = match("MESSAGE#111:named:61", "nwparser.payload", "loading configuration from '%(unknown)'", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg126 = msg("named:61", part208); + + var part209 = match("MESSAGE#112:named:73", "nwparser.payload", "fetch: %{zone}/%{dns_querytype}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + dup35, + ])); + + var msg127 = msg("named:73", part209); + + var part210 = match("MESSAGE#113:named:74", "nwparser.payload", "decrement_reference: delete from rbt: %{fld1->} %{domain}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg128 = msg("named:74", part210); + + var part211 = match("MESSAGE#114:named:07/0_0", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): view %{fld2}: query: %{web_query}"); + + var part212 = match("MESSAGE#114:named:07/0_1", "nwparser.payload", "%{event_description}"); + + var select43 = linear_select([ + part211, + part212, + ]); + + var all42 = all_match({ + processors: [ + select43, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), + }); + + var msg129 = msg("named:07", all42); + + var select44 = linear_select([ + msg68, + msg69, + msg70, + msg71, + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + msg88, + msg89, + msg90, + msg91, + msg92, + 
msg93, + msg94, + msg95, + msg96, + msg97, + msg98, + msg99, + msg100, + msg101, + msg102, + msg103, + msg104, + msg105, + msg106, + msg107, + msg108, + msg109, + msg110, + msg111, + msg112, + msg113, + msg114, + msg115, + msg116, + msg117, + msg118, + msg119, + msg120, + msg121, + msg122, + msg123, + msg124, + msg125, + msg126, + msg127, + msg128, + msg129, + ]); + + var part213 = match("MESSAGE#115:pidof:01", "nwparser.payload", "can't read sid from %{agent}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","can't read sid"), + ])); + + var msg130 = msg("pidof:01", part213); + + var part214 = match("MESSAGE#116:pidof", "nwparser.payload", "can't get program name from %{agent}", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var msg131 = msg("pidof", part214); + + var select45 = linear_select([ + msg130, + msg131, + ]); + + var part215 = match("MESSAGE#117:validate_dhcpd:01", "nwparser.payload", "Configured local-address not available as source address for DNS updates. 
%{result}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Configured local-address not available as source address for DNS updates"), + ])); + + var msg132 = msg("validate_dhcpd:01", part215); + + var msg133 = msg("validate_dhcpd", dup73); + + var select46 = linear_select([ + msg132, + msg133, + ]); + + var msg134 = msg("syslog-ng", dup64); + + var part216 = match("MESSAGE#120:kernel", "nwparser.payload", "Linux version %{version->} (%{from}) (%{fld1}) %{fld2}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg135 = msg("kernel", part216); + + var msg136 = msg("kernel:01", dup64); + + var select47 = linear_select([ + msg135, + msg136, + ]); + + var msg137 = msg("radiusd", dup64); + + var part217 = match("MESSAGE#123:rc", "nwparser.payload", "executing %{agent->} start", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg138 = msg("rc", part217); + + var msg139 = msg("rc3", dup64); + + var part218 = match("MESSAGE#125:rcsysinit", "nwparser.payload", "fsck from %{version}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg140 = msg("rcsysinit", part218); + + var msg141 = msg("rcsysinit:01", dup64); + + var select48 = linear_select([ + msg140, + msg141, + ]); + + var part219 = match("MESSAGE#126:watchdog", "nwparser.payload", "opened %(unknown), with timeout = %{duration->} secs", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg142 = msg("watchdog", part219); + + var part220 = match("MESSAGE#127:watchdog:01", "nwparser.payload", "%{action}, pid = %{process_id}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg143 = msg("watchdog:01", part220); + + var part221 = match("MESSAGE#128:watchdog:02", "nwparser.payload", "received %{fld1}, cancelling softdog and exiting...", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg144 = msg("watchdog:02", part221); + + var part222 = match("MESSAGE#129:watchdog:03", "nwparser.payload", "%{filename->} could not be opened, errno = 
%{resultcode}", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var msg145 = msg("watchdog:03", part222); + + var msg146 = msg("watchdog:04", dup64); + + var select49 = linear_select([ + msg142, + msg143, + msg144, + msg145, + msg146, + ]); + + var msg147 = msg("init", dup64); + + var part223 = match("MESSAGE#131:logger", "nwparser.payload", "%{action}: %{saddr}/%{mask->} to %{interface}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg148 = msg("logger", part223); + + var msg149 = msg("logger:01", dup64); + + var select50 = linear_select([ + msg148, + msg149, + ]); + + var part224 = match("MESSAGE#133:openvpn-member", "nwparser.payload", "read %{protocol->} [%{info}] %{event_description->} (code=%{resultcode})", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var msg150 = msg("openvpn-member", part224); + + var msg151 = msg("openvpn-member:01", dup74); + + var part225 = match("MESSAGE#135:openvpn-member:02", "nwparser.payload", "Options error: %{event_description}", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var msg152 = msg("openvpn-member:02", part225); + + var part226 = match("MESSAGE#136:openvpn-member:03", "nwparser.payload", "OpenVPN %{version->} [%{protocol}] [%{fld2}] %{info}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg153 = msg("openvpn-member:03", part226); + + var msg154 = msg("openvpn-member:04", dup75); + + var msg155 = msg("openvpn-member:05", dup64); + + var select51 = linear_select([ + msg150, + msg151, + msg152, + msg153, + msg154, + msg155, + ]); + + var part227 = match("MESSAGE#139:sshd", "nwparser.payload", "Server listening on %{hostip->} port %{network_port}.", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg156 = msg("sshd", part227); + + var part228 = match("MESSAGE#140:sshd:01/0", "nwparser.payload", "Accepted password for %{p0}"); + + var part229 = match("MESSAGE#140:sshd:01/1_0", "nwparser.p0", "root from %{p0}"); + + var part230 = match("MESSAGE#140:sshd:01/1_1", 
"nwparser.p0", "%{username->} from %{p0}"); + + var select52 = linear_select([ + part229, + part230, + ]); + + var part231 = match("MESSAGE#140:sshd:01/2", "nwparser.p0", "%{saddr->} port %{sport->} %{protocol}"); + + var all43 = all_match({ + processors: [ + part228, + select52, + part231, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg157 = msg("sshd:01", all43); + + var part232 = match("MESSAGE#141:sshd:02", "nwparser.payload", "Connection closed by %{hostip}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg158 = msg("sshd:02", part232); + + var part233 = match("MESSAGE#142:sshd:03", "nwparser.payload", "%{severity}: Bind to port %{network_port->} on %{hostip->} %{result}: %{event_description}", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var msg159 = msg("sshd:03", part233); + + var part234 = match("MESSAGE#143:sshd:04", "nwparser.payload", "%{severity}: Cannot bind any address.", processor_chain([ + setc("eventcategory","1601000000"), + dup6, + dup8, + ])); + + var msg160 = msg("sshd:04", part234); + + var part235 = match("MESSAGE#144:sshd:05", "nwparser.payload", "%{action}: logout() %{result}", processor_chain([ + dup1, + dup2, + dup4, + dup14, + dup6, + dup8, + setc("event_description","logout"), + ])); + + var msg161 = msg("sshd:05", part235); + + var part236 = match("MESSAGE#145:sshd:06", "nwparser.payload", "Did not receive identification string from %{saddr}", processor_chain([ + dup15, + dup6, + setc("result","no identification string"), + setc("event_description","Did not receive identification string from peer"), + ])); + + var msg162 = msg("sshd:06", part236); + + var part237 = match("MESSAGE#146:sshd:07", "nwparser.payload", "Sleep 60 seconds for slowing down ssh login%{}", processor_chain([ + dup12, + dup6, + setc("result","slowing down ssh login"), + setc("event_description","Sleep 60 seconds"), + ])); + + var msg163 = msg("sshd:07", part237); + + var part238 = 
match("MESSAGE#147:sshd:08", "nwparser.payload", "%{authmethod->} authentication succeeded for user %{username}", processor_chain([ + setc("eventcategory","1302010300"), + dup6, + setc("event_description","authentication succeeded"), + dup8, + dup60, + ])); + + var msg164 = msg("sshd:08", part238); + + var part239 = match("MESSAGE#148:sshd:09", "nwparser.payload", "User group = %{group}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","User group"), + dup60, + ])); + + var msg165 = msg("sshd:09", part239); + + var part240 = match("MESSAGE#149:sshd:10", "nwparser.payload", "Bad protocol version identification '%{protocol_detail}' from %{saddr}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Bad protocol version identification"), + dup60, + ])); + + var msg166 = msg("sshd:10", part240); + + var select53 = linear_select([ + msg156, + msg157, + msg158, + msg159, + msg160, + msg161, + msg162, + msg163, + msg164, + msg165, + msg166, + ]); + + var part241 = match("MESSAGE#150:openvpn-master", "nwparser.payload", "OpenVPN %{version->} [%{protocol}] [%{fld1}] %{info}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg167 = msg("openvpn-master", part241); + + var part242 = match("MESSAGE#151:openvpn-master:01", "nwparser.payload", "read %{protocol->} [%{info}]: %{event_description->} (code=%{resultcode})", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var msg168 = msg("openvpn-master:01", part242); + + var msg169 = msg("openvpn-master:02", dup74); + + var part243 = match("MESSAGE#153:openvpn-master:03", "nwparser.payload", "%{saddr}:%{sport->} TLS Error: TLS handshake failed", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var msg170 = msg("openvpn-master:03", part243); + + var part244 = match("MESSAGE#154:openvpn-master:04", "nwparser.payload", "%{fld1}/%{saddr}:%{sport->} [%{fld2}] %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg171 = msg("openvpn-master:04", 
part244); + + var part245 = match("MESSAGE#155:openvpn-master:05", "nwparser.payload", "%{saddr}:%{sport->} [%{fld1}] %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg172 = msg("openvpn-master:05", part245); + + var msg173 = msg("openvpn-master:06", dup75); + + var msg174 = msg("openvpn-master:07", dup64); + + var select54 = linear_select([ + msg167, + msg168, + msg169, + msg170, + msg171, + msg172, + msg173, + msg174, + ]); + + var part246 = match("MESSAGE#158:INFOBLOX-Grid", "nwparser.payload", "Grid member at %{saddr->} %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg175 = msg("INFOBLOX-Grid", part246); + + var part247 = match("MESSAGE#159:INFOBLOX-Grid:02/0_0", "nwparser.payload", "Started%{p0}"); + + var part248 = match("MESSAGE#159:INFOBLOX-Grid:02/0_1", "nwparser.payload", "Completed%{p0}"); + + var select55 = linear_select([ + part247, + part248, + ]); + + var part249 = match("MESSAGE#159:INFOBLOX-Grid:02/1", "nwparser.p0", "%{}distribution on member with IP address %{saddr}"); + + var all44 = all_match({ + processors: [ + select55, + part249, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg176 = msg("INFOBLOX-Grid:02", all44); + + var part250 = match("MESSAGE#160:INFOBLOX-Grid:03", "nwparser.payload", "Upgrade Complete%{}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Upgrade Complete"), + ])); + + var msg177 = msg("INFOBLOX-Grid:03", part250); + + var part251 = match("MESSAGE#161:INFOBLOX-Grid:04", "nwparser.payload", "Upgrade to %{fld1}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg178 = msg("INFOBLOX-Grid:04", part251); + + var select56 = linear_select([ + msg175, + msg176, + msg177, + msg178, + ]); + + var part252 = match("MESSAGE#162:db_jnld", "nwparser.payload", "Grid member at %{saddr->} is online.", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg179 = msg("db_jnld", part252); + + var 
part253 = match("MESSAGE#219:db_jnld:01/0", "nwparser.payload", "Resolved conflict for replicated delete of %{p0}"); + + var part254 = match("MESSAGE#219:db_jnld:01/1_0", "nwparser.p0", "PTR %{p0}"); + + var part255 = match("MESSAGE#219:db_jnld:01/1_1", "nwparser.p0", "TXT %{p0}"); + + var part256 = match("MESSAGE#219:db_jnld:01/1_2", "nwparser.p0", "A %{p0}"); + + var part257 = match("MESSAGE#219:db_jnld:01/1_3", "nwparser.p0", "CNAME %{p0}"); + + var part258 = match("MESSAGE#219:db_jnld:01/1_4", "nwparser.p0", "SRV %{p0}"); + + var select57 = linear_select([ + part254, + part255, + part256, + part257, + part258, + ]); + + var part259 = match("MESSAGE#219:db_jnld:01/2", "nwparser.p0", "%{}\"%{fld1}\" in zone \"%{zone}\""); + + var all45 = all_match({ + processors: [ + part253, + select57, + part259, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg180 = msg("db_jnld:01", all45); + + var select58 = linear_select([ + msg179, + msg180, + ]); + + var part260 = match("MESSAGE#163:sSMTP/0", "nwparser.payload", "Sent mail for %{to->} (%{fld1}) %{p0}"); + + var part261 = match("MESSAGE#163:sSMTP/1_0", "nwparser.p0", "uid=%{uid->} username=%{username->} outbytes=%{sbytes->} "); + + var part262 = match("MESSAGE#163:sSMTP/1_1", "nwparser.p0", "%{space->} "); + + var select59 = linear_select([ + part261, + part262, + ]); + + var all46 = all_match({ + processors: [ + part260, + select59, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), + }); + + var msg181 = msg("sSMTP", all46); + + var part263 = match("MESSAGE#164:sSMTP:02", "nwparser.payload", "Cannot open %{hostname}:%{network_port}", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var msg182 = msg("sSMTP:02", part263); + + var part264 = match("MESSAGE#165:sSMTP:03", "nwparser.payload", "Unable to locate %{hostname}.", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var msg183 = msg("sSMTP:03", part264); + + var msg184 = msg("sSMTP:04", dup73); + + var 
select60 = linear_select([ + msg181, + msg182, + msg183, + msg184, + ]); + + var part265 = match("MESSAGE#167:scheduled_backups", "nwparser.payload", "Backup to %{device->} was successful - Backup file %(unknown)", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg185 = msg("scheduled_backups", part265); + + var part266 = match("MESSAGE#168:scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device->} was successful - Backup file %(unknown)", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Scheduled backup to the FTP server was successful"), + ])); + + var msg186 = msg("scheduled_ftp_backups", part266); + + var part267 = match("MESSAGE#169:failed_scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device->} failed - %{result}.", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Scheduled backup to the FTP server failed"), + ])); + + var msg187 = msg("failed_scheduled_ftp_backups", part267); + + var select61 = linear_select([ + msg186, + msg187, + ]); + + var part268 = match("MESSAGE#170:scheduled_scp_backups", "nwparser.payload", "Scheduled backup to the %{device->} was successful - Backup file %(unknown)", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Scheduled backup to the SCP server was successful"), + ])); + + var msg188 = msg("scheduled_scp_backups", part268); + + var part269 = match("MESSAGE#171:python", "nwparser.payload", "%{action->} even though zone '%{zone}' in view '%{fld1}' is locked.", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg189 = msg("python", part269); + + var part270 = match("MESSAGE#172:python:01", "nwparser.payload", "%{action->} (algorithm=%{fld1}, key tag=%{fld2}, key size=%{fld3}): '%{hostname}' in view '%{fld4}'.", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg190 = msg("python:01", part270); + + var part271 = match("MESSAGE#173:python:02", "nwparser.payload", "%{action}: '%{hostname}' 
in view '%{fld1}'.", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg191 = msg("python:02", part271); + + var part272 = match("MESSAGE#174:python:03", "nwparser.payload", "%{action}: FQDN='%{domain}', ADDRESS='%{saddr}', View='%{fld1}'", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg192 = msg("python:03", part272); + + var part273 = match("MESSAGE#175:python:04", "nwparser.payload", "%{action}: FQDN='%{domain}', View='%{fld1}'", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg193 = msg("python:04", part273); + + var part274 = match("MESSAGE#176:python:05", "nwparser.payload", "%{fld1}: %{fld2}.%{fld3->} [%{username}]: Populated %{zone->} %{hostname->} DnsView=%{fld4}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg194 = msg("python:05", part274); + + var msg195 = msg("python:06", dup64); + + var select62 = linear_select([ + msg189, + msg190, + msg191, + msg192, + msg193, + msg194, + msg195, + ]); + + var part275 = match("MESSAGE#178:monitor", "nwparser.payload", "Type: %{protocol}, State: %{event_state}, Event: %{event_description}.", processor_chain([ + dup11, + dup6, + dup8, + ])); + + var msg196 = msg("monitor", part275); + + var part276 = match("MESSAGE#179:snmptrapd", "nwparser.payload", "NET-SNMP version %{version->} %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg197 = msg("snmptrapd", part276); + + var part277 = match("MESSAGE#180:snmptrapd:01", "nwparser.payload", "lock in %{fld1->} sleeps more than %{duration->} milliseconds in %{fld2}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg198 = msg("snmptrapd:01", part277); + + var msg199 = msg("snmptrapd:02", dup64); + + var select63 = linear_select([ + msg197, + msg198, + msg199, + ]); + + var part278 = match("MESSAGE#182:ntpdate", "nwparser.payload", "adjust time server %{saddr->} offset %{duration->} sec", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg200 = msg("ntpdate", part278); + + 
var msg201 = msg("ntpdate:01", dup73); + + var select64 = linear_select([ + msg200, + msg201, + ]); + + var msg202 = msg("phonehome", dup64); + + var part279 = match("MESSAGE#185:purge_scheduled_tasks", "nwparser.payload", "Scheduled tasks have been purged%{}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg203 = msg("purge_scheduled_tasks", part279); + + var part280 = match("MESSAGE#186:serial_console:04", "nwparser.payload", "%{fld20->} %{fld21}.%{fld22->} [%{domain}]: Login_Denied - - to=%{terminal->} apparently_via=%{info->} ip=%{saddr->} error=%{result}", processor_chain([ + dup13, + dup2, + dup3, + dup10, + dup14, + dup6, + date_time({ + dest: "event_time", + args: ["fld20","fld21"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }), + dup8, + setc("event_description","Login Denied"), + ])); + + var msg204 = msg("serial_console:04", part280); + + var part281 = match("MESSAGE#187:serial_console:03", "nwparser.payload", "No authentication methods succeeded for user %{username}", processor_chain([ + dup13, + dup2, + dup3, + dup10, + dup14, + dup6, + dup8, + setc("event_description","No authentication methods succeeded for user"), + ])); + + var msg205 = msg("serial_console:03", part281); + + var part282 = match("MESSAGE#188:serial_console", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Allowed - - to=%{terminal->} apparently_via=%{info->} auth=%{authmethod->} group=%{group}", processor_chain([ + dup9, + dup2, + dup3, + dup10, + dup5, + dup6, + dup7, + dup8, + ])); + + var msg206 = msg("serial_console", part282); + + var part283 = match("MESSAGE#189:serial_console:01", "nwparser.payload", "RADIUS authentication succeeded for user %{username}", processor_chain([ + setc("eventcategory","1302010100"), + dup2, + dup3, + dup10, + dup5, + dup6, + dup8, + setc("event_description","RADIUS authentication succeeded for user"), + ])); + + var msg207 = msg("serial_console:01", part283); + + var part284 = 
match("MESSAGE#190:serial_console:02", "nwparser.payload", "User group = %{group}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","User group identification"), + ])); + + var msg208 = msg("serial_console:02", part284); + + var part285 = match("MESSAGE#205:serial_console:05", "nwparser.payload", "%{fld1->} [%{username}]: rebooted the system", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","system reboot"), + ])); + + var msg209 = msg("serial_console:05", part285); + + var part286 = match("MESSAGE#214:serial_console:06", "nwparser.payload", "Local authentication succeeded for user %{username}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Local authentication succeeded for user"), + ])); + + var msg210 = msg("serial_console:06", part286); + + var select65 = linear_select([ + msg204, + msg205, + msg206, + msg207, + msg208, + msg209, + msg210, + ]); + + var msg211 = msg("rc6", dup64); + + var msg212 = msg("acpid", dup64); + + var msg213 = msg("diskcheck", dup64); + + var part287 = match("MESSAGE#210:debug_mount", "nwparser.payload", "mount %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg214 = msg("debug_mount", part287); + + var msg215 = msg("smart_check_io", dup64); + + var msg216 = msg("speedstep_control", dup64); + + var part288 = match("MESSAGE#215:controld", "nwparser.payload", "Distribution Started%{}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Distribution Started"), + ])); + + var msg217 = msg("controld", part288); + + var part289 = match("MESSAGE#216:controld:02", "nwparser.payload", "Distribution Complete%{}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Distribution Complete"), + ])); + + var msg218 = msg("controld:02", part289); + + var select66 = linear_select([ + msg217, + msg218, + ]); + + var part290 = match("MESSAGE#217:shutdown", "nwparser.payload", "shutting down for system reboot%{}", 
processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","shutting down for system reboot"), + ])); + + var msg219 = msg("shutdown", part290); + + var part291 = match("MESSAGE#218:ntpd_initres", "nwparser.payload", "ntpd exiting on signal 15%{}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","ntpd exiting"), + ])); + + var msg220 = msg("ntpd_initres", part291); + + var part292 = match("MESSAGE#220:rsyncd", "nwparser.payload", "name lookup failed for %{saddr}: %{info}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg221 = msg("rsyncd", part292); + + var part293 = match("MESSAGE#221:rsyncd:01", "nwparser.payload", "connect from %{shost->} (%{saddr})", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg222 = msg("rsyncd:01", part293); + + var part294 = match("MESSAGE#222:rsyncd:02", "nwparser.payload", "rsync on %{filename->} from %{shost->} (%{saddr})", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg223 = msg("rsyncd:02", part294); + + var part295 = match("MESSAGE#223:rsyncd:03", "nwparser.payload", "sent %{sbytes->} bytes received %{rbytes->} bytes total size %{fld1}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var msg224 = msg("rsyncd:03", part295); + + var part296 = match("MESSAGE#224:rsyncd:04", "nwparser.payload", "building file list%{}", processor_chain([ + dup12, + dup6, + setc("event_description","building file list"), + dup8, + ])); + + var msg225 = msg("rsyncd:04", part296); + + var select67 = linear_select([ + msg221, + msg222, + msg223, + msg224, + msg225, + ]); + + var msg226 = msg("syslog", dup76); + + var msg227 = msg("restarting", dup76); + + var part297 = match("MESSAGE#227:ipmievd", "nwparser.payload", "%{fld1}", processor_chain([ + dup12, + dup6, + dup8, + dup61, + ])); + + var msg228 = msg("ipmievd", part297); + + var part298 = match("MESSAGE#228:netauto_discovery", "nwparser.payload", "%{agent}: Processing path%{fld1}, vnid [%{fld2}]", processor_chain([ + dup58, 
+ dup6, + dup8, + dup60, + ])); + + var msg229 = msg("netauto_discovery", part298); + + var part299 = match("MESSAGE#229:netauto_discovery:01", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}:%{product}ver%{version->} device does not answer to lldpRem OID requests, skipping LLDP Neighbors poll", processor_chain([ + dup58, + dup6, + dup8, + dup60, + setc("event_description","device does not answer to lldpRem OID requests, skipping LLDP Neighbors poll"), + ])); + + var msg230 = msg("netauto_discovery:01", part299); + + var part300 = match("MESSAGE#230:netauto_discovery:02", "nwparser.payload", "%{agent}:%{space}Static address already set with IP:%{hostip}, Processing%{fld1}", processor_chain([ + dup58, + dup6, + dup8, + dup60, + ])); + + var msg231 = msg("netauto_discovery:02", part300); + + var part301 = match("MESSAGE#231:netauto_discovery:03", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}: SNMP Credentials: Failed to authenticate", processor_chain([ + dup62, + dup6, + dup8, + dup60, + dup14, + ])); + + var msg232 = msg("netauto_discovery:03", part301); + + var select68 = linear_select([ + msg229, + msg230, + msg231, + msg232, + ]); + + var part302 = match("MESSAGE#232:netauto_core:01", "nwparser.payload", "%{agent}: Attempting CLI on device%{device}with interface not in table, ip%{hostip}", processor_chain([ + dup58, + dup6, + dup8, + dup60, + ])); + + var msg233 = msg("netauto_core:01", part302); + + var part303 = match("MESSAGE#233:netauto_core", "nwparser.payload", "netautoctl:%{event_description}", processor_chain([ + dup58, + dup6, + dup8, + dup60, + ])); + + var msg234 = msg("netauto_core", part303); + + var select69 = linear_select([ + msg233, + msg234, + ]); + + var part304 = match("MESSAGE#234:captured_dns_uploader", "nwparser.payload", "%{event_description}", processor_chain([ + dup48, + dup6, + dup8, + dup60, + dup14, + ])); + + var msg235 = msg("captured_dns_uploader", part304); + + var part305 = 
match("MESSAGE#235:DIS", "nwparser.payload", "%{fld1}:%{fld2}: Device%{device}/%{hostip}login failure%{result}", processor_chain([ + dup62, + dup6, + dup8, + dup60, + dup10, + dup14, + ])); + + var msg236 = msg("DIS", part305); + + var part306 = match("MESSAGE#236:DIS:01", "nwparser.payload", "%{fld2}: %{fld3}: Attempting discover-now for %{hostip->} on %{fld4}, using session ID", processor_chain([ + dup58, + dup6, + dup8, + dup60, + ])); + + var msg237 = msg("DIS:01", part306); + + var select70 = linear_select([ + msg236, + msg237, + ]); + + var part307 = match("MESSAGE#237:ErrorMsg", "nwparser.payload", "%{result}", processor_chain([ + dup63, + dup6, + dup8, + dup60, + ])); + + var msg238 = msg("ErrorMsg", part307); + + var part308 = match("MESSAGE#238:tacacs_acct", "nwparser.payload", "%{fld1}: Server %{daddr->} port %{dport}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + dup60, + ])); + + var msg239 = msg("tacacs_acct", part308); + + var part309 = match("MESSAGE#239:tacacs_acct:01", "nwparser.payload", "%{fld1}: Accounting request failed. 
%{fld2}Server is %{daddr}, port is %{dport}.", processor_chain([ + dup63, + dup6, + dup8, + dup60, + setc("event_description","Accounting request failed."), + ])); + + var msg240 = msg("tacacs_acct:01", part309); + + var part310 = match("MESSAGE#240:tacacs_acct:02", "nwparser.payload", "%{fld1}: Read %{fld2->} bytes from server %{daddr->} port %{dport}, expecting %{fld3}", processor_chain([ + dup12, + dup6, + dup8, + dup60, + ])); + + var msg241 = msg("tacacs_acct:02", part310); + + var select71 = linear_select([ + msg239, + msg240, + msg241, + ]); + + var part311 = match("MESSAGE#241:dhcpdv6", "nwparser.payload", "Relay-forward message from %{saddr_v6->} port %{sport}, link address %{fld1}, peer address %{daddr_v6}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Relay-forward message"), + ])); + + var msg242 = msg("dhcpdv6", part311); + + var part312 = match("MESSAGE#242:dhcpdv6:01", "nwparser.payload", "Encapsulated Solicit message from %{saddr_v6->} port %{sport->} from client DUID %{fld1}, transaction ID %{id}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulated Solicit message"), + ])); + + var msg243 = msg("dhcpdv6:01", part312); + + var part313 = match("MESSAGE#243:dhcpdv6:02", "nwparser.payload", "Client %{fld1}, IP '%{fld2}': No addresses available for this interface", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","IP unknown - No addresses available for this interface"), + ])); + + var msg244 = msg("dhcpdv6:02", part313); + + var part314 = match("MESSAGE#244:dhcpdv6:03", "nwparser.payload", "Encapsulating Advertise message to send to %{saddr_v6->} port %{sport}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulating Advertise message"), + ])); + + var msg245 = msg("dhcpdv6:03", part314); + + var part315 = match("MESSAGE#245:dhcpdv6:04", "nwparser.payload", "Sending Relay-reply message to %{saddr_v6->} port 
%{sport}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Sending Relay-reply message"), + ])); + + var msg246 = msg("dhcpdv6:04", part315); + + var part316 = match("MESSAGE#246:dhcpdv6:05", "nwparser.payload", "Encapsulated Information-request message from %{saddr_v6->} port %{sport}, transaction ID %{id}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulated Information-request message"), + ])); + + var msg247 = msg("dhcpdv6:05", part316); + + var part317 = match("MESSAGE#247:dhcpdv6:06", "nwparser.payload", "Encapsulating Reply message to send to %{saddr_v6->} port %{sport}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulating Reply message"), + ])); + + var msg248 = msg("dhcpdv6:06", part317); + + var part318 = match("MESSAGE#248:dhcpdv6:07", "nwparser.payload", "Encapsulated Renew message from %{saddr_v6->} port %{sport->} from client DUID %{fld1}, transaction ID %{id}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulated Renew message"), + ])); + + var msg249 = msg("dhcpdv6:07", part318); + + var part319 = match("MESSAGE#249:dhcpdv6:08", "nwparser.payload", "Reply NA: address %{saddr_v6->} to client with duid %{fld1->} iaid = %{fld2->} static", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var msg250 = msg("dhcpdv6:08", part319); + + var msg251 = msg("dhcpdv6:09", dup68); + + var select72 = linear_select([ + msg242, + msg243, + msg244, + msg245, + msg246, + msg247, + msg248, + msg249, + msg250, + msg251, + ]); + + var msg252 = msg("debug", dup68); + + var part320 = match("MESSAGE#252:cloud_api", "nwparser.payload", "proxying request to %{hostname}(%{hostip}) %{web_method->} %{url->} %{protocol->} %{info}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","proxying request"), + ])); + + var msg253 = msg("cloud_api", part320); + + var chain1 = processor_chain([ 
+ select3, + msgid_select({ + "DIS": select70, + "ErrorMsg": msg238, + "INFOBLOX-Grid": select56, + "acpid": msg212, + "captured_dns_uploader": msg235, + "cloud_api": msg253, + "controld": select66, + "db_jnld": select58, + "debug": msg252, + "debug_mount": msg214, + "dhcpd": select14, + "dhcpdv6": select72, + "diskcheck": msg213, + "httpd": select4, + "in.tftpd": select5, + "init": msg147, + "ipmievd": msg228, + "kernel": select47, + "logger": select50, + "monitor": msg196, + "named": select44, + "netauto_core": select69, + "netauto_discovery": select68, + "ntpd": select15, + "ntpd_initres": msg220, + "ntpdate": select64, + "openvpn-master": select54, + "openvpn-member": select51, + "phonehome": msg202, + "pidof": select45, + "purge_scheduled_tasks": msg203, + "python": select62, + "radiusd": msg137, + "rc": msg138, + "rc3": msg139, + "rc6": msg211, + "rcsysinit": select48, + "restarting": msg227, + "rsyncd": select67, + "sSMTP": select60, + "scheduled_backups": msg185, + "scheduled_ftp_backups": select61, + "scheduled_scp_backups": msg188, + "serial_console": select65, + "shutdown": msg219, + "smart_check_io": msg215, + "snmptrapd": select63, + "speedstep_control": msg216, + "sshd": select53, + "syslog": msg226, + "syslog-ng": msg134, + "tacacs_acct": select71, + "validate_dhcpd": select46, + "watchdog": select49, + }), + ]); + + var part321 = match("MESSAGE#19:dhcpd:18/0", "nwparser.payload", "%{} %{p0}"); + + var part322 = match("MESSAGE#19:dhcpd:18/1_0", "nwparser.p0", "Added %{p0}"); + + var part323 = match("MESSAGE#19:dhcpd:18/1_1", "nwparser.p0", "added %{p0}"); + + var part324 = match("MESSAGE#25:dhcpd:03/1_0", "nwparser.p0", "%{dmacaddr->} (%{dhost}) via %{p0}"); + + var part325 = match("MESSAGE#25:dhcpd:03/1_1", "nwparser.p0", "%{dmacaddr->} via %{p0}"); + + var part326 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} from %{p0}"); + + var part327 = match("MESSAGE#28:dhcpd:09/1_0", "nwparser.p0", "%{smacaddr->} (%{shost}) 
via %{p0}"); + + var part328 = match("MESSAGE#28:dhcpd:09/1_1", "nwparser.p0", "%{smacaddr->} via %{p0}"); + + var part329 = match("MESSAGE#31:dhcpd:11/2", "nwparser.p0", "%{} %{interface}"); + + var part330 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{} %{interface->} relay %{fld1->} lease-duration %{duration}"); + + var part331 = match("MESSAGE#53:named:16/1_0", "nwparser.p0", "approved %{}"); + + var part332 = match("MESSAGE#53:named:16/1_1", "nwparser.p0", " denied%{}"); + + var part333 = match("MESSAGE#56:named:01/0", "nwparser.payload", "client %{saddr}#%{p0}"); + + var part334 = match("MESSAGE#57:named:17/1_0", "nwparser.p0", "IN%{p0}"); + + var part335 = match("MESSAGE#57:named:17/1_1", "nwparser.p0", "CH%{p0}"); + + var part336 = match("MESSAGE#57:named:17/1_2", "nwparser.p0", "HS%{p0}"); + + var part337 = match("MESSAGE#57:named:17/3_1", "nwparser.p0", "%{action->} at '%{p0}"); + + var part338 = match("MESSAGE#57:named:17/4_0", "nwparser.p0", "%{hostip}.in-addr.arpa' %{p0}"); + + var part339 = match("MESSAGE#57:named:17/5_0", "nwparser.p0", "%{dns_querytype->} \"%{fld3}\""); + + var part340 = match("MESSAGE#57:named:17/5_1", "nwparser.p0", "%{dns_querytype->} %{hostip}"); + + var part341 = match("MESSAGE#57:named:17/5_2", "nwparser.p0", "%{dns_querytype}"); + + var part342 = match("MESSAGE#60:named:19/2", "nwparser.p0", "%{event_description}"); + + var part343 = match("MESSAGE#67:named:63/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: client %{p0}"); + + var part344 = match("MESSAGE#67:named:63/1_0", "nwparser.p0", "%{fld9->} %{saddr}#%{p0}"); + + var part345 = match("MESSAGE#67:named:63/1_1", "nwparser.p0", " %{saddr}#%{p0}"); + + var part346 = match("MESSAGE#74:named:10/1_3", "nwparser.p0", "%{sport}:%{p0}"); + + var part347 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{p0}"); + + var part348 = match("MESSAGE#7:httpd:06", "nwparser.payload", "%{event_description}", processor_chain([ + 
dup12, + dup6, + dup8, + ])); + + var select73 = linear_select([ + dup17, + dup18, + ]); + + var select74 = linear_select([ + dup20, + dup21, + ]); + + var select75 = linear_select([ + dup25, + dup26, + ]); + + var part349 = match("MESSAGE#204:dhcpd:37", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + ])); + + var select76 = linear_select([ + dup33, + dup34, + ]); + + var select77 = linear_select([ + dup37, + dup38, + dup39, + ]); + + var select78 = linear_select([ + dup42, + dup43, + dup44, + ]); + + var select79 = linear_select([ + dup51, + dup52, + ]); + + var part350 = match("MESSAGE#118:validate_dhcpd", "nwparser.payload", "%{event_description}", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var part351 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action->} : %{event_description->} (code=%{resultcode})", processor_chain([ + dup15, + dup6, + dup8, + ])); + + var part352 = match("MESSAGE#137:openvpn-member:04", "nwparser.payload", "%{severity}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + ])); + + var part353 = match("MESSAGE#225:syslog", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, + dup61, + ])); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/infoblox/0.1.0/dataset/nios/elasticsearch/ingest_pipeline/default.yml b/packages/infoblox/0.1.0/dataset/nios/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 0000000000..5693b4aea4 --- /dev/null +++ b/packages/infoblox/0.1.0/dataset/nios/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Infoblox NIOS
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/infoblox/0.1.0/dataset/nios/fields/base-fields.yml b/packages/infoblox/0.1.0/dataset/nios/fields/base-fields.yml
new file mode 100644
index 0000000000..b294eaf20e
--- /dev/null
+++ b/packages/infoblox/0.1.0/dataset/nios/fields/base-fields.yml
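Review bot: The `on_failure` handler at the end of this hunk only appends `error.message`, so a document whose enrichment failed is still indexed with nothing a detection rule or dashboard can filter on. `ignore_missing: true` covers an absent field only; a `source.ip` or `destination.ip` that holds a non-IP value (a hostname the upstream parser put in an address field, for instance) still makes `geoip` throw, and the `rename` steps after it never run for that document. I would extend the handler with a marker, e.g. `- set: field: event.kind value: pipeline_error` (where the ECS version in use defines that value) or an `append` to `tags`, so partially enriched events can be found and the upstream mapping corrected.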
@@ -0,0 +1,26 @@
+- name: datastream.type
+ type: constant_keyword
+ description: Datastream type.
+- name: datastream.dataset
+ type: constant_keyword
+ description: Datastream dataset.
+- name: datastream.namespace
+ type: constant_keyword
+ description: Datastream namespace.
+
+- name: dataset.type
+ type: constant_keyword
+ description: >
+ Dataset type.
+- name: dataset.name
+ type: constant_keyword
+ description: >
+ Dataset name.
+- name: dataset.namespace
+ type: constant_keyword
+ description: >
+ Dataset namespace.
+- name: "@timestamp"
+ type: date
+ description: >
+ Event timestamp.
diff --git a/packages/infoblox/0.1.0/dataset/nios/fields/ecs.yml b/packages/infoblox/0.1.0/dataset/nios/fields/ecs.yml
new file mode 100644
index 0000000000..92af91c339
--- /dev/null
+++ b/packages/infoblox/0.1.0/dataset/nios/fields/ecs.yml
@@ -0,0 +1,836 @@ +- name: log + type: group + fields: + - name: original + level: core + type: keyword + ignore_above: 1024 + description: 'This is the original log message and contains the full log message + before splitting it up in multiple parts. + + In contrast to the `message` field which can contain an extracted part of the + log message, this field contains the original, full log message. It can have + already some modifications applied like encoding or new lines removed to clean + up the log message. + + This field is not indexed and doc_values are disabled so it can''t be queried + but the value can be retrieved from `_source`.' + example: Sep 19 08:26:10 localhost My log + - name: level + level: core + type: keyword + ignore_above: 1024 + description: 'Original log level of the log event. + + If the source of the event provides a log level or textual severity, this is + the one that goes in `log.level`. If your source doesn''t specify one, you may + put your event transport''s severity here (e.g. Syslog severity). + + Some examples are `warn`, `err`, `i`, `informational`.' + example: error + - name: syslog + type: group + fields: + - name: priority + level: extended + type: long + format: string + description: 'Syslog numeric priority of the event, if available. + + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. + This number is therefore expected to contain a value between 0 and 191.' + example: 135 + - name: facility + type: group + fields: + - name: code + level: extended + type: long + format: string + description: 'The Syslog numeric facility of the log event, if available. + + According to RFCs 5424 and 3164, this value should be an integer between + 0 and 23.' + example: 23 + - name: severity + type: group + fields: + - name: code + level: extended + type: long + description: 'The Syslog numeric severity of the log event, if available. 
+ + If the event source publishing via Syslog provides a different numeric severity + value (e.g. firewall, IDS), your source''s numeric severity should go to + `event.severity`. If the event source does not specify a distinct severity, + you can optionally copy the Syslog severity to `event.severity`.' + example: 3 +- name: event + type: group + fields: + - name: code + level: extended + type: keyword + ignore_above: 1024 + description: 'Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, regardless + of message language or wording adjustments over time. An example of this is + the Windows Event ID.' + example: 4648 + - name: action + level: core + type: keyword + ignore_above: 1024 + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is normally + defined by the implementer.' + example: user-password-change + - name: outcome + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + lowest level in the ECS category hierarchy. + + `event.outcome` simply denotes whether the event represents a success or a failure + from the perspective of the entity that produced the event. + + Note that when a single transaction is described in multiple events, each event + may populate different values of `event.outcome`, according to their perspective. + + Also note that in the case of a compound event (a single event that contains + multiple logical events), this field should be populated with the value that + best captures the overall success or failure from the perspective of the event + producer. + + Further note that not all events will have an associated outcome. 
For example, + this field is generally not populated for metric events, events with `event.type:info`, + or any events for which an outcome does not make logical sense.' + example: success + - name: category + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as a + subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + - name: timezone + level: extended + type: keyword + ignore_above: 1024 + description: 'This field should be populated when the event''s timestamp does + not include timezone information already (e.g. default Syslog timestamps). It''s + optional otherwise. + + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated + (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' +- name: '@timestamp' + level: core + required: true + type: date + description: 'Date/time when the event originated. + + This is the date/time extracted from the event, typically representing when the + event was generated by the source. + + If the event source has no original timestamp, this value is typically populated + by the first time the event was received by the pipeline. + + Required field for all events.' + example: '2016-05-23T08:05:34.853Z' +- name: user + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. 
+ example: albert + - name: full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifiers of the user. +- name: message + level: core + type: text + description: 'For log events the message field contains the log message, optimized + for viewing in a log viewer. + + For structured logs without an original message field, other fields can be concatenated + to form a human-readable summary of the event. + + If multiple messages exist, they can be combined into one message.' + example: Hello World +- name: source + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the source. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the source. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the source. + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. 
internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Source domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: host + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified + domain name, or a name specified by the user. The sender decides which value + to use.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. +- name: destination + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the destination. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the destination. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event destination addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. 
You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the destination to the source. + example: 184 + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the destination. + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of destination based NAT sessions (e.g. internet + to private DMZ) + + Typically used with load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Port the source session is translated to by NAT Device. + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Destination domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: network + type: group + fields: + - name: protocol + level: core + type: keyword + ignore_above: 1024 + description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: http + - name: application + level: extended + type: keyword + ignore_above: 1024 + description: 'A name given to an application level protocol. This can be arbitrarily + assigned for things like microservices, but also apply to things like skype, + icq, facebook, twitter. 
This would be used in situations where the vendor or + service can be decoded such as from the source/dest IP owners, ports, or wire + format. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: aim + - name: interface + type: group + fields: + - type: keyword + name: name + - name: bytes + level: core + type: long + format: bytes + description: 'Total bytes transferred in both directions. + + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their + sum.' + example: 368 + - name: direction + level: core + type: keyword + ignore_above: 1024 + description: "Direction of the network traffic.\nRecommended values are:\n *\ + \ inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen mapping\ + \ events from a host-based monitoring context, populate this field from the\ + \ host's point of view.\nWhen mapping events from a network or perimeter-based\ + \ monitoring context, populate this field from the point of view of your network\ + \ perimeter." + example: inbound + - name: packets + level: core + type: long + description: 'Total packets transferred in both directions. + + If `source.packets` and `destination.packets` are known, `network.packets` is + their sum.' + example: 24 + - name: forwarded_ip + level: core + type: ip + description: Host IP address when the source IP address is the proxy. + example: 192.1.1.2 +- name: observer + type: group + fields: + - name: version + level: core + type: keyword + ignore_above: 1024 + description: Observer version. + - name: product + level: extended + type: keyword + ignore_above: 1024 + description: The product name of the observer. + example: s200 + - name: ingress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. 
+ example: eth0 + default_field: false + - name: egress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. + example: eth0 + default_field: false +- name: file + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. + example: example.png + - name: directory + level: extended + type: keyword + ignore_above: 1024 + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + - name: size + level: extended + type: long + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: File type (file, dir, or symlink). + example: file + - name: extension + level: extended + type: keyword + ignore_above: 1024 + description: File extension. + example: png + - name: path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + - name: attributes + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' 
+ example: '["readonly", "system"]' + default_field: false +- name: url + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + - name: query + level: extended + type: keyword + ignore_above: 1024 + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there is + no query field. If there is a `?` but no query, the query field exists with + an empty string. The `exists` query can be used to differentiate between the + two cases.' + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field.' + example: www.elastic.co + - name: path + level: extended + type: keyword + ignore_above: 1024 + description: Path of the request, such as "/search". + - name: top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for google.com is "com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). 
Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.google.com" is "google.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: google.com +- name: service + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the service data is collected from. + + The name of the service is normally user given. This allows for distributed + services that run on multiple hosts to correlate the related instances based + on the name. + + In the case of Elasticsearch the `service.name` could contain the cluster name. + For Beats the `service.name` is by default a copy of the `service.type` field + if no name is specified.' + example: elasticsearch-metrics +- name: server + type: group + fields: + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Server domain. +- name: process + type: group + fields: + - name: pid + level: core + type: long + format: string + description: Process id. + example: 4242 + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + - name: ppid + level: extended + type: long + format: string + description: Parent process' pid. 
+ example: 4241 + - name: parent + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' +- name: rule + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: The name of the rule or signature generating the event. + example: BLOCK_DNS_over_TLS + default_field: false +- name: user_agent + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Unparsed user_agent string. + example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 + (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 +- name: http + type: group + fields: + - name: response + type: group + fields: + - name: body + type: group + fields: + - name: content + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: The full HTTP response body. 
+ example: Hello world + - name: request + type: group + fields: + - name: referrer + level: extended + type: keyword + ignore_above: 1024 + description: Referrer for this HTTP request. + example: https://blog.example.com/ + - name: method + level: extended + type: keyword + ignore_above: 1024 + description: 'HTTP request method. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: get, post, put +- name: geo + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + - name: region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec +- name: dns + type: group + fields: + - name: question + type: group + fields: + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of record being queried. + example: AAAA + - name: answers + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'The domain name to which this resource record pertains. + + If a chain of CNAME is being resolved, each answer''s `name` should be the + one that corresponds with the answer''s `data`. It should not simply be the + original `question.name` repeated.' + example: www.google.com + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of data contained in this resource record. 
+ example: CNAME
diff --git a/packages/infoblox/0.1.0/dataset/nios/fields/fields.yml b/packages/infoblox/0.1.0/dataset/nios/fields/fields.yml
new file mode 100644
index 0000000000..2abc947fe7
--- /dev/null
+++ b/packages/infoblox/0.1.0/dataset/nios/fields/fields.yml
@@ -0,0 +1,1939 @@
+- name: rsa
+ type: group
+ fields:
+ - name: internal
+ type: group
+ fields:
+ - name: msg
+ type: keyword
+ description: This key is used to capture the raw message that comes into the
+ Log Decoder
+ - name: messageid
+ type: keyword
+ - name: event_desc
+ type: keyword
+ - name: message
+ type: keyword
+ description: This key captures the contents of instant messages
+ - name: time
+ type: date
+ description: This is the time at which a session hits a NetWitness Decoder.
+ This key should never be used to parse Meta data from a session (Logs/Packets)
+ Directly, this is a Reserved key in NetWitness.
+ - name: level
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: msg_id
+ type: keyword
+ description: This is the Message ID1 value that identifies the exact log parser
+ definition which parses a particular log session. This key should never be
+ used to parse Meta data from a session (Logs/Packets) Directly, this is a
+ Reserved key in NetWitness
+ - name: msg_vid
+ type: keyword
+ description: This is the Message ID2 value that identifies the exact log parser
+ definition which parses a particular log session. This key should never be
+ used to parse Meta data from a session (Logs/Packets) Directly, this is a
+ Reserved key in NetWitness
+ - name: data
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_server
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_val
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: resource
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_id
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: statement
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: audit_class
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a 
generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+        - name: scheme
+          type: keyword
+          description: This key captures the Encryption scheme used
+        - name: peer_id
+          type: keyword
+          description: "This key is for Encryption peer\u2019s identity"
+        - name: sig_type
+          type: keyword
+          description: This key captures the Signature Type
+        - name: cert_issuer
+          type: keyword
+        - name: cert_host_name
+          type: keyword
+          description: Deprecated key defined only in table map.
+        - name: cert_error
+          type: keyword
+          description: This key captures the Certificate Error String
+        - name: cipher_dst
+          type: keyword
+          description: This key is for Destination (Server) Cipher
+        - name: cipher_size_dst
+          type: long
+          description: This key captures Destination (Server) Cipher Size
+        - name: ssl_ver_src
+          type: keyword
+          description: Deprecated, use version
+        - name: d_certauth
+          type: keyword
+        - name: s_certauth
+          type: keyword
+        - name: ike_cookie1
+          type: keyword
+          description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
+        - name: ike_cookie2
+          type: keyword
+          description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
+        - name: cert_checksum
+          type: keyword
+        - name: cert_host_cat
+          type: keyword
+          description: This key is used for the hostname category value of a certificate
+        - name: cert_serial
+          type: keyword
+          description: This key is used to capture the Certificate serial number only
+        - name: cert_status
+          type: keyword
+          description: This key captures Certificate validation status
+        - name: ssl_ver_dst
+          type: keyword
+          description: Deprecated, use version
+        - name: cert_keysize
+          type: keyword
+        - name: cert_username
+          type: keyword
+        - name: https_insact
+          type: keyword
+        - name: https_valid
+          type: keyword
+        - name: cert_ca
+          type: keyword
+          description: This key is used to capture the Certificate signing authority only
+        - name: cert_common
+          type: keyword
+          description: This key is used to capture the Certificate common name only
+    - name: wireless
+      type: group
+      fields:
+        - name: wlan_ssid
+          type: keyword
+          description: This key is used to capture the ssid of a Wireless Session
+        - name: access_point
+          type: keyword
+          description: This key is used to capture the access point name.
+        - name: wlan_channel
+          type: long
+          description: This is used to capture the channel names
+        - name: wlan_name
+          type: keyword
+          description: This key captures either WLAN number/name
+    - name: storage
+      type: group
+      fields:
+        - name: disk_volume
+          type: keyword
+          description: A unique name assigned to logical units (volumes) within a physical
+            disk
+        - name: lun
+          type: keyword
+          description: Logical Unit Number.This key is a very useful concept in Storage.
+        - name: pwwn
+          type: keyword
+          description: This uniquely identifies a port on a HBA.
+    - name: physical
+      type: group
+      fields:
+        - name: org_dst
+          type: keyword
+          description: This is used to capture the destination organization based on the
+            GEOPIP Maxmind database.
+        - name: org_src
+          type: keyword
+          description: This is used to capture the source organization based on the GEOPIP
+            Maxmind database.
+    - name: healthcare
+      type: group
+      fields:
+        - name: patient_fname
+          type: keyword
+          description: This key is for First Names only, this is used for Healthcare predominantly
+            to capture Patients information
+        - name: patient_id
+          type: keyword
+          description: This key captures the unique ID for a patient
+        - name: patient_lname
+          type: keyword
+          description: This key is for Last Names only, this is used for Healthcare predominantly
+            to capture Patients information
+        - name: patient_mname
+          type: keyword
+          description: This key is for Middle Names only, this is used for Healthcare
+            predominantly to capture Patients information
+    - name: endpoint
+      type: group
+      fields:
+        - name: host_state
+          type: keyword
+          description: This key is used to capture the current state of the machine, such
+            as blacklisted, infected, firewall
+            disabled and so on
+        - name: registry_key
+          type: keyword
+          description: This key captures the path to the registry key
+        - name: registry_value
+          type: keyword
+          description: This key captures values or decorators used within a registry entry
diff --git a/packages/infoblox/0.1.0/dataset/nios/manifest.yml b/packages/infoblox/0.1.0/dataset/nios/manifest.yml
new file mode 100644
index 0000000000..87fa454bbb
--- /dev/null
+++ b/packages/infoblox/0.1.0/dataset/nios/manifest.yml
@@ -0,0 +1,155 @@
+title: Infoblox NIOS logs
+release: experimental
+type: logs
+streams:
+- input: udp
+  title: Infoblox NIOS logs
+  description: Collect Infoblox NIOS logs
+  template_path: udp.yml.hbs
+  vars:
+  - name: tags
+    type: text
+    title: Tags
+    multi: true
+    required: true
+    show_user: false
+    default:
+      - infoblox-nios
+      - forwarded
+  - name: udp_host
+    type: text
+    title: UDP host to listen on
+    multi: false
+    required: true
+    show_user: true
+    default: localhost
+  - name: udp_port
+    type: integer
+    title: UDP port to listen on
+    multi: false
+    required: true
+    show_user: true
+    default: 9511
+  - name: tz_offset
+    type: text
+    title: Timezone offset (+HH:mm format)
+    required: false
+    show_user: true
+    default: "local"
+  - name: rsa_fields
+    type: bool
+    title: Add non-ECS fields
+    required: false
+    show_user: true
+    default: true
+  - name: keep_raw_fields
+    type: bool
+    title: Keep raw parser fields
+    required: false
+    show_user: false
+    default: false
+  - name: debug
+    type: bool
+    title: Enable debug logging
+    required: false
+    show_user: false
+    default: false
+
+- input: tcp
+  title: Infoblox NIOS logs
+  description: Collect Infoblox NIOS logs
+  template_path: tcp.yml.hbs
+  vars:
+  - name: tags
+    type: text
+    title: Tags
+    multi: true
+    required: true
+    show_user: false
+    default:
+      - infoblox-nios
+      - forwarded
+  - name: tcp_host
+    type: text
+    title: TCP host to listen on
+    multi: false
+    required: true
+    show_user: true
+    default: localhost
+  - name: tcp_port
+    type: integer
+    title: TCP port to listen on
+    multi: false
+    required: true
+    show_user: true
+    default: 9511
+  - name: tz_offset
+    type: text
+    title: Timezone offset (+HH:mm format)
+    required: false
+    show_user: true
+    default: "local"
+  - name: rsa_fields
+    type: bool
+    title: Add non-ECS fields
+    required: false
+    show_user: true
+    default: true
+  - name: keep_raw_fields
+    type: bool
+    title: Keep raw parser fields
+    required: false
+    show_user: false
+    default: false
+  - name: debug
+    type: bool
+    title: Enable debug logging
+    required: false
+    show_user: false
+    default: false
+
+- input: file
+  title: Infoblox NIOS logs
+  description: Collect Infoblox NIOS logs from file
+  vars:
+  - name: paths
+    type: text
+    title: Paths
+    multi: true
+    required: true
+    show_user: true
+    default:
+      - /var/log/infoblox-nios.log
+  - name: tags
+    type: text
+    title: Tags
+    multi: true
+    required: true
+    show_user: false
+    default:
+      - infoblox-nios
+      - forwarded
+  - name: tz_offset
+    type: text
+    title: Timezone offset (+HH:mm format)
+    required: false
+    show_user: true
+    default: "local"
+  - name: rsa_fields
+    type: bool
+    title: Add non-ECS fields
+    required: false
+    show_user: true
+    default: true
+  - name: keep_raw_fields
+    type: bool
+    title: Keep raw parser fields
+    required: false
+    show_user: false
+    default: false
+  - name: debug
+    type: bool
+    title: Enable debug logging
+    required: false
+    show_user: false
+    default: false
diff --git a/packages/infoblox/0.1.0/docs/README.md b/packages/infoblox/0.1.0/docs/README.md
new file mode 100644
index 0000000000..6544df8d83
--- /dev/null
+++ b/packages/infoblox/0.1.0/docs/README.md
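Review bot: The `file` input at the end of the hunk has no `template_path`, while the `udp` and `tcp` inputs above it name `udp.yml.hbs` and `tcp.yml.hbs` explicitly; if the omission relies on a default template name (the bluecoat package in this commit ships a `stream.yml.hbs`, so that is presumably the convention), a one-line comment such as `# template_path omitted: the default stream template is used` would keep the three inputs readable side by side, otherwise the key should be added. The `tz_offset` variable is free text titled `Timezone offset (+HH:mm format)` yet defaults to `"local"`, and none of the variables carry a `description`; since these values are interpolated into the agent stream template, the manifest is where a user learns the accepted forms, so I would document that `local` is a valid value and what `rsa_fields`, `keep_raw_fields` and `debug` change in the emitted events. The `udp_host` and `tcp_host` defaults of `localhost` are a sensible listen default and worth keeping, as binding to all interfaces should stay an explicit operator choice.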
@@ -0,0 +1,780 @@ +# Infoblox integration + +This integration is for Infoblox device's logs. It includes the following +datasets for receiving logs over syslog or read from a file: +- `nios` dataset: supports Infoblox NIOS logs. + +### Nios + +The `nios` dataset collects Infoblox NIOS logs. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| dataset.name | Dataset name. | constant_keyword | +| dataset.namespace | Dataset namespace. | constant_keyword | +| dataset.type | Dataset type. | constant_keyword | +| datastream.dataset | Datastream dataset. | constant_keyword | +| datastream.namespace | Datastream namespace. | constant_keyword | +| datastream.type | Datastream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | Destination domain. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location.lat | | double | +| destination.geo.location.lon | | double | +| destination.ip | IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses. | ip | +| destination.mac | MAC address of the destination. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. 
| keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| http.request.method | HTTP request method. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.body.content | The full HTTP response body. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. 
| keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | +| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.pid | Process id. | long | +| process.ppid | Parent process' pid. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. 
| keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is 
used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| rsa.crypto.ike | IKE negotiation phase. 
| keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | +| rsa.file.directory_dst | This key is used to capture the directory of the target process or file | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_type_id | Deprecated key defined only in table map. | long |
+| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long |
+| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long |
+| rsa.internal.entry | Deprecated key defined only in table map. | keyword |
+| rsa.internal.event_desc | | keyword |
+| rsa.internal.event_name | Deprecated key defined only in table map. | keyword |
+| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip |
+| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.hcode | Deprecated key defined only in table map. | keyword |
+| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.inode | Deprecated key defined only in table map. | long |
+| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date |
+| rsa.internal.level | Deprecated key defined only in table map. | long |
+| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long |
+| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long |
+| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long |
+| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long |
+| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long |
+| rsa.internal.message | This key captures the contents of instant messages | keyword |
+| rsa.internal.messageid | | keyword |
+| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword |
+| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.node_name | Deprecated key defined only in table map. | keyword |
+| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword |
+| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword |
+| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword |
+| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword |
+| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long |
+| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long |
+| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword |
+| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword |
+| rsa.internal.resource | Deprecated key defined only in table map. | keyword |
+| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword |
+| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
+| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.site | Deprecated key defined only in table map. | keyword |
+| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
+| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.statement | Deprecated key defined only in table map. | keyword |
+| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date |
+| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long |
+| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long |
+| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword |
+| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword |
+| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword |
+| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword |
+| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword |
+| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword |
+| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword |
+| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword |
+| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword |
+| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword |
+| rsa.investigations.event_cat | This key captures the Event category number | long |
+| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword |
+| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. | keyword |
+| rsa.investigations.inv_category | This used to capture investigation category | keyword |
+| rsa.investigations.inv_context | This used to capture investigation context | keyword |
+| rsa.investigations.ioc | This is key capture indicator of compromise | keyword |
+| rsa.misc.OS | This key captures the Name of the Operating System | keyword |
+| rsa.misc.acl_id | | keyword |
+| rsa.misc.acl_op | | keyword |
+| rsa.misc.acl_pos | | keyword |
+| rsa.misc.acl_table | | keyword |
+| rsa.misc.action | | keyword |
+| rsa.misc.admin | | keyword |
+| rsa.misc.agent_id | This key is used to capture agent id | keyword |
+| rsa.misc.alarm_id | | keyword |
+| rsa.misc.alarmname | | keyword |
+| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword |
+| rsa.misc.app_id | | keyword |
+| rsa.misc.audit | | keyword |
+| rsa.misc.audit_object | | keyword |
+| rsa.misc.auditdata | | keyword |
+| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword |
+| rsa.misc.benchmark | | keyword |
+| rsa.misc.bypass | | keyword |
+| rsa.misc.cache | | keyword |
+| rsa.misc.cache_hit | | keyword |
+| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword |
+| rsa.misc.cc_number | Valid Credit Card Numbers only | long |
+| rsa.misc.cefversion | | keyword |
+| rsa.misc.cfg_attr | | keyword |
+| rsa.misc.cfg_obj | | keyword |
+| rsa.misc.cfg_path | | keyword |
+| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword |
+| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword |
+| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword |
+| rsa.misc.changes | | keyword |
+| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword |
+| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword |
+| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword |
+| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword |
+| rsa.misc.client_ip | | keyword |
+| rsa.misc.clustermembers | | keyword |
+| rsa.misc.cmd | | keyword |
+| rsa.misc.cn_acttimeout | | keyword |
+| rsa.misc.cn_asn_src | | keyword |
+| rsa.misc.cn_bgpv4nxthop | | keyword |
+| rsa.misc.cn_ctr_dst_code | | keyword |
+| rsa.misc.cn_dst_tos | | keyword |
+| rsa.misc.cn_dst_vlan | | keyword |
+| rsa.misc.cn_engine_id | | keyword |
+| rsa.misc.cn_engine_type | | keyword |
+| rsa.misc.cn_f_switch | | keyword |
+| rsa.misc.cn_flowsampid | | keyword |
+| rsa.misc.cn_flowsampintv | | keyword |
+| rsa.misc.cn_flowsampmode | | keyword |
+| rsa.misc.cn_inacttimeout | | keyword |
+| rsa.misc.cn_inpermbyts | | keyword |
+| rsa.misc.cn_inpermpckts | | keyword |
+| rsa.misc.cn_invalid | | keyword |
+| rsa.misc.cn_ip_proto_ver | | keyword |
+| rsa.misc.cn_ipv4_ident | | keyword |
+| rsa.misc.cn_l_switch | | keyword |
+| rsa.misc.cn_log_did | | keyword |
+| rsa.misc.cn_log_rid | | keyword |
+| rsa.misc.cn_max_ttl | | keyword |
+| rsa.misc.cn_maxpcktlen | | keyword |
+| rsa.misc.cn_min_ttl | | keyword |
+| rsa.misc.cn_minpcktlen | | keyword |
+| rsa.misc.cn_mpls_lbl_1 | | keyword |
+| rsa.misc.cn_mpls_lbl_10 | | keyword |
+| rsa.misc.cn_mpls_lbl_2 | | keyword |
+| rsa.misc.cn_mpls_lbl_3 | | keyword |
+| rsa.misc.cn_mpls_lbl_4 | | keyword |
+| rsa.misc.cn_mpls_lbl_5 | | keyword |
+| rsa.misc.cn_mpls_lbl_6 | | keyword |
+| rsa.misc.cn_mpls_lbl_7 | | keyword |
+| rsa.misc.cn_mpls_lbl_8 | | keyword |
+| rsa.misc.cn_mpls_lbl_9 | | keyword |
+| rsa.misc.cn_mplstoplabel | | keyword |
+| rsa.misc.cn_mplstoplabip | | keyword |
+| rsa.misc.cn_mul_dst_byt | | keyword |
+| rsa.misc.cn_mul_dst_pks | | keyword |
+| rsa.misc.cn_muligmptype | | keyword |
+| rsa.misc.cn_sampalgo | | keyword |
+| rsa.misc.cn_sampint | | keyword |
+| rsa.misc.cn_seqctr | | keyword |
+| rsa.misc.cn_spackets | | keyword |
+| rsa.misc.cn_src_tos | | keyword |
+| rsa.misc.cn_src_vlan | | keyword |
+| rsa.misc.cn_sysuptime | | keyword |
+| rsa.misc.cn_template_id | | keyword |
+| rsa.misc.cn_totbytsexp | | keyword |
+| rsa.misc.cn_totflowexp | | keyword |
+| rsa.misc.cn_totpcktsexp | | keyword |
+| rsa.misc.cn_unixnanosecs | | keyword |
+| rsa.misc.cn_v6flowlabel | | keyword |
+| rsa.misc.cn_v6optheaders | | keyword |
+| rsa.misc.code | | keyword |
+| rsa.misc.command | | keyword |
+| rsa.misc.comments | Comment information provided in the log message | keyword |
+| rsa.misc.comp_class | | keyword |
+| rsa.misc.comp_name | | keyword |
+| rsa.misc.comp_rbytes | | keyword |
+| rsa.misc.comp_sbytes | | keyword |
+| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword |
+| rsa.misc.connection_id | This key captures the Connection ID | keyword |
+| rsa.misc.content | This key captures the content type from protocol headers | keyword |
+| rsa.misc.content_type | This key is used to capture Content Type only. | keyword |
+| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword |
+| rsa.misc.context | This key captures Information which adds additional context to the event. | keyword |
+| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword |
+| rsa.misc.context_target | | keyword |
+| rsa.misc.count | | keyword |
+| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long |
+| rsa.misc.cpu_data | | keyword |
+| rsa.misc.criticality | | keyword |
+| rsa.misc.cs_agency_dst | | keyword |
+| rsa.misc.cs_analyzedby | | keyword |
+| rsa.misc.cs_av_other | | keyword |
+| rsa.misc.cs_av_primary | | keyword |
+| rsa.misc.cs_av_secondary | | keyword |
+| rsa.misc.cs_bgpv6nxthop | | keyword |
+| rsa.misc.cs_bit9status | | keyword |
+| rsa.misc.cs_context | | keyword |
+| rsa.misc.cs_control | | keyword |
+| rsa.misc.cs_data | | keyword |
+| rsa.misc.cs_datecret | | keyword |
+| rsa.misc.cs_dst_tld | | keyword |
+| rsa.misc.cs_eth_dst_ven | | keyword |
+| rsa.misc.cs_eth_src_ven | | keyword |
+| rsa.misc.cs_event_uuid | | keyword |
+| rsa.misc.cs_filetype | | keyword |
+| rsa.misc.cs_fld | | keyword |
+| rsa.misc.cs_if_desc | | keyword |
+| rsa.misc.cs_if_name | | keyword |
+| rsa.misc.cs_ip_next_hop | | keyword |
+| rsa.misc.cs_ipv4dstpre | | keyword |
+| rsa.misc.cs_ipv4srcpre | | keyword |
+| rsa.misc.cs_lifetime | | keyword |
+| rsa.misc.cs_log_medium | | keyword |
+| rsa.misc.cs_loginname | | keyword |
+| rsa.misc.cs_modulescore | | keyword |
+| rsa.misc.cs_modulesign | | keyword |
+| rsa.misc.cs_opswatresult | | keyword |
+| rsa.misc.cs_payload | | keyword |
+| rsa.misc.cs_registrant | | keyword |
+| rsa.misc.cs_registrar | | keyword |
+| rsa.misc.cs_represult | | keyword |
+| rsa.misc.cs_rpayload | | keyword |
+| rsa.misc.cs_sampler_name | | keyword |
+| rsa.misc.cs_sourcemodule | | keyword |
+| rsa.misc.cs_streams | | keyword |
+| rsa.misc.cs_targetmodule | | keyword |
+| rsa.misc.cs_v6nxthop | | keyword |
+| rsa.misc.cs_whois_server | | keyword |
+| rsa.misc.cs_yararesult | | keyword |
+| rsa.misc.cve | This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword |
+| rsa.misc.data_type | | keyword |
+| rsa.misc.description | | keyword |
+| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword |
+| rsa.misc.devvendor | | keyword |
+| rsa.misc.disposition | This key captures the The end state of an action. | keyword |
+| rsa.misc.distance | | keyword |
+| rsa.misc.doc_number | This key captures File Identification number | long |
+| rsa.misc.dstburb | | keyword |
+| rsa.misc.edomain | | keyword |
+| rsa.misc.edomaub | | keyword |
+| rsa.misc.ein_number | Employee Identification Numbers only | long |
+| rsa.misc.error | This key captures All non successful Error codes or responses | keyword |
+| rsa.misc.euid | | keyword |
+| rsa.misc.event_category | | keyword |
+| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword |
+| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword |
+| rsa.misc.event_id | | keyword |
+| rsa.misc.event_log | This key captures the Name of the event log | keyword |
+| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword |
+| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword |
+| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword |
+| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword |
+| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). | keyword |
+| rsa.misc.facility | | keyword |
+| rsa.misc.facilityname | | keyword |
+| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword |
+| rsa.misc.filter | This key captures Filter used to reduce result set | keyword |
+| rsa.misc.finterface | | keyword |
+| rsa.misc.flags | | keyword |
+| rsa.misc.forensic_info | | keyword |
+| rsa.misc.found | This is used to capture the results of regex match | keyword |
+| rsa.misc.fresult | This key captures the Filter Result | long |
+| rsa.misc.gaddr | | keyword |
+| rsa.misc.group | This key captures the Group Name value | keyword |
+| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword |
+| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword |
+| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword |
+| rsa.misc.id3 | | keyword |
+| rsa.misc.im_buddyid | | keyword |
+| rsa.misc.im_buddyname | | keyword |
+| rsa.misc.im_client | | keyword |
+| rsa.misc.im_croomid | | keyword |
+| rsa.misc.im_croomtype | | keyword |
+| rsa.misc.im_members | | keyword |
+| rsa.misc.im_userid | | keyword |
+| rsa.misc.im_username | | keyword |
+| rsa.misc.index | | keyword |
+| rsa.misc.inout | | keyword |
+| rsa.misc.ipkt | | keyword |
+| rsa.misc.ipscat | | keyword |
+| rsa.misc.ipspri | | keyword |
+| rsa.misc.job_num | This key captures the Job Number | keyword |
+| rsa.misc.jobname | | keyword |
+| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword |
+| rsa.misc.latitude | | keyword |
+| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword |
+| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long |
+| rsa.misc.linenum | | keyword |
+| rsa.misc.link | This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.misc.list_name | | keyword |
+| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword |
+| rsa.misc.load_data | | keyword |
+| rsa.misc.location_floor | | keyword |
+| rsa.misc.location_mark | | keyword |
+| rsa.misc.log_id | | keyword |
+| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword |
+| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword |
+| rsa.misc.log_type | | keyword |
+| rsa.misc.logid | | keyword |
+| rsa.misc.logip | | keyword |
+| rsa.misc.logname | | keyword |
+| rsa.misc.longitude | | keyword |
+| rsa.misc.lport | | keyword |
+| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword |
+| rsa.misc.match | This key is for regex match name from search.ini | keyword |
+| rsa.misc.mbug_data | | keyword |
+| rsa.misc.message_body | This key captures the The contents of the message body. | keyword |
+| rsa.misc.misc | | keyword |
+| rsa.misc.misc_name | | keyword |
+| rsa.misc.mode | | keyword |
+| rsa.misc.msgIdPart1 | | keyword |
+| rsa.misc.msgIdPart2 | | keyword |
+| rsa.misc.msgIdPart3 | | keyword |
+| rsa.misc.msgIdPart4 | | keyword |
+| rsa.misc.msg_type | | keyword |
+| rsa.misc.msgid | | keyword |
+| rsa.misc.name | | keyword |
+| rsa.misc.netsessid | | keyword |
+| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. | keyword |
+| rsa.misc.ntype | | keyword |
+| rsa.misc.num | | keyword |
+| rsa.misc.number | | keyword |
+| rsa.misc.number1 | | keyword |
+| rsa.misc.number2 | | keyword |
+| rsa.misc.nwwn | | keyword |
+| rsa.misc.obj_name | This is used to capture name of object | keyword |
+| rsa.misc.obj_type | This is used to capture type of object | keyword |
+| rsa.misc.object | | keyword |
+| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword |
+| rsa.misc.operation | | keyword |
+| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword |
+| rsa.misc.opkt | | keyword |
+| rsa.misc.orig_from | | keyword |
+| rsa.misc.owner_id | | keyword |
+| rsa.misc.p_action | | keyword |
+| rsa.misc.p_filter | | keyword |
+| rsa.misc.p_group_object | | keyword |
+| rsa.misc.p_id | | keyword |
+| rsa.misc.p_msgid | | keyword |
+| rsa.misc.p_msgid1 | | keyword |
+| rsa.misc.p_msgid2 | | keyword |
+| rsa.misc.p_result1 | | keyword |
+| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword |
+| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword |
+| rsa.misc.param_src | This key captures source parameter | keyword |
+| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. | keyword |
+| rsa.misc.password_chg | | keyword |
+| rsa.misc.password_expire | | keyword |
+| rsa.misc.payload_dst | This key is used to capture destination payload | keyword |
+| rsa.misc.payload_src | This key is used to capture source payload | keyword |
+| rsa.misc.permgranted | | keyword |
+| rsa.misc.permwanted | | keyword |
+| rsa.misc.pgid | | keyword |
+| rsa.misc.phone | | keyword |
+| rsa.misc.pid | | keyword |
+| rsa.misc.policy | | keyword |
+| rsa.misc.policyUUID | | keyword |
+| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword |
+| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword |
+| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword |
+| rsa.misc.policy_waiver | | keyword |
+| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword |
+| rsa.misc.pool_name | This key captures the name of a resource pool | keyword |
+| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword |
+| rsa.misc.priority | | keyword |
+| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword |
+| rsa.misc.prog_asp_num | | keyword |
+| rsa.misc.program | | keyword |
+| rsa.misc.real_data | | keyword |
+| rsa.misc.reason | | keyword |
+| rsa.misc.rec_asp_device | | keyword |
+| rsa.misc.rec_asp_num | | keyword |
+| rsa.misc.rec_library | | keyword |
+| rsa.misc.recordnum | | keyword |
+| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword |
+| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword |
+| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword |
+| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword |
+| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword |
+| rsa.misc.risk | This key captures the non-numeric risk value | keyword |
+| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword |
+| rsa.misc.risk_num | This key captures a Numeric Risk value | double |
+| rsa.misc.risk_num_comm | This key captures Risk Number Community | double |
+| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double |
+| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double |
+| rsa.misc.risk_num_static | This key captures Risk Number Static | double |
+| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword |
+| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword |
+| rsa.misc.ruid | | keyword |
+| rsa.misc.rule | This key captures the Rule number | keyword |
+| rsa.misc.rule_group | This key captures the Rule group name | keyword |
+| rsa.misc.rule_name | This key captures the Rule Name | keyword |
+| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword |
+| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword |
+| rsa.misc.sburb | | keyword |
+| rsa.misc.sdomain_fld | | keyword |
+| rsa.misc.search_text | This key captures the Search Text used | keyword |
+| rsa.misc.sec | | keyword |
+| rsa.misc.second | | keyword |
+| rsa.misc.sensor | This key captures Name of the sensor. Typically used in IDS/IPS based devices | keyword |
+| rsa.misc.sensorname | | keyword |
+| rsa.misc.seqnum | | keyword |
+| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword |
+| rsa.misc.session | | keyword |
+| rsa.misc.sessiontype | | keyword |
+| rsa.misc.severity | This key is used to capture the severity given the session | keyword |
+| rsa.misc.sigUUID | | keyword |
+| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long |
+| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long |
+| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword |
+| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword |
+| rsa.misc.sigcat | | keyword |
+| rsa.misc.snmp_oid | SNMP Object Identifier | keyword |
+| rsa.misc.snmp_value | SNMP set request value | keyword |
+| rsa.misc.space | | keyword |
+| rsa.misc.space1 | | keyword |
+| rsa.misc.spi | | keyword |
+| rsa.misc.spi_dst | Destination SPI Index | keyword |
+| rsa.misc.spi_src | Source SPI Index | keyword |
+| rsa.misc.sql | This key captures the SQL query | keyword |
+| rsa.misc.srcburb | | keyword |
+| rsa.misc.srcdom | | keyword |
+| rsa.misc.srcservice | | keyword |
+| rsa.misc.state | | keyword |
+| rsa.misc.status | | keyword |
+| rsa.misc.status1 | | keyword |
+| rsa.misc.streams | This key captures number of streams in session | long |
+| rsa.misc.subcategory | | keyword |
+| rsa.misc.svcno | | keyword |
+| rsa.misc.system | | keyword |
+| rsa.misc.tbdstr1 | | keyword |
+| rsa.misc.tbdstr2 | | keyword |
+| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long |
+| rsa.misc.terminal | This key captures the Terminal Names only | keyword |
+| rsa.misc.tgtdom | | keyword |
+| rsa.misc.tgtdomain | | keyword |
+| rsa.misc.threshold | | keyword |
+| rsa.misc.tos | This key describes the type of service | long |
+| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword |
+| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword |
+| rsa.misc.type | | keyword |
+| rsa.misc.type1 | | keyword |
+| rsa.misc.udb_class | | keyword |
+| rsa.misc.url_fld | | keyword |
+| rsa.misc.user_div | | keyword |
+| rsa.misc.userid | | keyword |
+| rsa.misc.username_fld | | keyword |
+| rsa.misc.utcstamp | | keyword |
+| rsa.misc.v_instafname | | keyword |
+| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword |
+| rsa.misc.virt_data | | keyword |
+| rsa.misc.virusname | This key captures the name of the virus | keyword |
+| rsa.misc.vm_target | VMWare Target **VMWARE** only varaible. | keyword |
+| rsa.misc.vpnid | | keyword |
+| rsa.misc.vsys | This key captures Virtual System Name | keyword |
+| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword |
+| rsa.misc.workspace | This key captures Workspace Description | keyword |
+| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword |
+| rsa.network.addr | | keyword |
+| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. | keyword |
+| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword |
+| rsa.network.dmask | This key is used for Destionation Device network mask | keyword |
+| rsa.network.dns_a_record | | keyword |
+| rsa.network.dns_cname_record | | keyword |
+| rsa.network.dns_id | | keyword |
+| rsa.network.dns_opcode | | keyword |
+| rsa.network.dns_ptr_record | | keyword |
+| rsa.network.dns_resp | | keyword |
+| rsa.network.dns_type | | keyword |
+| rsa.network.domain | | keyword |
+| rsa.network.domain1 | | keyword |
+| rsa.network.eth_host | Deprecated, use alias.mac | keyword |
+| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long |
+| rsa.network.faddr | | keyword |
+| rsa.network.fhost | | keyword |
+| rsa.network.fport | | keyword |
+| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword |
+| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword |
+| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword |
+| rsa.network.host_type | | keyword |
+| rsa.network.icmp_code | This key is used to capture the ICMP code only | long |
+| rsa.network.icmp_type | This key is used to capture the ICMP type only | long |
+| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword |
+| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long |
+| rsa.network.laddr | | keyword |
+| rsa.network.lhost | | keyword |
+| rsa.network.linterface | | keyword |
+| rsa.network.mask | This key is used to capture the device network IPmask. | keyword |
+| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. | keyword |
+| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long |
+| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword |
+| rsa.network.origin | | keyword |
+| rsa.network.packet_length | | keyword |
+| rsa.network.paddr | Deprecated | ip |
+| rsa.network.phost | | keyword |
+| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long |
+| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword |
+| rsa.network.remote_domain_id | | keyword |
+| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword |
+| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword |
+| rsa.network.smask | This key is used for capturing source Network Mask | keyword |
+| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long |
+| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword |
+| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword |
+| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword |
+| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword |
+| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword |
+| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. | keyword |
+| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword |
+| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword |
+| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword |
+| rsa.threat.alert | This key is used to capture name of the alert | keyword |
+| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword |
+| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword |
+| rsa.threat.threat_source | This key is used to capture source of the threat | keyword |
+| rsa.time.date | | keyword |
+| rsa.time.datetime | | keyword |
+| rsa.time.day | | keyword |
+| rsa.time.duration_str | A text string version of the duration | keyword |
+| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double |
+| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date |
+| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date |
+| rsa.time.event_queue_time | This key is the Time that the event was queued. | date |
+| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date |
+| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword |
+| rsa.time.eventtime | | keyword |
+| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date |
+| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. | keyword |
+| rsa.time.gmtdate | | keyword |
+| rsa.time.gmttime | | keyword |
+| rsa.time.hour | | keyword |
+| rsa.time.min | | keyword |
+| rsa.time.month | | keyword |
+| rsa.time.p_date | | keyword |
+| rsa.time.p_month | | keyword |
+| rsa.time.p_time | | keyword |
+| rsa.time.p_time1 | | keyword |
+| rsa.time.p_time2 | | keyword |
+| rsa.time.p_year | | keyword |
+| rsa.time.process_time | Deprecated, use duration.time | keyword |
+| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date |
+| rsa.time.stamp | Deprecated key defined only in table map. | date |
+| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date |
+| rsa.time.timestamp | | keyword |
+| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword |
+| rsa.time.tzone | | keyword |
+| rsa.time.year | | keyword |
+| rsa.web.alias_host | | keyword |
+| rsa.web.cn_asn_dst | | keyword |
+| rsa.web.cn_rpackets | | keyword |
+| rsa.web.fqdn | Fully Qualified Domain Names | keyword |
+| rsa.web.p_url | | keyword |
+| rsa.web.p_user_agent | | keyword |
+| rsa.web.p_web_cookie | | keyword |
+| rsa.web.p_web_method | | keyword |
+| rsa.web.p_web_referer | | keyword |
+| rsa.web.remote_domain | | keyword |
+| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double |
+| rsa.web.urlpage | | keyword |
+| rsa.web.urlroot | | keyword |
+| rsa.web.web_cookie | This key is used to capture the Web cookies specifically.
| keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | Server domain. | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | Source domain. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location.lat | | double | +| source.geo.location.lon | | double | +| source.ip | IP address of the source. Can be one or multiple IPv4 or IPv6 addresses. 
| ip | +| source.mac | MAC address of the source. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword | +| url.path | Path of the request, such as "/search". | keyword | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.id | Unique identifiers of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | diff --git a/packages/infoblox/0.1.0/img/logo.svg b/packages/infoblox/0.1.0/img/logo.svg new file mode 100644 index 0000000000..57b4d23b16 --- /dev/null +++ b/packages/infoblox/0.1.0/img/logo.svg @@ -0,0 +1,93 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/packages/infoblox/0.1.0/manifest.yml b/packages/infoblox/0.1.0/manifest.yml new file mode 100644 index 0000000000..204a9a56e5 --- /dev/null +++ b/packages/infoblox/0.1.0/manifest.yml 
@@ -0,0 +1,36 @@
+format_version: 1.0.0
+name: infoblox
+title: Infoblox NIOS
+version: 0.1.0
+description: Infoblox NIOS Integration
+categories: ["network"]
+release: experimental
+removable: true
+license: basic
+type: integration
+conditions:
+ kibana:
+ version: '>=7.9.0'
+ elasticsearch:
+ version: '>=7.9.0'
+config_templates:
+- name: nios
+ title: Infoblox NIOS
+ description: Collect Infoblox NIOS logs from syslog or a file.
+ inputs:
+ - type: udp
+ title: Collect logs from Infoblox NIOS via UDP
+ description: Collecting syslog from Infoblox NIOS via UDP
+ - type: tcp
+ title: Collect logs from Infoblox NIOS via TCP
+ description: Collecting syslog from Infoblox NIOS via TCP
+ - type: file
+ title: Collect logs from Infoblox NIOS via file
+ description: Collecting syslog from Infoblox NIOS via file.
+# No icon
+icons:
+ - src: /img/logo.svg
+ title: Infoblox NIOS logo
+ size: 32x32
+ type: image/svg+xml
+
diff --git a/packages/juniper/0.1.0/dataset/junos/agent/stream/stream.yml.hbs b/packages/juniper/0.1.0/dataset/junos/agent/stream/stream.yml.hbs
new file mode 100644
index 0000000000..36dd997722
--- /dev/null
+++ b/packages/juniper/0.1.0/dataset/junos/agent/stream/stream.yml.hbs
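Review bot: The `# No icon` comment placed directly above `icons:` in the new manifest contradicts the block it introduces, which registers `/img/logo.svg`, and the same commit adds `packages/infoblox/0.1.0/img/logo.svg`; it reads as a leftover from before the logo existed and should be dropped or replaced with `# Icon shown in the integrations catalog.`. The three input `description:` values also end inconsistently (`via UDP`, `via TCP` without a period, `via file.` with one), so I would align them, e.g. `description: Collecting syslog from Infoblox NIOS via file`.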
@@ -0,0 +1,12348 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Juniper" + product: "Junos" + type: "Routers" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{day->} %{time->} %{p0}"); + + var dup2 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); + + var dup3 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); + + var dup4 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); + + var dup5 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); + + var dup6 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); + + var dup7 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); + + var dup8 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); + + var dup9 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("messageid"), + constant(": "), + field("payload"), + ], + }); + + var dup10 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("["), + field("pid"), + constant("]: "), + field("messageid"), + constant(": "), + field("payload"), + ], + }); + + var dup11 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": "), + field("payload"), + ], + }); + + var dup12 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); + + var dup13 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); + + var dup14 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); + + var dup15 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); + + var dup16 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{payload}"); + + var dup17 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); + + var dup18 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("pid"), + constant("]: "), + field("payload"), + ], + }); + + var dup19 = setc("messageid","JUNOSROUTER_GENERIC"); + + var dup20 = 
setc("eventcategory","1605000000"); + + var dup21 = setf("msg","$MSG"); + + var dup22 = date_time({ + dest: "event_time", + args: ["month","day","time"], + fmts: [ + [dB,dF,dH,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup23 = setf("hostname","hhost"); + + var dup24 = setc("event_description","AUDIT"); + + var dup25 = setc("event_description","CRON command"); + + var dup26 = setc("eventcategory","1801030000"); + + var dup27 = setc("eventcategory","1801020000"); + + var dup28 = setc("eventcategory","1605010000"); + + var dup29 = setc("eventcategory","1603000000"); + + var dup30 = setc("event_description","Process mode"); + + var dup31 = setc("event_description","NTP Server Unreachable"); + + var dup32 = setc("eventcategory","1401060000"); + + var dup33 = setc("ec_theme","Authentication"); + + var dup34 = setc("ec_subject","User"); + + var dup35 = setc("ec_activity","Logon"); + + var dup36 = setc("ec_outcome","Success"); + + var dup37 = setc("event_description","rpd proceeding"); + + var dup38 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); + + var dup39 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); + + var dup40 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); + + var dup41 = setc("eventcategory","1701010000"); + + var dup42 = setc("ec_outcome","Failure"); + + var dup43 = setc("eventcategory","1401030000"); + + var dup44 = match("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "%{p0}"); + + var dup45 = setc("eventcategory","1803000000"); + + var dup46 = setc("event_type","VPN"); + + var dup47 = setc("eventcategory","1605020000"); + + var dup48 = setc("eventcategory","1602020000"); + + var dup49 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); + + var dup50 = setc("eventcategory","1603020000"); + + var dup51 = date_time({ + dest: "event_time", + args: ["hfld32"], + fmts: [ + 
[dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup52 = setc("ec_subject","NetworkComm"); + + var dup53 = setc("ec_activity","Create"); + + var dup54 = setc("ec_activity","Stop"); + + var dup55 = setc("event_description","Trap state change"); + + var dup56 = setc("event_description","peer NLRI mismatch"); + + var dup57 = setc("eventcategory","1605030000"); + + var dup58 = setc("eventcategory","1603010000"); + + var dup59 = setc("eventcategory","1606000000"); + + var dup60 = setf("hostname","hhostname"); + + var dup61 = date_time({ + dest: "event_time", + args: ["hfld6"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup62 = setc("eventcategory","1401050200"); + + var dup63 = setc("event_description","Memory allocation failed during initialization for configuration load"); + + var dup64 = setc("event_description","unable to run in the background as a daemon"); + + var dup65 = setc("event_description","Another copy of this program is running"); + + var dup66 = setc("event_description","Unable to lock PID file"); + + var dup67 = setc("event_description","Unable to update process PID file"); + + var dup68 = setc("eventcategory","1301000000"); + + var dup69 = setc("event_description","Command stopped"); + + var dup70 = setc("event_description","Unable to create pipes for command"); + + var dup71 = setc("event_description","Command exited"); + + var dup72 = setc("eventcategory","1603050000"); + + var dup73 = setc("eventcategory","1801010000"); + + var dup74 = setc("event_description","Login failure"); + + var dup75 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); + + var dup76 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); + + var dup77 = setc("event_description","Unable to open file"); + + var dup78 = setc("event_description","SNMP index assigned changed"); + + var dup79 = setc("eventcategory","1302000000"); + + var dup80 = 
setc("eventcategory","1001020300"); + + var dup81 = setc("event_description","PFE FW SYSLOG_IP"); + + var dup82 = setc("event_description","process_mode"); + + var dup83 = setc("event_description","Logical interface collision"); + + var dup84 = setc("event_description","excessive runtime time during action of module"); + + var dup85 = setc("event_description","Reinitializing"); + + var dup86 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); + + var dup87 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", "%{dport}\" connection-tag=%{fld20->} service-name=\"%{p0}"); + + var dup88 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", "%{dport}\" service-name=\"%{p0}"); + + var dup89 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", "%{dtransport}\" nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); + + var dup90 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_1", "nwparser.p0", "%{dtransport}\"%{p0}"); + + var dup91 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_1", "nwparser.p0", "%{dinterface}\"%{p0}"); + + var dup92 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); + + var dup93 = setc("eventcategory","1803010000"); + + var dup94 = setc("ec_activity","Deny"); + + var dup95 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied%{p0}"); + + var dup96 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied%{p0}"); + + var dup97 = setc("event_description","session denied"); + + var dup98 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" 
destination-port=\"%{p0}"); + + var dup99 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{p0}"); + + var dup100 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); + + var dup101 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{rule_template}\"%{p0}"); + + var dup102 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_1", "nwparser.p0", "name=\"%{rule_template}\"%{p0}"); + + var dup103 = setc("dclass_counter1_string","No.of packets from client"); + + var dup104 = setc("event_description","SNMPD AUTH FAILURE"); + + var dup105 = setc("event_description","send send-type (index1) failure"); + + var dup106 = setc("event_description","SNMP trap error"); + + var dup107 = setc("event_description","SNMP TRAP LINK DOWN"); + + var dup108 = setc("event_description","SNMP TRAP LINK UP"); + + var dup109 = setc("event_description","Login Failure"); + + var dup110 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); + + var dup111 = setc("eventcategory","1701020000"); + + var dup112 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); + + var dup113 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "%{}-> \"%{change_new}\""); + + var dup114 = setc("event_description","User set command"); + + var dup115 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); + + var dup116 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); + + var dup117 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); 
+ + var dup118 = setc("event_description","User set groups to secret"); + + var dup119 = setc("event_description","UI CMDLINE READ LINE"); + + var dup120 = setc("event_description","User commit"); + + var dup121 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); + + var dup122 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); + + var dup123 = setc("eventcategory","1401070000"); + + var dup124 = setc("ec_activity","Logoff"); + + var dup125 = setc("event_description","Successful login"); + + var dup126 = setf("hostname","hostip"); + + var dup127 = setc("event_description","TACACS+ failure"); + + var dup128 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); + + var dup129 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); + + var dup130 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); + + var dup131 = setc("eventcategory","1003010000"); + + var dup132 = setc("eventcategory","1901000000"); + + var dup133 = linear_select([ + dup12, + dup13, + dup14, + dup15, + ]); + + var dup134 = linear_select([ + dup39, + dup40, + ]); + + var dup135 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ + dup20, + dup21, + dup55, + dup22, + ])); + + var dup136 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ + dup50, + dup21, + dup63, + dup22, + ])); + + var dup137 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ + dup29, + dup21, + dup64, + dup22, + ])); + + var dup138 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ + dup29, + dup21, + dup65, + dup22, + ])); + + var dup139 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ + dup29, + dup21, + dup66, + dup22, + ])); + + var dup140 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ + dup29, + dup21, + dup67, + dup22, + ])); + + var dup141 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + dup70, + dup22, + ])); + + var dup142 = linear_select([ + dup75, + dup76, + ]); + + var dup143 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ + dup29, + dup21, + dup78, + dup22, + ])); + + var dup144 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ + dup29, + dup21, + dup83, + dup22, + ])); + + var dup145 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ + dup29, + dup21, + dup84, + dup22, + ])); + + var dup146 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ + dup20, + dup21, + dup85, + dup22, + ])); + + var dup147 = linear_select([ + dup87, + dup88, + ]); + + var dup148 = linear_select([ + dup89, + dup90, + ]); + + var dup149 = linear_select([ + dup95, 
+ dup96, + ]); + + var dup150 = linear_select([ + dup101, + dup102, + ]); + + var dup151 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var dup152 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ + dup26, + dup21, + dup51, + ])); + + var dup153 = linear_select([ + dup116, + dup117, + ]); + + var dup154 = linear_select([ + dup121, + dup122, + ]); + + var dup155 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var dup156 = match("MESSAGE#747:cli", 
"nwparser.payload", "%{fld12}", processor_chain([ + dup47, + dup46, + dup22, + dup21, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%{month->} %{day->} %{time->} %{messageid}: restart %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": restart "), + field("payload"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{month->} %{day->} %{time->} %{messageid->} message repeated %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" message repeated "), + field("payload"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "%{month->} %{day->} %{time->} ssb %{messageid}(%{hfld1}): %{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("("), + field("hfld1"), + constant("): "), + field("payload"), + ], + }), + ])); + + var part1 = match("HEADER#3:0004/1_6", "nwparser.p0", "fpc6 %{p0}"); + + var part2 = match("HEADER#3:0004/1_7", "nwparser.p0", "fpc7 %{p0}"); + + var part3 = match("HEADER#3:0004/1_8", "nwparser.p0", "fpc8 %{p0}"); + + var part4 = match("HEADER#3:0004/1_9", "nwparser.p0", "fpc9 %{p0}"); + + var part5 = match("HEADER#3:0004/1_10", "nwparser.p0", "cfeb %{p0}"); + + var select1 = linear_select([ + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + part1, + part2, + part3, + part4, + part5, + dup8, + ]); + + var part6 = match("HEADER#3:0004/2", "nwparser.p0", "%{} %{messageid}: %{payload}"); + + var all1 = all_match({ + processors: [ + dup1, + select1, + part6, + ], + on_success: processor_chain([ + setc("header_id","0004"), + ]), + }); + + var select2 = linear_select([ + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + ]); + + var part7 = match("HEADER#4:0005/2", "nwparser.p0", "%{} %{messageid->} %{payload}"); 
+ + var all2 = all_match({ + processors: [ + dup1, + select2, + part7, + ], + on_success: processor_chain([ + setc("header_id","0005"), + ]), + }); + + var hdr4 = match("HEADER#5:0007", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2}[%{hpid}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0007"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant("["), + field("hpid"), + constant("]: "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), + ])); + + var hdr5 = match("HEADER#6:0008", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}[%{hpid}]: %{payload}", processor_chain([ + setc("header_id","0008"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hpid"), + constant("]: "), + field("payload"), + ], + }), + ])); + + var hdr6 = match("HEADER#7:0009", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} IFP trace> %{messageid}: %{payload}", processor_chain([ + setc("header_id","0009"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" IFP trace> "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), + ])); + + var hdr7 = match("HEADER#8:0010", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0010"), + dup9, + ])); + + var hdr8 = match("HEADER#9:0029", "message", "%{month->} %{day->} %{time->} %{hostip->} %{hfld1}[%{pid}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0029"), + dup10, + ])); + + var hdr9 = match("HEADER#10:0015", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0015"), + dup10, + ])); + + var hdr10 = match("HEADER#11:0011", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{messageid}: %{payload}", 
processor_chain([ + setc("header_id","0011"), + dup9, + ])); + + var hdr11 = match("HEADER#12:0027", "message", "%{month->} %{day->} %{time->} %{hhostname->} RT_FLOW: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0027"), + dup11, + ])); + + var hdr12 = match("HEADER#13:0012", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0012"), + dup11, + ])); + + var hdr13 = match("HEADER#14:0013", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hfld32->} %{hhostname->} RT_FLOW - %{messageid->} [%{payload}", processor_chain([ + setc("header_id","0013"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" ["), + field("payload"), + ], + }), + ])); + + var hdr14 = match("HEADER#15:0026.upd.a/0", "message", "%{hfld1->} %{event_time->} %{hfld32->} %{hhostname->} %{p0}"); + + var all3 = all_match({ + processors: [ + hdr14, + dup133, + dup16, + ], + on_success: processor_chain([ + setc("header_id","0026.upd.a"), + ]), + }); + + var all4 = all_match({ + processors: [ + dup17, + dup133, + dup16, + ], + on_success: processor_chain([ + setc("header_id","0026.upd.b"), + ]), + }); + + var all5 = all_match({ + processors: [ + dup17, + dup133, + dup16, + ], + on_success: processor_chain([ + setc("header_id","0026"), + ]), + }); + + var hdr15 = match("HEADER#18:0014", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}[%{hpid}]: %{payload}", processor_chain([ + setc("header_id","0014"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("["), + field("pid"), + constant("]: "), + field("messageid"), + constant("["), + field("hpid"), + constant("]: "), + field("payload"), + ], + }), + ])); + + var hdr16 = match("HEADER#19:0016", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0016"), + call({ + dest: "nwparser.payload", 
+ fn: STRCAT, + args: [ + field("hfld1"), + constant(": "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), + ])); + + var hdr17 = match("HEADER#20:0017", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0017"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("["), + field("pid"), + constant("]: "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr18 = match("HEADER#21:0018", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0018"), + dup18, + ])); + + var hdr19 = match("HEADER#22:0028", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0028"), + dup18, + ])); + + var hdr20 = match("HEADER#23:0019", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0019"), + dup11, + ])); + + var hdr21 = match("HEADER#24:0020", "message", "%{month->} %{day->} %{time->} %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0020"), + dup18, + ])); + + var hdr22 = match("HEADER#25:0021", "message", "%{month->} %{day->} %{time->} /%{messageid}: %{payload}", processor_chain([ + setc("header_id","0021"), + dup11, + ])); + + var hdr23 = match("HEADER#26:0022", "message", "%{month->} %{day->} %{time->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0022"), + dup11, + ])); + + var hdr24 = match("HEADER#27:0023", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0023"), + dup18, + ])); + + var hdr25 = match("HEADER#28:0024", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0024"), + dup11, + 
])); + + var hdr26 = match("HEADER#29:0025", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{hfld2->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0025"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr27 = match("HEADER#30:0031", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0031"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr28 = match("HEADER#31:0032", "message", "%{month->} %{day->} %{time->} %{hostip->} (%{hfld1}) %{hfld2->} %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0032"), + dup18, + ])); + + var hdr29 = match("HEADER#32:0033", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0033"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant(" "), + field("hhostname"), + constant(" "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), + ])); + + var hdr30 = match("HEADER#33:3336", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","3336"), + ])); + + var hdr31 = match("HEADER#34:3339", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid->} %{payload}", processor_chain([ + setc("header_id","3339"), + ])); + + var hdr32 = match("HEADER#35:3337", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","3337"), + ])); + + var hdr33 = match("HEADER#36:3341", "message", "%{hfld1->} %{hfld6->} %{hhostname->} %{hfld2->} %{hfld3->} %{messageid->} 
%{payload}", processor_chain([ + setc("header_id","3341"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("hfld3"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr34 = match("HEADER#37:3338", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","3338"), + ])); + + var hdr35 = match("HEADER#38:3340/0", "message", "%{month->} %{day->} %{time->} %{hhost->} node%{p0}"); + + var part8 = match("HEADER#38:3340/1_0", "nwparser.p0", "%{hfld1}.fpc%{hfld2}.pic%{hfld3->} %{p0}"); + + var part9 = match("HEADER#38:3340/1_1", "nwparser.p0", "%{hfld1}.fpc%{hfld2->} %{p0}"); + + var select3 = linear_select([ + part8, + part9, + ]); + + var part10 = match("HEADER#38:3340/2", "nwparser.p0", "%{} %{payload}"); + + var all6 = all_match({ + processors: [ + hdr35, + select3, + part10, + ], + on_success: processor_chain([ + setc("header_id","3340"), + setc("messageid","node"), + ]), + }); + + var hdr36 = match("HEADER#39:9997/0_0", "message", "mgd[%{p0}"); + + var hdr37 = match("HEADER#39:9997/0_1", "message", "rpd[%{p0}"); + + var hdr38 = match("HEADER#39:9997/0_2", "message", "dcd[%{p0}"); + + var select4 = linear_select([ + hdr36, + hdr37, + hdr38, + ]); + + var part11 = match("HEADER#39:9997/1", "nwparser.p0", "%{process_id}]:%{payload}"); + + var all7 = all_match({ + processors: [ + select4, + part11, + ], + on_success: processor_chain([ + setc("header_id","9997"), + dup19, + ]), + }); + + var hdr39 = match("HEADER#40:9995", "message", "%{month->} %{day->} %{time->} %{hhost->} %{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]:%{payload}", processor_chain([ + setc("header_id","9995"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld3"), + constant("]:"), + field("payload"), + ], + }), + ])); + + var hdr40 = match("HEADER#41:9994", "message", 
"%{month->} %{day->} %{time->} %{hfld2->} %{hfld1->} qsfp %{payload}", processor_chain([ + setc("header_id","9994"), + setc("messageid","qsfp"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("hfld1"), + constant(" qsfp "), + field("payload"), + ], + }), + ])); + + var hdr41 = match("HEADER#42:9999", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{hevent_type}: %{payload}", processor_chain([ + setc("header_id","9999"), + dup19, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hevent_type"), + constant(": "), + field("payload"), + ], + }), + ])); + + var hdr42 = match("HEADER#43:9998", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{process}: %{payload}", processor_chain([ + setc("header_id","9998"), + dup19, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("process"), + constant(": "), + field("payload"), + ], + }), + ])); + + var select5 = linear_select([ + hdr1, + hdr2, + hdr3, + all1, + all2, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, + hdr10, + hdr11, + hdr12, + hdr13, + all3, + all4, + all5, + hdr15, + hdr16, + hdr17, + hdr18, + hdr19, + hdr20, + hdr21, + hdr22, + hdr23, + hdr24, + hdr25, + hdr26, + hdr27, + hdr28, + hdr29, + hdr30, + hdr31, + hdr32, + hdr33, + hdr34, + all6, + all7, + hdr39, + hdr40, + hdr41, + hdr42, + ]); + + var part12 = match("MESSAGE#0:/usr/sbin/sshd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","sshd exit status"), + dup22, + ])); + + var msg1 = msg("/usr/sbin/sshd", part12); + + var part13 = match("MESSAGE#1:/usr/libexec/telnetd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","telnetd exit status"), + dup22, + ])); + + var msg2 = 
msg("/usr/libexec/telnetd", part13); + + var part14 = match("MESSAGE#2:alarmd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License color=%{severity}, class=%{device}, reason=%{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Alarm Set or Cleared"), + dup22, + ])); + + var msg3 = msg("alarmd", part14); + + var part15 = match("MESSAGE#3:bigd", "nwparser.payload", "%{process}: Node detected UP for %{node}", processor_chain([ + dup20, + dup21, + setc("event_description","Node detected UP"), + dup22, + ])); + + var msg4 = msg("bigd", part15); + + var part16 = match("MESSAGE#4:bigd:01", "nwparser.payload", "%{process}: Monitor template id is %{id}", processor_chain([ + dup20, + dup21, + setc("event_description","Monitor template id"), + dup22, + ])); + + var msg5 = msg("bigd:01", part16); + + var select6 = linear_select([ + msg4, + msg5, + ]); + + var part17 = match("MESSAGE#5:bigpipe", "nwparser.payload", "%{process}: Loading the configuration file %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","Loading configuration file"), + dup22, + ])); + + var msg6 = msg("bigpipe", part17); + + var part18 = match("MESSAGE#6:bigpipe:01", "nwparser.payload", "%{process}: Begin config install operation %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","Begin config install operation"), + dup22, + ])); + + var msg7 = msg("bigpipe:01", part18); + + var part19 = match("MESSAGE#7:bigpipe:02", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ + dup20, + dup21, + setc("event_description","Audit"), + dup22, + ])); + + var msg8 = msg("bigpipe:02", part19); + + var select7 = linear_select([ + msg6, + msg7, + msg8, + ]); + + var part20 = match("MESSAGE#8:bigstart", "nwparser.payload", "%{process}: shutdown %{service}", processor_chain([ + dup20, + dup21, + setc("event_description","portal shutdown"), + dup22, + ])); + + var msg9 = msg("bigstart", 
part20); + + var part21 = match("MESSAGE#9:cgatool", "nwparser.payload", "%{process}: %{event_type}: generated address is %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","cga address genration"), + dup22, + ])); + + var msg10 = msg("cgatool", part21); + + var part22 = match("MESSAGE#10:chassisd:01", "nwparser.payload", "%{process}[%{process_id}]:%{fld12}", processor_chain([ + dup20, + dup21, + dup22, + dup23, + ])); + + var msg11 = msg("chassisd:01", part22); + + var part23 = match("MESSAGE#11:checkd", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ + dup20, + dup21, + dup24, + dup22, + ])); + + var msg12 = msg("checkd", part23); + + var part24 = match("MESSAGE#12:checkd:01", "nwparser.payload", "%{process}: exiting", processor_chain([ + dup20, + dup21, + setc("event_description","checkd exiting"), + dup22, + ])); + + var msg13 = msg("checkd:01", part24); + + var select8 = linear_select([ + msg12, + msg13, + ]); + + var part25 = match("MESSAGE#13:cosd", "nwparser.payload", "%{process}[%{process_id}]: link protection %{dclass_counter1->} for intf %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","link protection for interface"), + dup22, + ])); + + var msg14 = msg("cosd", part25); + + var part26 = match("MESSAGE#14:craftd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}, %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","License expiration warning"), + dup22, + ])); + + var msg15 = msg("craftd", part26); + + var part27 = match("MESSAGE#15:CRON/0", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{p0}"); + + var part28 = match("MESSAGE#15:CRON/1_0", "nwparser.p0", "CMD (%{result}) "); + + var part29 = match("MESSAGE#15:CRON/1_1", "nwparser.p0", "cmd='%{result}' "); + + var select9 = linear_select([ + part28, + part29, + ]); + + var all8 = all_match({ + processors: [ + part27, + select9, + ], + on_success: 
processor_chain([ + dup20, + dup21, + dup25, + dup22, + ]), + }); + + var msg16 = msg("CRON", all8); + + var part30 = match("MESSAGE#16:Cmerror/0_0", "nwparser.payload", "%{hostname->} %{node}Cmerror: Level%{level}count increment %{dclass_counter1->} %{fld1}"); + + var part31 = match("MESSAGE#16:Cmerror/0_1", "nwparser.payload", "%{fld2}"); + + var select10 = linear_select([ + part30, + part31, + ]); + + var all9 = all_match({ + processors: [ + select10, + ], + on_success: processor_chain([ + dup20, + dup22, + dup21, + ]), + }); + + var msg17 = msg("Cmerror", all9); + + var part32 = match("MESSAGE#17:cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{action->} (%(unknown))", processor_chain([ + dup20, + dup21, + setc("event_description","cron RELOAD"), + dup22, + ])); + + var msg18 = msg("cron", part32); + + var part33 = match("MESSAGE#18:CROND", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ + dup20, + dup21, + dup22, + dup23, + ])); + + var msg19 = msg("CROND", part33); + + var part34 = match("MESSAGE#20:CROND:02", "nwparser.payload", "%{process}[%{process_id}]: pam_unix(crond:session): session closed for user %{username}", processor_chain([ + dup26, + dup21, + dup22, + dup23, + ])); + + var msg20 = msg("CROND:02", part34); + + var select11 = linear_select([ + msg19, + msg20, + ]); + + var part35 = match("MESSAGE#19:crond:01", "nwparser.payload", "%{process}[%{process_id}]: pam_unix(crond:session): session opened for user %{username->} by (uid=%{uid})", processor_chain([ + dup27, + dup21, + dup22, + dup23, + ])); + + var msg21 = msg("crond:01", part35); + + var part36 = match("MESSAGE#21:dcd", "nwparser.payload", "%{process}[%{process_id}]: %{result->} Setting ignored, %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Setting ignored"), + dup22, + ])); + + var msg22 = msg("dcd", part36); + + var part37 = match("MESSAGE#22:EVENT/0", "nwparser.payload", 
"%{process}[%{process_id}]: EVENT %{event_type->} %{interface->} index %{resultcode->} %{p0}"); + + var part38 = match("MESSAGE#22:EVENT/1_0", "nwparser.p0", "%{saddr->} -> %{daddr->} \u003c\u003c%{result}> "); + + var part39 = match("MESSAGE#22:EVENT/1_1", "nwparser.p0", "\u003c\u003c%{result}> "); + + var select12 = linear_select([ + part38, + part39, + ]); + + var all10 = all_match({ + processors: [ + part37, + select12, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","EVENT"), + dup22, + ]), + }); + + var msg23 = msg("EVENT", all10); + + var part40 = match("MESSAGE#23:ftpd", "nwparser.payload", "%{process}[%{process_id}]: connection from %{saddr->} (%{shost})", processor_chain([ + setc("eventcategory","1802000000"), + dup21, + setc("event_description","ftpd connection"), + dup22, + ])); + + var msg24 = msg("ftpd", part40); + + var part41 = match("MESSAGE#24:ha_rto_stats_handler", "nwparser.payload", "%{hostname->} %{node}ha_rto_stats_handler:%{fld12}", processor_chain([ + dup28, + dup22, + dup21, + ])); + + var msg25 = msg("ha_rto_stats_handler", part41); + + var part42 = match("MESSAGE#25:hostinit", "nwparser.payload", "%{process}: %{obj_name->} -- LDAP Connection not bound correctly. 
%{info}", processor_chain([ + dup20, + dup21, + setc("event_description","LDAP Connection not bound correctly"), + dup22, + ])); + + var msg26 = msg("hostinit", part42); + + var part43 = match("MESSAGE#26:ifinfo", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Added entry - %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","PIC_INFO debug - Added entry"), + dup22, + ])); + + var msg27 = msg("ifinfo", part43); + + var part44 = match("MESSAGE#27:ifinfo:01", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Initializing spu listtype %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","PIC_INFO debug Initializing spu"), + dup22, + ])); + + var msg28 = msg("ifinfo:01", part44); + + var part45 = match("MESSAGE#28:ifinfo:02", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","PIC_INFO debug delete from list"), + dup22, + ])); + + var msg29 = msg("ifinfo:02", part45); + + var select13 = linear_select([ + msg27, + msg28, + msg29, + ]); + + var part46 = match("MESSAGE#29:ifp_ifl_anydown_change_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL anydown change event: \"%{event_type}\"", processor_chain([ + dup20, + dup21, + setc("event_description","IFL anydown change event"), + dup22, + ])); + + var msg30 = msg("ifp_ifl_anydown_change_event", part46); + + var part47 = match("MESSAGE#30:ifp_ifl_config_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL config: \"%(unknown)\"", processor_chain([ + dup20, + dup21, + setc("event_description","ifp ifl config_event"), + dup22, + ])); + + var msg31 = msg("ifp_ifl_config_event", part47); + + var part48 = match("MESSAGE#31:ifp_ifl_ext_chg", "nwparser.payload", "%{node->} %{process}: ifp ext piid %{parent_pid->} zone_id %{zone}", processor_chain([ + dup20, + dup21, + setc("event_description","ifp_ifl_ext_chg"), + dup22, + ])); + + var msg32 = 
msg("ifp_ifl_ext_chg", part48); + + var part49 = match("MESSAGE#32:inetd", "nwparser.payload", "%{process}[%{process_id}]: %{protocol->} from %{saddr->} exceeded counts/min (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","connection exceeded count limit"), + dup22, + ])); + + var msg33 = msg("inetd", part49); + + var part50 = match("MESSAGE#33:inetd:01", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exited, status %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","exited"), + dup22, + ])); + + var msg34 = msg("inetd:01", part50); + + var select14 = linear_select([ + msg33, + msg34, + ]); + + var part51 = match("MESSAGE#34:init:04", "nwparser.payload", "%{process}: %{event_type->} current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ + dup20, + dup21, + dup30, + dup22, + ])); + + var msg35 = msg("init:04", part51); + + var part52 = match("MESSAGE#35:init", "nwparser.payload", "%{process}: %{event_type->} mode=%{protocol->} cmd=%{action->} master_mode=%{result}", processor_chain([ + dup20, + dup21, + dup30, + dup22, + ])); + + var msg36 = msg("init", part52); + + var part53 = match("MESSAGE#36:init:01", "nwparser.payload", "%{process}: failure target for routing set to %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","failure target for routing set"), + dup22, + ])); + + var msg37 = msg("init:01", part53); + + var part54 = match("MESSAGE#37:init:02", "nwparser.payload", "%{process}: ntp (PID %{child_pid}) started", processor_chain([ + dup20, + dup21, + setc("event_description","ntp started"), + dup22, + ])); + + var msg38 = msg("init:02", part54); + + var part55 = match("MESSAGE#38:init:03", "nwparser.payload", "%{process}: product mask %{info->} model %{dclass_counter1}", processor_chain([ + dup20, + dup21, + setc("event_description","product mask and model info"), + dup22, + ])); + + var msg39 = msg("init:03", part55); + + var select15 
= linear_select([ + msg35, + msg36, + msg37, + msg38, + msg39, + ]); + + var part56 = match("MESSAGE#39:ipc_msg_write", "nwparser.payload", "%{node->} %{process}: IPC message type: %{event_type}, subtype: %{resultcode->} exceeds MTU, mtu %{dclass_counter1}, length %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","IPC message exceeds MTU"), + dup22, + ])); + + var msg40 = msg("ipc_msg_write", part56); + + var part57 = match("MESSAGE#40:connection_established", "nwparser.payload", "%{process}: %{service}: conn established: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2}", processor_chain([ + dup27, + dup21, + setc("event_description","listener connection established"), + dup22, + ])); + + var msg41 = msg("connection_established", part57); + + var part58 = match("MESSAGE#41:connection_dropped/0", "nwparser.payload", "%{process}: %{p0}"); + + var part59 = match("MESSAGE#41:connection_dropped/1_0", "nwparser.p0", "%{result}, connection dropped - src %{saddr}:%{sport->} dest %{daddr}:%{dport->} "); + + var part60 = match("MESSAGE#41:connection_dropped/1_1", "nwparser.p0", "%{result}: conn dropped: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2->} "); + + var select16 = linear_select([ + part59, + part60, + ]); + + var all11 = all_match({ + processors: [ + part58, + select16, + ], + on_success: processor_chain([ + dup26, + dup21, + setc("event_description","connection dropped"), + dup22, + ]), + }); + + var msg42 = msg("connection_dropped", all11); + + var part61 = match("MESSAGE#42:kernel", "nwparser.payload", "%{process}: %{interface}: Asserting SONET alarm(s) %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Asserting SONET alarm(s)"), + dup22, + ])); + + var msg43 = msg("kernel", part61); + + var part62 = match("MESSAGE#43:kernel:01", "nwparser.payload", "%{process}: %{interface->} down: %{result}.", processor_chain([ + dup20, + dup21, + setc("event_description","interface down"), + 
dup22, + ])); + + var msg44 = msg("kernel:01", part62); + + var part63 = match("MESSAGE#44:kernel:02", "nwparser.payload", "%{process}: %{interface}: loopback suspected; %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","loopback suspected om interface"), + dup22, + ])); + + var msg45 = msg("kernel:02", part63); + + var part64 = match("MESSAGE#45:kernel:03", "nwparser.payload", "%{process}: %{service}: soreceive() error %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","soreceive error"), + dup22, + ])); + + var msg46 = msg("kernel:03", part64); + + var part65 = match("MESSAGE#46:kernel:04", "nwparser.payload", "%{process}: %{service->} !VALID(state 4)->%{result}", processor_chain([ + dup20, + dup21, + setc("event_description","pfe_peer_alloc state 4"), + dup22, + ])); + + var msg47 = msg("kernel:04", part65); + + var part66 = match("MESSAGE#47:kernel:05", "nwparser.payload", "%{fld1->} %{hostip->} (%{fld2}) %{fld3->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ + dup20, + dup21, + dup31, + dup22, + ])); + + var msg48 = msg("kernel:05", part66); + + var part67 = match("MESSAGE#48:kernel:06", "nwparser.payload", "%{fld1->} %{hostip->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ + dup20, + dup21, + dup31, + dup22, + ])); + + var msg49 = msg("kernel:06", part67); + + var select17 = linear_select([ + msg41, + msg42, + msg43, + msg44, + msg45, + msg46, + msg47, + msg48, + msg49, + ]); + + var part68 = match("MESSAGE#49:successful_login", "nwparser.payload", "%{process}: login from %{saddr->} on %{interface->} as %{username}", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","successful user login"), + dup22, + ])); + + var msg50 = msg("successful_login", part68); + + var part69 = match("MESSAGE#50:login_attempt", "nwparser.payload", "%{process}: Login attempt for user %{username->} from host %{hostip}", processor_chain([ 
+ dup32, + dup33, + dup34, + dup35, + dup21, + setc("event_description","user login attempt"), + dup22, + ])); + + var msg51 = msg("login_attempt", part69); + + var part70 = match("MESSAGE#51:login", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ + dup32, + dup33, + dup36, + dup21, + setc("event_description","PAM module return from login"), + dup22, + ])); + + var msg52 = msg("login", part70); + + var select18 = linear_select([ + msg50, + msg51, + msg52, + ]); + + var part71 = match("MESSAGE#52:lsys_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing lsys root-logical-system %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","processing lsys root-logical-system"), + dup22, + ])); + + var msg53 = msg("lsys_ssam_handler", part71); + + var part72 = match("MESSAGE#53:mcsn", "nwparser.payload", "%{process}[%{process_id}]: Removing mif from group [%{group}] %{space->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Removing mif from group"), + dup22, + ])); + + var msg54 = msg("mcsn", part72); + + var part73 = match("MESSAGE#54:mrvl_dfw_log_effuse_status", "nwparser.payload", "%{process}: Firewall rows could not be redirected on device %{device}.", processor_chain([ + dup29, + dup21, + setc("event_description","Firewall rows could not be redirected on device"), + dup22, + ])); + + var msg55 = msg("mrvl_dfw_log_effuse_status", part73); + + var part74 = match("MESSAGE#55:MRVL-L2", "nwparser.payload", "%{process}:%{action}(),%{process_id}:MFilter (%{filter}) already exists", processor_chain([ + dup29, + dup21, + setc("event_description","mfilter already exists for add"), + dup22, + ])); + + var msg56 = msg("MRVL-L2", part74); + + var part75 = match("MESSAGE#56:profile_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing profile SP-root %{info}", processor_chain([ + dup20, + dup21, + 
setc("event_description","processing profile SP-root"), + dup22, + ])); + + var msg57 = msg("profile_ssam_handler", part75); + + var part76 = match("MESSAGE#57:pst_nat_binding_set_profile", "nwparser.payload", "%{node->} %{process}: %{event_source}: can't get resource bucket %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","can't get resource bucket"), + dup22, + ])); + + var msg58 = msg("pst_nat_binding_set_profile", part76); + + var part77 = match("MESSAGE#58:task_reconfigure", "nwparser.payload", "%{process}[%{process_id}]: task_reconfigure %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","reinitializing done"), + dup22, + ])); + + var msg59 = msg("task_reconfigure", part77); + + var part78 = match("MESSAGE#59:tnetd/0_0", "nwparser.payload", "%{process}[%{process_id}]:%{service}[%{fld1}]: exit status%{resultcode->} "); + + var part79 = match("MESSAGE#59:tnetd/0_1", "nwparser.payload", "%{fld3}"); + + var select19 = linear_select([ + part78, + part79, + ]); + + var all12 = all_match({ + processors: [ + select19, + ], + on_success: processor_chain([ + dup20, + dup21, + dup22, + dup23, + ]), + }); + + var msg60 = msg("tnetd", all12); + + var part80 = match("MESSAGE#60:PFEMAN", "nwparser.payload", "%{process}: Session manager active", processor_chain([ + dup20, + dup21, + setc("event_description","Session manager active"), + dup22, + ])); + + var msg61 = msg("PFEMAN", part80); + + var part81 = match("MESSAGE#61:mgd", "nwparser.payload", "%{process}[%{process_id}]: Could not send message to %{service}", processor_chain([ + dup29, + dup21, + setc("event_description","Could not send message to service"), + dup22, + ])); + + var msg62 = msg("mgd", part81); + + var part82 = match("MESSAGE#62:Resolve", "nwparser.payload", "Resolve request came for an address matching on Wrong nh nh:%{result}, %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Resolve request came for an address matching on 
Wrong nh"), + dup22, + ])); + + var msg63 = msg("Resolve", part82); + + var part83 = match("MESSAGE#63:respawn", "nwparser.payload", "%{process}: %{service->} exited with status = %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","service exited with status"), + dup22, + ])); + + var msg64 = msg("respawn", part83); + + var part84 = match("MESSAGE#64:root", "nwparser.payload", "%{process}: %{node}: This system does not have 3-DNS or Link Controller enabled", processor_chain([ + dup29, + dup21, + setc("event_description","system does not have 3-DNS or Link Controller enabled"), + dup22, + ])); + + var msg65 = msg("root", part84); + + var part85 = match("MESSAGE#65:rpd", "nwparser.payload", "%{process}[%{process_id}]: Received %{result->} for intf device %{interface}; mc_ae_id %{dclass_counter1}, status %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","Received data for interface"), + dup22, + ])); + + var msg66 = msg("rpd", part85); + + var part86 = match("MESSAGE#66:rpd:01", "nwparser.payload", "%{process}[%{process_id}]: RSVP neighbor %{daddr->} up on interface %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","RSVP neighbor up on interface "), + dup22, + ])); + + var msg67 = msg("rpd:01", part86); + + var part87 = match("MESSAGE#67:rpd:02", "nwparser.payload", "%{process}[%{process_id}]: %{saddr->} (%{shost}): reseting pending active connection", processor_chain([ + dup20, + dup21, + setc("event_description","reseting pending active connection"), + dup22, + ])); + + var msg68 = msg("rpd:02", part87); + + var part88 = match("MESSAGE#68:rpd_proceeding", "nwparser.payload", "%{process}: proceeding. 
%{param}", processor_chain([ + dup20, + dup21, + dup37, + dup22, + ])); + + var msg69 = msg("rpd_proceeding", part88); + + var select20 = linear_select([ + msg66, + msg67, + msg68, + msg69, + ]); + + var part89 = match("MESSAGE#69:rshd", "nwparser.payload", "%{process}[%{process_id}]: %{username->} as root: cmd='%{action}'", processor_chain([ + dup20, + dup21, + setc("event_description","user issuing command as root"), + dup22, + ])); + + var msg70 = msg("rshd", part89); + + var part90 = match("MESSAGE#70:sfd", "nwparser.payload", "%{process}: Waiting on accept", processor_chain([ + dup20, + dup21, + setc("event_description","sfd waiting on accept"), + dup22, + ])); + + var msg71 = msg("sfd", part90); + + var part91 = match("MESSAGE#71:sshd", "nwparser.payload", "%{process}[%{process_id}]: Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol}", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","Accepted password"), + dup22, + ])); + + var msg72 = msg("sshd", part91); + + var part92 = match("MESSAGE#73:sshd:02", "nwparser.payload", "%{process}[%{process_id}]: Received disconnect from %{shost}: %{fld1}: %{result}", processor_chain([ + dup26, + dup21, + setc("event_description","Received disconnect"), + dup22, + ])); + + var msg73 = msg("sshd:02", part92); + + var part93 = match("MESSAGE#74:sshd:03", "nwparser.payload", "%{process}[%{process_id}]: Did not receive identification string from %{saddr}", processor_chain([ + dup29, + dup21, + setc("result","no identification string"), + setc("event_description","Did not receive identification string from peer"), + dup22, + ])); + + var msg74 = msg("sshd:03", part93); + + var part94 = match("MESSAGE#75:sshd:04", "nwparser.payload", "%{process}[%{process_id}]: Could not write ident string to %{dhost}", processor_chain([ + dup29, + dup21, + setc("event_description","Could not write ident string"), + dup22, + ])); + + var msg75 = msg("sshd:04", part94); 
+ + var part95 = match("MESSAGE#76:sshd:05", "nwparser.payload", "%{process}[%{process_id}]: subsystem request for netconf", processor_chain([ + dup20, + dup21, + setc("event_description","subsystem request for netconf"), + dup22, + ])); + + var msg76 = msg("sshd:05", part95); + + var part96 = match("MESSAGE#77:sshd:06/2", "nwparser.p0", "%{}sendmsg to %{saddr}(%{shost}).%{sport}: %{info}"); + + var all13 = all_match({ + processors: [ + dup38, + dup134, + part96, + ], + on_success: processor_chain([ + dup28, + dup21, + setc("event_description","send message stats"), + dup22, + ]), + }); + + var msg77 = msg("sshd:06", all13); + + var part97 = match("MESSAGE#78:sshd:07/2", "nwparser.p0", "%{}Added radius server %{saddr}(%{shost})"); + + var all14 = all_match({ + processors: [ + dup38, + dup134, + part97, + ], + on_success: processor_chain([ + dup41, + setc("ec_theme","Configuration"), + setc("ec_activity","Modify"), + dup36, + dup21, + setc("event_description","Added radius server"), + dup22, + ]), + }); + + var msg78 = msg("sshd:07", all14); + + var part98 = match("MESSAGE#79:sshd:08", "nwparser.payload", "%{process}[%{process_id}]: %{result}: %{space->} [%{resultcode}]authentication error", processor_chain([ + setc("eventcategory","1301020000"), + dup33, + dup42, + dup21, + setc("event_description","authentication error"), + dup22, + ])); + + var msg79 = msg("sshd:08", part98); + + var part99 = match("MESSAGE#80:sshd:09", "nwparser.payload", "%{process}[%{process_id}]: unrecognized attribute in %{policyname}: %{change_attribute}", processor_chain([ + dup29, + dup21, + setc("event_description","unrecognized attribute in policy"), + dup22, + ])); + + var msg80 = msg("sshd:09", part99); + + var part100 = match("MESSAGE#81:sshd:10", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ + dup43, + dup33, + dup42, + dup21, + setc("event_description","PAM module return from sshd"), + dup22, + ])); + 
+ var msg81 = msg("sshd:10", part100); + + var part101 = match("MESSAGE#82:sshd:11", "nwparser.payload", "%{process}: PAM authentication chain returned: %{space}[%{resultcode}]%{result}", processor_chain([ + dup43, + dup33, + dup42, + dup21, + setc("event_description","PAM authentication chain return"), + dup22, + ])); + + var msg82 = msg("sshd:11", part101); + + var part102 = match("MESSAGE#83:sshd:12", "nwparser.payload", "%{process}: %{severity}: can't get client address: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","can't get client address"), + dup22, + ])); + + var msg83 = msg("sshd:12", part102); + + var part103 = match("MESSAGE#84:sshd:13", "nwparser.payload", "%{process}: auth server unresponsive", processor_chain([ + dup29, + dup21, + setc("event_description","auth server unresponsive"), + dup22, + ])); + + var msg84 = msg("sshd:13", part103); + + var part104 = match("MESSAGE#85:sshd:14", "nwparser.payload", "%{process}: %{service}: No valid RADIUS responses received", processor_chain([ + dup29, + dup21, + setc("event_description","No valid RADIUS responses received"), + dup22, + ])); + + var msg85 = msg("sshd:14", part104); + + var part105 = match("MESSAGE#86:sshd:15", "nwparser.payload", "%{process}: Moving to next server: %{saddr}(%{shost}).%{sport}", processor_chain([ + dup20, + dup21, + setc("event_description","Moving to next server"), + dup22, + ])); + + var msg86 = msg("sshd:15", part105); + + var part106 = match("MESSAGE#87:sshd:16", "nwparser.payload", "%{fld1->} sshd: SSHD_LOGIN_FAILED: Login failed for user '%{username}' from host '%{hostip}'.", processor_chain([ + dup43, + dup33, + dup42, + dup21, + setc("event_description","Login failed for user"), + dup22, + ])); + + var msg87 = msg("sshd:16", part106); + + var select21 = linear_select([ + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + ]); + + var part107 = 
match("MESSAGE#72:Failed:05/0", "nwparser.payload", "%{process}[%{process_id}]: Failed password for %{p0}"); + + var part108 = match("MESSAGE#72:Failed:05/1_0", "nwparser.p0", "illegal user %{p0}"); + + var part109 = match("MESSAGE#72:Failed:05/1_1", "nwparser.p0", "invalid user %{p0}"); + + var select22 = linear_select([ + part108, + part109, + dup44, + ]); + + var part110 = match("MESSAGE#72:Failed:05/2", "nwparser.p0", "%{} %{username->} from %{saddr->} port %{sport->} %{protocol}"); + + var all15 = all_match({ + processors: [ + part107, + select22, + part110, + ], + on_success: processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + setc("event_description","authentication failure"), + dup22, + ]), + }); + + var msg88 = msg("Failed:05", all15); + + var part111 = match("MESSAGE#746:Failed/0", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: Failed to resolve ipv%{p0}"); + + var part112 = match("MESSAGE#746:Failed/1_0", "nwparser.p0", "4%{p0}"); + + var part113 = match("MESSAGE#746:Failed/1_1", "nwparser.p0", "6%{p0}"); + + var select23 = linear_select([ + part112, + part113, + ]); + + var part114 = match("MESSAGE#746:Failed/2", "nwparser.p0", "%{}addresses for domain name %{sdomain}"); + + var all16 = all_match({ + processors: [ + part111, + select23, + part114, + ], + on_success: processor_chain([ + dup45, + dup46, + dup22, + dup21, + ]), + }); + + var msg89 = msg("Failed", all16); + + var part115 = match("MESSAGE#767:Failed:01", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: %{fld1}", processor_chain([ + dup45, + dup22, + dup21, + ])); + + var msg90 = msg("Failed:01", part115); + + var part116 = match("MESSAGE#768:Failed:02/0_0", "nwparser.payload", "%{fld1->} to create a route if table for Multiservice "); + + var part117 = match("MESSAGE#768:Failed:02/0_1", "nwparser.payload", "%{fld10}"); + + var select24 = linear_select([ + part116, + part117, + ]); + + var all17 = all_match({ + processors: [ + select24, + ], + 
on_success: processor_chain([ + dup45, + dup22, + dup21, + setf("hostname","hfld1"), + ]), + }); + + var msg91 = msg("Failed:02", all17); + + var select25 = linear_select([ + msg88, + msg89, + msg90, + msg91, + ]); + + var part118 = match("MESSAGE#88:syslogd", "nwparser.payload", "%{process}: restart", processor_chain([ + dup20, + dup21, + setc("event_description","syslog daemon restart"), + dup22, + ])); + + var msg92 = msg("syslogd", part118); + + var part119 = match("MESSAGE#89:ucd-snmp", "nwparser.payload", "%{process}[%{process_id}]: AUDIT -- Action %{action->} User: %{username}", processor_chain([ + dup20, + dup21, + dup24, + dup22, + ])); + + var msg93 = msg("ucd-snmp", part119); + + var part120 = match("MESSAGE#90:ucd-snmp:01", "nwparser.payload", "%{process}[%{process_id}]: Received TERM or STOP signal %{space->} %{result}.", processor_chain([ + dup20, + dup21, + setc("event_description","Received TERM or STOP signal"), + dup22, + ])); + + var msg94 = msg("ucd-snmp:01", part120); + + var select26 = linear_select([ + msg93, + msg94, + ]); + + var part121 = match("MESSAGE#91:usp_ipc_client_reconnect", "nwparser.payload", "%{node->} %{process}: failed to connect to the server: %{result->} (%{resultcode})", processor_chain([ + dup26, + dup21, + setc("event_description","failed to connect to the server"), + dup22, + ])); + + var msg95 = msg("usp_ipc_client_reconnect", part121); + + var part122 = match("MESSAGE#92:usp_trace_ipc_disconnect", "nwparser.payload", "%{node->} %{process}:Trace client disconnected. 
%{result}", processor_chain([ + dup26, + dup21, + setc("event_description","Trace client disconnected"), + dup22, + ])); + + var msg96 = msg("usp_trace_ipc_disconnect", part122); + + var part123 = match("MESSAGE#93:usp_trace_ipc_reconnect", "nwparser.payload", "%{node->} %{process}:USP trace client cannot reconnect to server", processor_chain([ + dup29, + dup21, + setc("event_description","USP trace client cannot reconnect to server"), + dup22, + ])); + + var msg97 = msg("usp_trace_ipc_reconnect", part123); + + var part124 = match("MESSAGE#94:uspinfo", "nwparser.payload", "%{process}: flow_print_session_summary_output received %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","flow_print_session_summary_output received"), + dup22, + ])); + + var msg98 = msg("uspinfo", part124); + + var part125 = match("MESSAGE#95:Version", "nwparser.payload", "Version %{version->} by builder on %{event_time_string}", processor_chain([ + dup20, + dup21, + setc("event_description","Version build date"), + dup22, + ])); + + var msg99 = msg("Version", part125); + + var part126 = match("MESSAGE#96:xntpd", "nwparser.payload", "%{process}[%{process_id}]: frequency initialized %{result->} from %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","frequency initialized from file"), + dup22, + ])); + + var msg100 = msg("xntpd", part126); + + var part127 = match("MESSAGE#97:xntpd:01", "nwparser.payload", "%{process}[%{process_id}]: ntpd %{version->} %{event_time_string->} (%{resultcode})", processor_chain([ + dup20, + dup21, + setc("event_description","nptd version build"), + dup22, + ])); + + var msg101 = msg("xntpd:01", part127); + + var part128 = match("MESSAGE#98:xntpd:02", "nwparser.payload", "%{process}: kernel time sync enabled %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","kernel time sync enabled"), + dup22, + ])); + + var msg102 = msg("xntpd:02", part128); + + var part129 = match("MESSAGE#99:xntpd:03", 
"nwparser.payload", "%{process}[%{process_id}]: NTP Server %{result}", processor_chain([ + dup20, + dup21, + dup31, + dup22, + ])); + + var msg103 = msg("xntpd:03", part129); + + var select27 = linear_select([ + msg100, + msg101, + msg102, + msg103, + ]); + + var part130 = match("MESSAGE#100:last", "nwparser.payload", "last message repeated %{dclass_counter1->} times", processor_chain([ + dup20, + dup21, + setc("event_description","last message repeated"), + dup22, + ])); + + var msg104 = msg("last", part130); + + var part131 = match("MESSAGE#739:last:01", "nwparser.payload", "message repeated %{dclass_counter1->} times", processor_chain([ + dup47, + dup46, + dup22, + dup21, + dup23, + ])); + + var msg105 = msg("last:01", part131); + + var select28 = linear_select([ + msg104, + msg105, + ]); + + var part132 = match("MESSAGE#101:BCHIP", "nwparser.payload", "%{process->} %{device}: cannot write ucode mask reg", processor_chain([ + dup29, + dup21, + setc("event_description","cannot write ucode mask reg"), + dup22, + ])); + + var msg106 = msg("BCHIP", part132); + + var part133 = match("MESSAGE#102:CM", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}: On-line", processor_chain([ + dup20, + dup21, + setc("event_description","Slot on-line"), + dup22, + ])); + + var msg107 = msg("CM", part133); + + var part134 = match("MESSAGE#103:COS", "nwparser.payload", "%{process}: Received FC->Q map, %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Received FC Q map"), + dup22, + ])); + + var msg108 = msg("COS", part134); + + var part135 = match("MESSAGE#104:COSFPC", "nwparser.payload", "%{process}: ifd %{resultcode}: %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","ifd error"), + dup22, + ])); + + var msg109 = msg("COSFPC", part135); + + var part136 = match("MESSAGE#105:COSMAN", "nwparser.payload", "%{process}: %{service}: delete class_to_ifl table %{dclass_counter1}, ifl %{dclass_counter2}", processor_chain([ + dup20, + 
dup21, + setc("event_description","delete class to ifl link"), + dup22, + ])); + + var msg110 = msg("COSMAN", part136); + + var part137 = match("MESSAGE#106:RDP", "nwparser.payload", "%{process}: Keepalive timeout for rdp.(%{interface}).(%{device}) (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","Keepalive timeout"), + dup22, + ])); + + var msg111 = msg("RDP", part137); + + var part138 = match("MESSAGE#107:SNTPD", "nwparser.payload", "%{process}: Initial time of day set", processor_chain([ + dup29, + dup21, + setc("event_description","Initial time of day set"), + dup22, + ])); + + var msg112 = msg("SNTPD", part138); + + var part139 = match("MESSAGE#108:SSB", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}, serial number S/N %{serial_number}.", processor_chain([ + dup20, + dup21, + setc("event_description","Slot serial number"), + dup22, + ])); + + var msg113 = msg("SSB", part139); + + var part140 = match("MESSAGE#109:ACCT_ACCOUNTING_FERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error %{result->} from file %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","Unexpected error"), + dup22, + ])); + + var msg114 = msg("ACCT_ACCOUNTING_FERROR", part140); + + var part141 = match("MESSAGE#110:ACCT_ACCOUNTING_FOPEN_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to open file %(unknown): %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to open file"), + dup22, + ])); + + var msg115 = msg("ACCT_ACCOUNTING_FOPEN_ERROR", part141); + + var part142 = match("MESSAGE#111:ACCT_ACCOUNTING_SMALL_FILE_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File %{filename->} size (%{dclass_counter1}) is smaller than record size (%{dclass_counter2})", processor_chain([ + dup48, + dup21, + setc("event_description","File size mismatch"), + dup22, + ])); + + var msg116 = msg("ACCT_ACCOUNTING_SMALL_FILE_SIZE", 
part142); + + var part143 = match("MESSAGE#112:ACCT_BAD_RECORD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid statistics record: %{result}", processor_chain([ + dup48, + dup21, + setc("event_description","Invalid statistics record"), + dup22, + ])); + + var msg117 = msg("ACCT_BAD_RECORD_FORMAT", part143); + + var part144 = match("MESSAGE#113:ACCT_CU_RTSLIB_error", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} getting class usage statistics for interface %{interface}: %{result}", processor_chain([ + dup48, + dup21, + setc("event_description","Class usage statistics error for interface"), + dup22, + ])); + + var msg118 = msg("ACCT_CU_RTSLIB_error", part144); + + var part145 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_0", "nwparser.p0", "Error %{resultcode->} trying %{p0}"); + + var part146 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_1", "nwparser.p0", "trying %{p0}"); + + var select29 = linear_select([ + part145, + part146, + ]); + + var part147 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/2", "nwparser.p0", "%{}to get hostname"); + + var all18 = all_match({ + processors: [ + dup49, + select29, + part147, + ], + on_success: processor_chain([ + dup48, + dup21, + setc("event_description","error trying to get hostname"), + dup22, + ]), + }); + + var msg119 = msg("ACCT_GETHOSTNAME_error", all18); + + var part148 = match("MESSAGE#115:ACCT_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed while reallocating %{obj_name}", processor_chain([ + dup50, + dup21, + setc("event_description","Memory allocation failure"), + dup22, + ])); + + var msg120 = msg("ACCT_MALLOC_FAILURE", part148); + + var part149 = match("MESSAGE#116:ACCT_UNDEFINED_COUNTER_NAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} in accounting profile %{dclass_counter1->} is not defined in a firewall using this filter profile", processor_chain([ + dup29, + 
dup21, + setc("event_description","Accounting profile counter not defined in firewall"), + dup22, + ])); + + var msg121 = msg("ACCT_UNDEFINED_COUNTER_NAME", part149); + + var part150 = match("MESSAGE#117:ACCT_XFER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: %{disposition}", processor_chain([ + dup29, + dup21, + setc("event_description","ACCT_XFER_FAILED"), + dup22, + ])); + + var msg122 = msg("ACCT_XFER_FAILED", part150); + + var part151 = match("MESSAGE#118:ACCT_XFER_POPEN_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: in invoking command command to transfer file %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","POPEN FAIL invoking command command to transfer file"), + dup22, + ])); + + var msg123 = msg("ACCT_XFER_POPEN_FAIL", part151); + + var part152 = match("MESSAGE#119:APPQOS_LOG_EVENT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} timestamp=\"%{result}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" application-name=\"%{application}\" rule-set-name=\"%{rule_group}\" rule-name=\"%{rulename}\" action=\"%{action}\" argument=\"%{fld2}\" argument1=\"%{fld3}\"]", processor_chain([ + dup27, + dup21, + dup51, + ])); + + var msg124 = msg("APPQOS_LOG_EVENT", part152); + + var part153 = match("MESSAGE#120:APPTRACK_SESSION_CREATE", "nwparser.payload", "%{event_type}: AppTrack session created %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username->} %{fld10}", processor_chain([ + dup27, + dup52, + dup53, + dup21, + setc("result","AppTrack session created"), + dup22, + ])); + + var msg125 = msg("APPTRACK_SESSION_CREATE", part153); + + var part154 
= match("MESSAGE#121:APPTRACK_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup27, + dup52, + dup54, + dup21, + dup51, + ])); + + var msg126 = msg("APPTRACK_SESSION_CLOSE", part154); + + var part155 = match("MESSAGE#122:APPTRACK_SESSION_CLOSE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ + dup27, + dup52, + dup54, + dup21, + dup22, + ])); + + var msg127 = msg("APPTRACK_SESSION_CLOSE:01", part155); + + var select30 = linear_select([ + msg126, + msg127, + ]); + + var part156 = match("MESSAGE#123:APPTRACK_SESSION_VOL_UPDATE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" 
nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup27, + dup52, + dup21, + dup51, + ])); + + var msg128 = msg("APPTRACK_SESSION_VOL_UPDATE", part156); + + var part157 = match("MESSAGE#124:APPTRACK_SESSION_VOL_UPDATE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ + dup27, + dup52, + dup21, + dup22, + ])); + + var msg129 = msg("APPTRACK_SESSION_VOL_UPDATE:01", part157); + + var select31 = linear_select([ + msg128, + msg129, + ]); + + var msg130 = msg("BFDD_TRAP_STATE_DOWN", dup135); + + var msg131 = msg("BFDD_TRAP_STATE_UP", dup135); + + var part158 = match("MESSAGE#127:bgp_connect_start", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect %{saddr->} (%{shost}): %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","bgp connect error"), + dup22, + ])); + + var msg132 = msg("bgp_connect_start", part158); + + var part159 = match("MESSAGE#128:bgp_event", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) old state %{change_old->} event %{action->} new state %{change_new}", processor_chain([ + dup20, + dup21, + setc("event_description","bgp peer state change"), + dup22, + ])); + + var msg133 = msg("bgp_event", part159); + + var part160 = 
match("MESSAGE#129:bgp_listen_accept", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection attempt from unconfigured neighbor: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Connection attempt from unconfigured neighbor"), + dup22, + ])); + + var msg134 = msg("bgp_listen_accept", part160); + + var part161 = match("MESSAGE#130:bgp_listen_reset", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","bgp reset"), + dup22, + ])); + + var msg135 = msg("bgp_listen_reset", part161); + + var part162 = match("MESSAGE#131:bgp_nexthop_sanity", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) next hop %{saddr->} local, %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","peer next hop local"), + dup22, + ])); + + var msg136 = msg("bgp_nexthop_sanity", part162); + + var part163 = match("MESSAGE#132:bgp_process_caps", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{severity->} (%{action}) subcode %{version->} (%{result}) value %{disposition}", processor_chain([ + dup29, + dup21, + setc("event_description","code RED error NOTIFICATION sent"), + dup22, + ])); + + var msg137 = msg("bgp_process_caps", part163); + + var part164 = match("MESSAGE#133:bgp_process_caps:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ + dup29, + dup21, + dup56, + dup22, + ])); + + var msg138 = msg("bgp_process_caps:01", part164); + + var select32 = linear_select([ + msg137, + msg138, + ]); + + var part165 = match("MESSAGE#134:bgp_pp_recv", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: dropping %{daddr->} (%{dhost}), %{info->} (%{protocol})", processor_chain([ + dup29, + dup21, + setc("event_description","connection 
collision"), + setc("result","dropping connection to peer"), + dup22, + ])); + + var msg139 = msg("bgp_pp_recv", part165); + + var part166 = match("MESSAGE#135:bgp_pp_recv:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}): received unexpected EOF", processor_chain([ + dup29, + dup21, + setc("event_description","peer received unexpected EOF"), + dup22, + ])); + + var msg140 = msg("bgp_pp_recv:01", part166); + + var select33 = linear_select([ + msg139, + msg140, + ]); + + var part167 = match("MESSAGE#136:bgp_send", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sending %{sbytes->} bytes to %{daddr->} (%{dhost}) blocked (%{disposition}): %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","bgp send blocked error"), + dup22, + ])); + + var msg141 = msg("bgp_send", part167); + + var part168 = match("MESSAGE#137:bgp_traffic_timeout", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","bgp timeout NOTIFICATION sent"), + dup22, + ])); + + var msg142 = msg("bgp_traffic_timeout", part168); + + var part169 = match("MESSAGE#138:BOOTPD_ARG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring unknown option %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","boot argument error"), + dup22, + ])); + + var msg143 = msg("BOOTPD_ARG_ERR", part169); + + var part170 = match("MESSAGE#139:BOOTPD_BAD_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","boot unexpected Id value"), + dup22, + ])); + + var msg144 = msg("BOOTPD_BAD_ID", part170); + + var part171 = match("MESSAGE#140:BOOTPD_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Boot string: 
%(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","Invalid boot string"), + dup22, + ])); + + var msg145 = msg("BOOTPD_BOOTSTRING", part171); + + var part172 = match("MESSAGE#141:BOOTPD_CONFIG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file '%(unknown)', %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","configuration file error"), + dup22, + ])); + + var msg146 = msg("BOOTPD_CONFIG_ERR", part172); + + var part173 = match("MESSAGE#142:BOOTPD_CONF_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open configuration file '%(unknown)'", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to open configuration file"), + dup22, + ])); + + var msg147 = msg("BOOTPD_CONF_OPEN", part173); + + var part174 = match("MESSAGE#143:BOOTPD_DUP_REV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate revision: %{version}", processor_chain([ + dup29, + dup21, + setc("event_description","boot - Duplicate revision"), + dup22, + ])); + + var msg148 = msg("BOOTPD_DUP_REV", part174); + + var part175 = match("MESSAGE#144:BOOTPD_DUP_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate slot default: %{ssid}", processor_chain([ + dup29, + dup21, + setc("event_description","boot - duplicate slot"), + dup22, + ])); + + var msg149 = msg("BOOTPD_DUP_SLOT", part175); + + var part176 = match("MESSAGE#145:BOOTPD_MODEL_CHK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{id->} for model %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","Unexpected ID for model"), + dup22, + ])); + + var msg150 = msg("BOOTPD_MODEL_CHK", part176); + + var part177 = match("MESSAGE#146:BOOTPD_MODEL_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unsupported model %{dclass_counter1}, %{result}", processor_chain([ + dup29, + dup21, + 
setc("event_description","Unsupported model"), + dup22, + ])); + + var msg151 = msg("BOOTPD_MODEL_ERR", part177); + + var part178 = match("MESSAGE#147:BOOTPD_NEW_CONF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: New configuration installed", processor_chain([ + dup20, + dup21, + setc("event_description","New configuration installed"), + dup22, + ])); + + var msg152 = msg("BOOTPD_NEW_CONF", part178); + + var part179 = match("MESSAGE#148:BOOTPD_NO_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No boot string found for type %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","No boot string found"), + dup22, + ])); + + var msg153 = msg("BOOTPD_NO_BOOTSTRING", part179); + + var part180 = match("MESSAGE#149:BOOTPD_NO_CONFIG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No configuration file '%(unknown)', %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","No configuration file found"), + dup22, + ])); + + var msg154 = msg("BOOTPD_NO_CONFIG", part180); + + var part181 = match("MESSAGE#150:BOOTPD_PARSE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): number parse errors on SIGHUP", processor_chain([ + dup29, + dup21, + setc("event_description","parse errors on SIGHUP"), + dup22, + ])); + + var msg155 = msg("BOOTPD_PARSE_ERR", part181); + + var part182 = match("MESSAGE#151:BOOTPD_REPARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reparsing configuration file '%(unknown)'", processor_chain([ + dup20, + dup21, + setc("event_description","Reparsing configuration file"), + dup22, + ])); + + var msg156 = msg("BOOTPD_REPARSE", part182); + + var part183 = match("MESSAGE#152:BOOTPD_SELECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","select error"), + dup22, + ])); + + var msg157 = 
msg("BOOTPD_SELECT_ERR", part183); + + var part184 = match("MESSAGE#153:BOOTPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout %{result->} unreasonable", processor_chain([ + dup29, + dup21, + setc("event_description","timeout unreasonable"), + dup22, + ])); + + var msg158 = msg("BOOTPD_TIMEOUT", part184); + + var part185 = match("MESSAGE#154:BOOTPD_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version: %{version->} built by builder on %{event_time_string}", processor_chain([ + dup20, + dup21, + setc("event_description","boot version built"), + dup22, + ])); + + var msg159 = msg("BOOTPD_VERSION", part185); + + var part186 = match("MESSAGE#155:CHASSISD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{version->} built by builder on %{event_time_string}", processor_chain([ + dup57, + dup21, + setc("event_description","CHASSISD release built"), + dup22, + ])); + + var msg160 = msg("CHASSISD", part186); + + var part187 = match("MESSAGE#156:CHASSISD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown option %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD Unknown option"), + dup22, + ])); + + var msg161 = msg("CHASSISD_ARGUMENT_ERROR", part187); + + var part188 = match("MESSAGE#157:CHASSISD_BLOWERS_SPEED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers are now running at normal speed", processor_chain([ + dup20, + dup21, + setc("event_description","Fans and impellers are now running at normal speed"), + dup22, + ])); + + var msg162 = msg("CHASSISD_BLOWERS_SPEED", part188); + + var part189 = match("MESSAGE#158:CHASSISD_BLOWERS_SPEED_FULL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers being set to full speed [%{result}]", processor_chain([ + dup20, + dup21, + setc("event_description","Fans and impellers being set to full speed"), + dup22, + ])); + + var 
msg163 = msg("CHASSISD_BLOWERS_SPEED_FULL", part189); + + var part190 = match("MESSAGE#159:CHASSISD_CB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading midplane ID EEPROM, %{dclass_counter1->} %{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","reading midplane ID EEPROM"), + dup22, + ])); + + var msg164 = msg("CHASSISD_CB_READ", part190); + + var part191 = match("MESSAGE#160:CHASSISD_COMMAND_ACK_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} online ack code %{dclass_counter1->} - - %{result}, %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD COMMAND ACK ERROR"), + dup22, + ])); + + var msg165 = msg("CHASSISD_COMMAND_ACK_ERROR", part191); + + var part192 = match("MESSAGE#161:CHASSISD_COMMAND_ACK_SF_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{disposition->} - %{result}, code %{resultcode}, SFM %{dclass_counter1}, FPC %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD COMMAND ACK SF ERROR"), + dup22, + ])); + + var msg166 = msg("CHASSISD_COMMAND_ACK_SF_ERROR", part192); + + var part193 = match("MESSAGE#162:CHASSISD_CONCAT_MODE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cannot set no-concatenated mode for FPC %{dclass_counter2->} PIC %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","Cannot set no-concatenated mode for FPC"), + dup22, + ])); + + var msg167 = msg("CHASSISD_CONCAT_MODE_ERROR", part193); + + var part194 = match("MESSAGE#163:CHASSISD_CONFIG_INIT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file %(unknown); %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CONFIG File Problem"), + dup22, + ])); + + var msg168 = msg("CHASSISD_CONFIG_INIT_ERROR", part194); + + var part195 = 
match("MESSAGE#164:CHASSISD_CONFIG_WARNING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): %{result}, FPC %{dclass_counter2->} %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD CONFIG WARNING"), + dup22, + ])); + + var msg169 = msg("CHASSISD_CONFIG_WARNING", part195); + + var part196 = match("MESSAGE#165:CHASSISD_EXISTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd already running; %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","chassisd already running"), + dup22, + ])); + + var msg170 = msg("CHASSISD_EXISTS", part196); + + var part197 = match("MESSAGE#166:CHASSISD_EXISTS_TERM_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Killing existing chassisd and exiting", processor_chain([ + dup20, + dup21, + setc("event_description","Killing existing chassisd and exiting"), + dup22, + ])); + + var msg171 = msg("CHASSISD_EXISTS_TERM_OTHER", part197); + + var part198 = match("MESSAGE#167:CHASSISD_FILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File open: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","file open error"), + dup22, + ])); + + var msg172 = msg("CHASSISD_FILE_OPEN", part198); + + var part199 = match("MESSAGE#168:CHASSISD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File stat: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD file statistics error"), + dup22, + ])); + + var msg173 = msg("CHASSISD_FILE_STAT", part199); + + var part200 = match("MESSAGE#169:CHASSISD_FRU_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD received restart EVENT"), + dup22, + ])); + + var msg174 = 
msg("CHASSISD_FRU_EVENT", part200); + + var part201 = match("MESSAGE#170:CHASSISD_FRU_IPC_WRITE_ERROR_EXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} FRU %(unknown)#%{resultcode}, %{result->} %{dclass_counter1}, %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD restart WRITE_ERROR"), + dup22, + ])); + + var msg175 = msg("CHASSISD_FRU_IPC_WRITE_ERROR_EXT", part201); + + var part202 = match("MESSAGE#171:CHASSISD_FRU_STEP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} %{resultcode->} at step %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD FRU STEP ERROR"), + dup22, + ])); + + var msg176 = msg("CHASSISD_FRU_STEP_ERROR", part202); + + var part203 = match("MESSAGE#172:CHASSISD_GETTIMEOFDAY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error from gettimeofday: %{resultcode->} - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","Unexpected error from gettimeofday"), + dup22, + ])); + + var msg177 = msg("CHASSISD_GETTIMEOFDAY", part203); + + var part204 = match("MESSAGE#173:CHASSISD_HOST_TEMP_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading host temperature sensor", processor_chain([ + dup20, + dup21, + setc("event_description","reading host temperature sensor"), + dup22, + ])); + + var msg178 = msg("CHASSISD_HOST_TEMP_READ", part204); + + var part205 = match("MESSAGE#174:CHASSISD_IFDEV_DETACH_ALL_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ + dup20, + dup21, + setc("event_description","detaching all pseudo devices"), + dup22, + ])); + + var msg179 = msg("CHASSISD_IFDEV_DETACH_ALL_PSEUDO", part205); + + var part206 = match("MESSAGE#175:CHASSISD_IFDEV_DETACH_FPC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
%{service}(%{resultcode})", processor_chain([ + dup20, + dup21, + setc("event_description","CHASSISD IFDEV DETACH FPC"), + dup22, + ])); + + var msg180 = msg("CHASSISD_IFDEV_DETACH_FPC", part206); + + var part207 = match("MESSAGE#176:CHASSISD_IFDEV_DETACH_PIC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{resultcode})", processor_chain([ + dup20, + dup21, + setc("event_description","CHASSISD IFDEV DETACH PIC"), + dup22, + ])); + + var msg181 = msg("CHASSISD_IFDEV_DETACH_PIC", part207); + + var part208 = match("MESSAGE#177:CHASSISD_IFDEV_DETACH_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ + dup20, + dup21, + setc("event_description","CHASSISD IFDEV DETACH PSEUDO"), + dup22, + ])); + + var msg182 = msg("CHASSISD_IFDEV_DETACH_PSEUDO", part208); + + var part209 = match("MESSAGE#178:CHASSISD_IFDEV_DETACH_TLV_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD IFDEV DETACH TLV ERROR"), + dup22, + ])); + + var msg183 = msg("CHASSISD_IFDEV_DETACH_TLV_ERROR", part209); + + var part210 = match("MESSAGE#179:CHASSISD_IFDEV_GET_BY_INDEX_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: rtslib_ifdm_get_by_index failed: %{resultcode->} - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","rtslib_ifdm_get_by_index failed"), + dup22, + ])); + + var msg184 = msg("CHASSISD_IFDEV_GET_BY_INDEX_FAIL", part210); + + var part211 = match("MESSAGE#180:CHASSISD_IPC_MSG_QFULL_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Message Queue full"), + dup22, + ])); + + var msg185 = msg("CHASSISD_IPC_MSG_QFULL_ERROR", part211); + + var part212 = 
match("MESSAGE#181:CHASSISD_IPC_UNEXPECTED_RECV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received unexpected message from %{service}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Received unexpected message"), + dup22, + ])); + + var msg186 = msg("CHASSISD_IPC_UNEXPECTED_RECV", part212); + + var part213 = match("MESSAGE#182:CHASSISD_IPC_WRITE_ERR_NO_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection pipe %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","FRU has no connection pipe"), + dup22, + ])); + + var msg187 = msg("CHASSISD_IPC_WRITE_ERR_NO_PIPE", part213); + + var part214 = match("MESSAGE#183:CHASSISD_IPC_WRITE_ERR_NULL_ARGS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection arguments %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","FRU has no connection arguments"), + dup22, + ])); + + var msg188 = msg("CHASSISD_IPC_WRITE_ERR_NULL_ARGS", part214); + + var part215 = match("MESSAGE#184:CHASSISD_MAC_ADDRESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd MAC address allocation error", processor_chain([ + dup29, + dup21, + setc("event_description","chassisd MAC address allocation error"), + dup22, + ])); + + var msg189 = msg("CHASSISD_MAC_ADDRESS_ERROR", part215); + + var part216 = match("MESSAGE#185:CHASSISD_MAC_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using default MAC address base", processor_chain([ + dup20, + dup21, + setc("event_description","Using default MAC address base"), + dup22, + ])); + + var msg190 = msg("CHASSISD_MAC_DEFAULT", part216); + + var part217 = match("MESSAGE#186:CHASSISD_MBUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} %{resultcode}: management bus failed sanity test", processor_chain([ + dup29, + dup21, + 
setc("event_description","management bus failed sanity test"), + dup22, + ])); + + var msg191 = msg("CHASSISD_MBUS_ERROR", part217); + + var part218 = match("MESSAGE#187:CHASSISD_PARSE_COMPLETE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using new configuration", processor_chain([ + dup20, + dup21, + setc("event_description","Using new configuration"), + dup22, + ])); + + var msg192 = msg("CHASSISD_PARSE_COMPLETE", part218); + + var part219 = match("MESSAGE#188:CHASSISD_PARSE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{resultcode->} %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD PARSE ERROR"), + dup22, + ])); + + var msg193 = msg("CHASSISD_PARSE_ERROR", part219); + + var part220 = match("MESSAGE#189:CHASSISD_PARSE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Parsing configuration file '%(unknown)'", processor_chain([ + dup20, + dup21, + setc("event_description","Parsing configuration file"), + dup22, + ])); + + var msg194 = msg("CHASSISD_PARSE_INIT", part220); + + var part221 = match("MESSAGE#190:CHASSISD_PIDFILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open PID file '%(unknown)': %{result->} %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to open PID file"), + dup22, + ])); + + var msg195 = msg("CHASSISD_PIDFILE_OPEN", part221); + + var part222 = match("MESSAGE#191:CHASSISD_PIPE_WRITE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Pipe error: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Pipe error"), + dup22, + ])); + + var msg196 = msg("CHASSISD_PIPE_WRITE_ERROR", part222); + + var part223 = match("MESSAGE#192:CHASSISD_POWER_CHECK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} %{dclass_counter1->} not powering up", processor_chain([ + dup58, + dup21, + 
setc("event_description","device not powering up"), + dup22, + ])); + + var msg197 = msg("CHASSISD_POWER_CHECK", part223); + + var part224 = match("MESSAGE#193:CHASSISD_RECONNECT_SUCCESSFUL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Successfully reconnected on soft restart", processor_chain([ + dup20, + dup21, + setc("event_description","Successful reconnect on soft restart"), + dup22, + ])); + + var msg198 = msg("CHASSISD_RECONNECT_SUCCESSFUL", part224); + + var part225 = match("MESSAGE#194:CHASSISD_RELEASE_MASTERSHIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Release mastership notification", processor_chain([ + dup20, + dup21, + setc("event_description","Release mastership notification"), + dup22, + ])); + + var msg199 = msg("CHASSISD_RELEASE_MASTERSHIP", part225); + + var part226 = match("MESSAGE#195:CHASSISD_RE_INIT_INVALID_RE_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: re_init: re %{resultcode}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","re_init Invalid RE slot"), + dup22, + ])); + + var msg200 = msg("CHASSISD_RE_INIT_INVALID_RE_SLOT", part226); + + var part227 = match("MESSAGE#196:CHASSISD_ROOT_MOUNT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine the mount point for root directory: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to determine mount point for root directory"), + dup22, + ])); + + var msg201 = msg("CHASSISD_ROOT_MOUNT_ERROR", part227); + + var part228 = match("MESSAGE#197:CHASSISD_RTS_SEQ_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifmsg sequence gap %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","ifmsg sequence gap"), + dup22, + ])); + + var msg202 = msg("CHASSISD_RTS_SEQ_ERROR", part228); + + var part229 = match("MESSAGE#198:CHASSISD_SBOARD_VERSION_MISMATCH", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ + setc("eventcategory","1603040000"), + dup21, + setc("event_description","Version mismatch"), + dup22, + ])); + + var msg203 = msg("CHASSISD_SBOARD_VERSION_MISMATCH", part229); + + var part230 = match("MESSAGE#199:CHASSISD_SERIAL_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Serial ID read error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","Serial ID read error"), + dup22, + ])); + + var msg204 = msg("CHASSISD_SERIAL_ID", part230); + + var part231 = match("MESSAGE#200:CHASSISD_SMB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: fpga download not complete: val %{resultcode}, %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","fpga download not complete"), + dup22, + ])); + + var msg205 = msg("CHASSISD_SMB_ERROR", part231); + + var part232 = match("MESSAGE#201:CHASSISD_SNMP_TRAP6", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap generated: %{result->} (%{info})", processor_chain([ + dup57, + dup21, + setc("event_description","SNMP Trap6 generated"), + dup22, + ])); + + var msg206 = msg("CHASSISD_SNMP_TRAP6", part232); + + var part233 = match("MESSAGE#202:CHASSISD_SNMP_TRAP7", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP Trap7 generated"), + dup22, + ])); + + var msg207 = msg("CHASSISD_SNMP_TRAP7", part233); + + var part234 = match("MESSAGE#203:CHASSISD_SNMP_TRAP10", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP trap - FRU power on"), + dup22, + ])); + + var msg208 = msg("CHASSISD_SNMP_TRAP10", part234); + + var part235 = 
match("MESSAGE#204:CHASSISD_TERM_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received SIGTERM request, %{result}", processor_chain([ + dup59, + dup21, + setc("event_description","Received SIGTERM request"), + dup22, + ])); + + var msg209 = msg("CHASSISD_TERM_SIGNAL", part235); + + var part236 = match("MESSAGE#205:CHASSISD_TRACE_PIC_OFFLINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Taking PIC offline - - FPC slot %{dclass_counter1}, PIC slot %{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","Taking PIC offline"), + dup22, + ])); + + var msg210 = msg("CHASSISD_TRACE_PIC_OFFLINE", part236); + + var part237 = match("MESSAGE#206:CHASSISD_UNEXPECTED_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} returned %{resultcode}: %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","UNEXPECTED EXIT"), + dup22, + ])); + + var msg211 = msg("CHASSISD_UNEXPECTED_EXIT", part237); + + var part238 = match("MESSAGE#207:CHASSISD_UNSUPPORTED_MODEL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Model %{dclass_counter1->} unsupported with this version of chassisd", processor_chain([ + dup58, + dup21, + setc("event_description","Model number unsupported with this version of chassisd"), + dup22, + ])); + + var msg212 = msg("CHASSISD_UNSUPPORTED_MODEL", part238); + + var part239 = match("MESSAGE#208:CHASSISD_VERSION_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ + dup58, + dup21, + setc("event_description","Chassisd Version mismatch"), + dup22, + ])); + + var msg213 = msg("CHASSISD_VERSION_MISMATCH", part239); + + var part240 = match("MESSAGE#209:CHASSISD_HIGH_TEMP_CONDITION", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} temperature=\"%{fld2}\" message=\"%{info}\"]", processor_chain([ + dup58, + dup21, + 
setc("event_description","CHASSISD HIGH TEMP CONDITION"), + dup60, + dup61, + ])); + + var msg214 = msg("CHASSISD_HIGH_TEMP_CONDITION", part240); + + var part241 = match("MESSAGE#210:clean_process", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: process %{agent->} RESTART mode %{event_state->} new master=%{obj_name->} old failover=%{change_old->} new failover = %{change_new}", processor_chain([ + dup20, + dup21, + setc("event_description","process RESTART mode"), + dup22, + ])); + + var msg215 = msg("clean_process", part241); + + var part242 = match("MESSAGE#211:CM_JAVA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Chassis %{group->} Linklocal MAC:%{macaddr}", processor_chain([ + dup20, + dup21, + setc("event_description","Chassis Linklocal to MAC"), + dup22, + ])); + + var msg216 = msg("CM_JAVA", part242); + + var part243 = match("MESSAGE#212:DCD_AS_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup62, + dup21, + setc("event_description","DCD must be run as root"), + dup22, + ])); + + var msg217 = msg("DCD_AS_ROOT", part243); + + var part244 = match("MESSAGE#213:DCD_FILTER_LIB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Filter library initialization failed", processor_chain([ + dup29, + dup21, + setc("event_description","Filter library initialization failed"), + dup22, + ])); + + var msg218 = msg("DCD_FILTER_LIB_ERROR", part244); + + var msg219 = msg("DCD_MALLOC_FAILED_INIT", dup136); + + var part245 = match("MESSAGE#215:DCD_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration file", processor_chain([ + dup29, + dup21, + setc("event_description","errors while parsing configuration file"), + dup22, + ])); + + var msg220 = msg("DCD_PARSE_EMERGENCY", part245); + + var part246 = match("MESSAGE#216:DCD_PARSE_FILTER_EMERGENCY", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing filter index file", processor_chain([ + dup29, + dup21, + setc("event_description","errors while parsing filter index file"), + dup22, + ])); + + var msg221 = msg("DCD_PARSE_FILTER_EMERGENCY", part246); + + var part247 = match("MESSAGE#217:DCD_PARSE_MINI_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration overlay", processor_chain([ + dup29, + dup21, + setc("event_description","errors while parsing configuration overlay"), + dup22, + ])); + + var msg222 = msg("DCD_PARSE_MINI_EMERGENCY", part247); + + var part248 = match("MESSAGE#218:DCD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: An unhandled state was encountered during interface parsing", processor_chain([ + dup29, + dup21, + setc("event_description","unhandled state was encountered during interface parsing"), + dup22, + ])); + + var msg223 = msg("DCD_PARSE_STATE_EMERGENCY", part248); + + var part249 = match("MESSAGE#219:DCD_POLICER_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing policer indexfile", processor_chain([ + dup29, + dup21, + setc("event_description","errors while parsing policer indexfile"), + dup22, + ])); + + var msg224 = msg("DCD_POLICER_PARSE_EMERGENCY", part249); + + var part250 = match("MESSAGE#220:DCD_PULL_LOG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to pull file %{filename->} after %{dclass_counter1->} retries last error=%{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to pull file"), + dup22, + ])); + + var msg225 = msg("DCD_PULL_LOG_FAILURE", part250); + + var part251 = match("MESSAGE#221:DFWD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","DFWD ARGUMENT 
ERROR"), + dup22, + ])); + + var msg226 = msg("DFWD_ARGUMENT_ERROR", part251); + + var msg227 = msg("DFWD_MALLOC_FAILED_INIT", dup136); + + var part252 = match("MESSAGE#223:DFWD_PARSE_FILTER_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered errors while parsing filter index file", processor_chain([ + dup29, + dup21, + setc("event_description","errors encountered while parsing filter index file"), + dup22, + ])); + + var msg228 = msg("DFWD_PARSE_FILTER_EMERGENCY", part252); + + var part253 = match("MESSAGE#224:DFWD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered unhandled state while parsing interface", processor_chain([ + dup29, + dup21, + setc("event_description","encountered unhandled state while parsing interface"), + dup22, + ])); + + var msg229 = msg("DFWD_PARSE_STATE_EMERGENCY", part253); + + var msg230 = msg("ECCD_DAEMONIZE_FAILED", dup137); + + var msg231 = msg("ECCD_DUPLICATE", dup138); + + var part254 = match("MESSAGE#227:ECCD_LOOP_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MainLoop return value: %{disposition}, error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ECCD LOOP EXIT FAILURE"), + dup22, + ])); + + var msg232 = msg("ECCD_LOOP_EXIT_FAILURE", part254); + + var part255 = match("MESSAGE#228:ECCD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup62, + dup21, + setc("event_description","ECCD Must be run as root"), + dup22, + ])); + + var msg233 = msg("ECCD_NOT_ROOT", part255); + + var part256 = match("MESSAGE#229:ECCD_PCI_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: open() failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ECCD PCI FILE OPEN FAILED"), + dup22, + ])); + + var msg234 = msg("ECCD_PCI_FILE_OPEN_FAILED", part256); + + var 
part257 = match("MESSAGE#230:ECCD_PCI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","PCI read failure"), + dup22, + ])); + + var msg235 = msg("ECCD_PCI_READ_FAILED", part257); + + var part258 = match("MESSAGE#231:ECCD_PCI_WRITE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","PCI write failure"), + dup22, + ])); + + var msg236 = msg("ECCD_PCI_WRITE_FAILED", part258); + + var msg237 = msg("ECCD_PID_FILE_LOCK", dup139); + + var msg238 = msg("ECCD_PID_FILE_UPDATE", dup140); + + var part259 = match("MESSAGE#234:ECCD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ECCD TRACE FILE OPEN FAILURE"), + dup22, + ])); + + var msg239 = msg("ECCD_TRACE_FILE_OPEN_FAILED", part259); + + var part260 = match("MESSAGE#235:ECCD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","ECCD Usage"), + dup22, + ])); + + var msg240 = msg("ECCD_usage", part260); + + var part261 = match("MESSAGE#236:EVENTD_AUDIT_SHOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} viewed security audit log with arguments: %{param}", processor_chain([ + dup20, + dup21, + setc("event_description","User viewed security audit log with arguments"), + dup22, + ])); + + var msg241 = msg("EVENTD_AUDIT_SHOW", part261); + + var part262 = match("MESSAGE#237:FLOW_REASSEMBLE_SUCCEED", "nwparser.payload", "%{event_type}: Packet merged source %{saddr->} destination %{daddr->} ipid %{fld11->} succeed", processor_chain([ + dup20, + dup21, + dup22, + ])); + + var msg242 = msg("FLOW_REASSEMBLE_SUCCEED", part262); + + var part263 = 
match("MESSAGE#238:FSAD_CHANGE_FILE_OWNER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to change owner of file `%(unknown)' to user %{username}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to change owner of file"), + dup22, + ])); + + var msg243 = msg("FSAD_CHANGE_FILE_OWNER", part263); + + var part264 = match("MESSAGE#239:FSAD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","FSAD CONFIG ERROR"), + dup22, + ])); + + var msg244 = msg("FSAD_CONFIG_ERROR", part264); + + var part265 = match("MESSAGE#240:FSAD_CONNTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection timed out to the client (%{shost}, %{saddr}) having request type %{obj_type}", processor_chain([ + dup29, + dup21, + setc("event_description","Connection timed out to client"), + dup22, + ])); + + var msg245 = msg("FSAD_CONNTIMEDOUT", part265); + + var part266 = match("MESSAGE#241:FSAD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","FSAD_FAILED"), + dup22, + ])); + + var msg246 = msg("FSAD_FAILED", part266); + + var part267 = match("MESSAGE#242:FSAD_FETCHTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fetch to server %{hostname->} for file `%(unknown)' timed out", processor_chain([ + dup29, + dup21, + setc("event_description","Fetch to server to get file timed out"), + dup22, + ])); + + var msg247 = msg("FSAD_FETCHTIMEDOUT", part267); + + var part268 = match("MESSAGE#243:FSAD_FILE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: fn failed for file `%(unknown)' with error message %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","fn failed for file"), + dup22, + ])); + + var msg248 = 
msg("FSAD_FILE_FAILED", part268); + + var part269 = match("MESSAGE#244:FSAD_FILE_REMOVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to remove file `%(unknown)': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to remove file"), + dup22, + ])); + + var msg249 = msg("FSAD_FILE_REMOVE", part269); + + var part270 = match("MESSAGE#245:FSAD_FILE_RENAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to rename file `%(unknown)' to `%{resultcode}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to rename file"), + dup22, + ])); + + var msg250 = msg("FSAD_FILE_RENAME", part270); + + var part271 = match("MESSAGE#246:FSAD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed for file pathname %(unknown): %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","stat failed for file"), + dup22, + ])); + + var msg251 = msg("FSAD_FILE_STAT", part271); + + var part272 = match("MESSAGE#247:FSAD_FILE_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to sync file %(unknown)': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to sync file"), + dup22, + ])); + + var msg252 = msg("FSAD_FILE_SYNC", part272); + + var part273 = match("MESSAGE#248:FSAD_MAXCONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Upper limit reached in fsad for handling connections", processor_chain([ + dup29, + dup21, + setc("event_description","Upper limit reached in fsad"), + dup22, + ])); + + var msg253 = msg("FSAD_MAXCONN", part273); + + var part274 = match("MESSAGE#249:FSAD_MEMORYALLOC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed in the function %{action->} (%{resultcode})", processor_chain([ + dup50, + dup21, + setc("event_description","FSAD MEMORYALLOC FAILED"), + dup22, + ])); + + var msg254 = 
msg("FSAD_MEMORYALLOC_FAILED", part274); + + var part275 = match("MESSAGE#250:FSAD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup62, + dup21, + setc("event_description","FSAD must be run as root"), + dup22, + ])); + + var msg255 = msg("FSAD_NOT_ROOT", part275); + + var part276 = match("MESSAGE#251:FSAD_PARENT_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: invalid directory: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","invalid directory"), + dup22, + ])); + + var msg256 = msg("FSAD_PARENT_DIRECTORY", part276); + + var part277 = match("MESSAGE#252:FSAD_PATH_IS_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File path cannot be a directory (%(unknown))", processor_chain([ + dup29, + dup21, + setc("event_description","File path cannot be a directory"), + dup22, + ])); + + var msg257 = msg("FSAD_PATH_IS_DIRECTORY", part277); + + var part278 = match("MESSAGE#253:FSAD_PATH_IS_SPECIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Not a regular file (%(unknown))", processor_chain([ + dup29, + dup21, + setc("event_description","Not a regular file"), + dup22, + ])); + + var msg258 = msg("FSAD_PATH_IS_SPECIAL", part278); + + var part279 = match("MESSAGE#254:FSAD_RECVERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fsad received error message from client having request type %{obj_type->} at (%{saddr}, %{sport})", processor_chain([ + dup29, + dup21, + setc("event_description","fsad received error message from client"), + dup22, + ])); + + var msg259 = msg("FSAD_RECVERROR", part279); + + var part280 = match("MESSAGE#255:FSAD_TERMINATED_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open file %(unknown)` closed due to %{result}", processor_chain([ + dup26, + dup21, + setc("event_description","FSAD TERMINATED CONNECTION"), + dup22, + ])); + + 
var msg260 = msg("FSAD_TERMINATED_CONNECTION", part280); + + var part281 = match("MESSAGE#256:FSAD_TERMINATING_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received terminating %{resultcode}; %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Received terminating signal"), + dup22, + ])); + + var msg261 = msg("FSAD_TERMINATING_SIGNAL", part281); + + var part282 = match("MESSAGE#257:FSAD_TRACEOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open operation on trace file `%(unknown)' returned error %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Open operation on trace file failed"), + dup22, + ])); + + var msg262 = msg("FSAD_TRACEOPEN_FAILED", part282); + + var part283 = match("MESSAGE#258:FSAD_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage, %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Incorrect FSAD usage"), + dup22, + ])); + + var msg263 = msg("FSAD_USAGE", part283); + + var part284 = match("MESSAGE#259:GGSN_ALARM_TRAP_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","GGSN ALARM TRAP FAILED"), + dup22, + ])); + + var msg264 = msg("GGSN_ALARM_TRAP_FAILED", part284); + + var part285 = match("MESSAGE#260:GGSN_ALARM_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","GGSN ALARM TRAP SEND FAILED"), + dup22, + ])); + + var msg265 = msg("GGSN_ALARM_TRAP_SEND", part285); + + var part286 = match("MESSAGE#261:GGSN_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown trap request type %{obj_type}", processor_chain([ + dup29, + dup21, + setc("event_description","Unknown trap request type"), + dup22, + ])); + + var msg266 = 
msg("GGSN_TRAP_SEND", part286); + + var part287 = match("MESSAGE#262:JADE_AUTH_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authorization failed: %{result}", processor_chain([ + dup68, + dup33, + setc("ec_subject","Service"), + dup42, + dup21, + setc("event_description","Authorization failed"), + dup22, + ])); + + var msg267 = msg("JADE_AUTH_ERROR", part287); + + var part288 = match("MESSAGE#263:JADE_EXEC_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: CLI %{resultcode->} %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","JADE EXEC ERROR"), + dup22, + ])); + + var msg268 = msg("JADE_EXEC_ERROR", part288); + + var part289 = match("MESSAGE#264:JADE_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local user %{username->} does not exist", processor_chain([ + dup29, + dup21, + setc("event_description","Local user does not exist"), + dup22, + ])); + + var msg269 = msg("JADE_NO_LOCAL_USER", part289); + + var part290 = match("MESSAGE#265:JADE_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","JADE PAM error"), + dup22, + ])); + + var msg270 = msg("JADE_PAM_ERROR", part290); + + var part291 = match("MESSAGE#266:JADE_PAM_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get local username from PAM: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to get local username from PAM"), + dup22, + ])); + + var msg271 = msg("JADE_PAM_NO_LOCAL_USER", part291); + + var part292 = match("MESSAGE#267:KERN_ARP_ADDR_CHANGE", "nwparser.payload", "%{process}: %{event_type}: arp info overwritten for %{saddr->} from %{smacaddr->} to %{dmacaddr}", processor_chain([ + dup29, + dup21, + setc("event_description","arp info overwritten"), + dup22, + ])); + + var msg272 = msg("KERN_ARP_ADDR_CHANGE", 
part292); + + var part293 = match("MESSAGE#268:KMD_PM_SA_ESTABLISHED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local gateway: %{gateway}, Remote gateway: %{fld1}, Local ID:%{fld2}, Remote ID:%{fld3}, Direction:%{fld4}, SPI:%{fld5}", processor_chain([ + dup29, + dup21, + setc("event_description","security association has been established"), + dup22, + ])); + + var msg273 = msg("KMD_PM_SA_ESTABLISHED", part293); + + var part294 = match("MESSAGE#269:L2CPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialized", processor_chain([ + dup20, + dup21, + setc("event_description","Task Reinitialized"), + dup60, + dup22, + ])); + + var msg274 = msg("L2CPD_TASK_REINIT", part294); + + var part295 = match("MESSAGE#270:LIBJNX_EXEC_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal='%{obj_type}' %{result}, command '%{action}'", processor_chain([ + dup20, + dup21, + dup69, + dup22, + ])); + + var msg275 = msg("LIBJNX_EXEC_EXITED", part295); + + var part296 = match("MESSAGE#271:LIBJNX_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Child exec failed for command"), + dup22, + ])); + + var msg276 = msg("LIBJNX_EXEC_FAILED", part296); + + var msg277 = msg("LIBJNX_EXEC_PIPE", dup141); + + var part297 = match("MESSAGE#273:LIBJNX_EXEC_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command received signal: PID %{child_pid}, signal %{result}, command '%{action}'", processor_chain([ + dup29, + dup21, + setc("event_description","Command received signal"), + dup22, + ])); + + var msg278 = msg("LIBJNX_EXEC_SIGNALED", part297); + + var part298 = match("MESSAGE#274:LIBJNX_EXEC_WEXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{result}, command 
'%{action}'", processor_chain([ + dup20, + dup21, + dup71, + dup22, + ])); + + var msg279 = msg("LIBJNX_EXEC_WEXIT", part298); + + var part299 = match("MESSAGE#275:LIBJNX_FILE_COPY_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: copy_file_to_transfer_dir failed to copy from source to destination", processor_chain([ + dup72, + dup21, + setc("event_description","copy_file_to_transfer_dir failed to copy"), + dup22, + ])); + + var msg280 = msg("LIBJNX_FILE_COPY_FAILED", part299); + + var part300 = match("MESSAGE#276:LIBJNX_PRIV_LOWER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lower privilege level: %{result}", processor_chain([ + dup72, + dup21, + setc("event_description","Unable to lower privilege level"), + dup22, + ])); + + var msg281 = msg("LIBJNX_PRIV_LOWER_FAILED", part300); + + var part301 = match("MESSAGE#277:LIBJNX_PRIV_RAISE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to raise privilege level: %{result}", processor_chain([ + dup72, + dup21, + setc("event_description","Unable to raise privilege level"), + dup22, + ])); + + var msg282 = msg("LIBJNX_PRIV_RAISE_FAILED", part301); + + var part302 = match("MESSAGE#278:LIBJNX_REPLICATE_RCP_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup72, + dup21, + setc("event_description","rcp failed"), + dup22, + ])); + + var msg283 = msg("LIBJNX_REPLICATE_RCP_EXEC_FAILED", part302); + + var part303 = match("MESSAGE#279:LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode->} %{dclass_counter1->} -f %{action}: %{result}", processor_chain([ + dup72, + dup21, + setc("event_description","ROTATE COMPRESS EXEC FAILED"), + dup22, + ])); + + var msg284 = msg("LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", part303); + + var part304 = match("MESSAGE#280:LIBSERVICED_CLIENT_CONNECTION", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Client connection error: %{result}", processor_chain([ + dup73, + dup21, + setc("event_description","Client connection error"), + dup22, + ])); + + var msg285 = msg("LIBSERVICED_CLIENT_CONNECTION", part304); + + var part305 = match("MESSAGE#281:LIBSERVICED_OUTBOUND_REQUEST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Outbound request failed for command [%{action}]: %{result}", processor_chain([ + dup72, + dup21, + setc("event_description","Outbound request failed for command"), + dup22, + ])); + + var msg286 = msg("LIBSERVICED_OUTBOUND_REQUEST", part305); + + var part306 = match("MESSAGE#282:LIBSERVICED_SNMP_LOST_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection closed while receiving from client %{dclass_counter1}", processor_chain([ + dup26, + dup21, + setc("event_description","Connection closed while receiving from client"), + dup22, + ])); + + var msg287 = msg("LIBSERVICED_SNMP_LOST_CONNECTION", part306); + + var part307 = match("MESSAGE#283:LIBSERVICED_SOCKET_BIND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: unable to bind socket %{ssid}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","unable to bind socket"), + dup22, + ])); + + var msg288 = msg("LIBSERVICED_SOCKET_BIND", part307); + + var part308 = match("MESSAGE#284:LIBSERVICED_SOCKET_PRIVATIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to attach socket %{ssid->} to management routing instance: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to attach socket to management routing instance"), + dup22, + ])); + + var msg289 = msg("LIBSERVICED_SOCKET_PRIVATIZE", part308); + + var part309 = match("MESSAGE#285:LICENSE_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","LICENSE EXPIRED"), + 
dup22, + ])); + + var msg290 = msg("LICENSE_EXPIRED", part309); + + var part310 = match("MESSAGE#286:LICENSE_EXPIRED_KEY_DELETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License key \"%(unknown)\" has expired.", processor_chain([ + dup20, + dup21, + setc("event_description","License key has expired"), + dup22, + ])); + + var msg291 = msg("LICENSE_EXPIRED_KEY_DELETED", part310); + + var part311 = match("MESSAGE#287:LICENSE_NEARING_EXPIRY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License for feature %{disposition->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","License key expiration soon"), + dup22, + ])); + + var msg292 = msg("LICENSE_NEARING_EXPIRY", part311); + + var part312 = match("MESSAGE#288:LOGIN_ABORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Client aborted login", processor_chain([ + dup29, + dup21, + setc("event_description","client aborted login"), + dup22, + ])); + + var msg293 = msg("LOGIN_ABORTED", part312); + + var part313 = match("MESSAGE#289:LOGIN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login failed for user %{username->} from host %{dhost}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + dup22, + ])); + + var msg294 = msg("LOGIN_FAILED", part313); + + var part314 = match("MESSAGE#290:LOGIN_FAILED_INCORRECT_PASSWORD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect password for user %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Incorrect password for user"), + dup22, + ])); + + var msg295 = msg("LOGIN_FAILED_INCORRECT_PASSWORD", part314); + + var part315 = match("MESSAGE#291:LOGIN_FAILED_SET_CONTEXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set context for user %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + 
setc("result","Failed to set context for user"), + dup22, + ])); + + var msg296 = msg("LOGIN_FAILED_SET_CONTEXT", part315); + + var part316 = match("MESSAGE#292:LOGIN_FAILED_SET_LOGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set login ID for user %{username}: %{dhost}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Failed to set login ID for user"), + dup22, + ])); + + var msg297 = msg("LOGIN_FAILED_SET_LOGIN", part316); + + var part317 = match("MESSAGE#293:LOGIN_HOSTNAME_UNRESOLVED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to resolve hostname %{dhost}: %{info}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Unable to resolve hostname"), + dup22, + ])); + + var msg298 = msg("LOGIN_HOSTNAME_UNRESOLVED", part317); + + var part318 = match("MESSAGE#294:LOGIN_INFORMATION/2", "nwparser.p0", "%{} %{event_type}: %{p0}"); + + var part319 = match("MESSAGE#294:LOGIN_INFORMATION/4", "nwparser.p0", "%{} %{username->} logged in from host %{dhost->} on %{p0}"); + + var part320 = match("MESSAGE#294:LOGIN_INFORMATION/5_0", "nwparser.p0", "device %{p0}"); + + var select34 = linear_select([ + part320, + dup44, + ]); + + var part321 = match("MESSAGE#294:LOGIN_INFORMATION/6", "nwparser.p0", "%{} %{terminal}"); + + var all19 = all_match({ + processors: [ + dup38, + dup134, + part318, + dup142, + part319, + select34, + part321, + ], + on_success: processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","Successful Login"), + dup22, + ]), + }); + + var msg299 = msg("LOGIN_INFORMATION", all19); + + var part322 = match("MESSAGE#295:LOGIN_INVALID_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No entry in local password file for user %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","No entry in 
local password file for user"), + dup22, + ])); + + var msg300 = msg("LOGIN_INVALID_LOCAL_USER", part322); + + var part323 = match("MESSAGE#296:LOGIN_MALFORMED_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid username: %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Invalid username"), + dup22, + ])); + + var msg301 = msg("LOGIN_MALFORMED_USER", part323); + + var part324 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_0", "nwparser.p0", "PAM authentication error for user %{p0}"); + + var part325 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_1", "nwparser.p0", "Failed password for user %{p0}"); + + var select35 = linear_select([ + part324, + part325, + ]); + + var part326 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/2", "nwparser.p0", "%{} %{username}"); + + var all20 = all_match({ + processors: [ + dup49, + select35, + part326, + ], + on_success: processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","PAM authentication error for user"), + dup22, + ]), + }); + + var msg302 = msg("LOGIN_PAM_AUTHENTICATION_ERROR", all20); + + var part327 = match("MESSAGE#298:LOGIN_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failure while authenticating user %{username}: %{dhost}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + setc("event_description","PAM authentication failure"), + setc("result","Failure while authenticating user"), + dup22, + ])); + + var msg303 = msg("LOGIN_PAM_ERROR", part327); + + var part328 = match("MESSAGE#299:LOGIN_PAM_MAX_RETRIES", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many retries while authenticating user %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Too many retries while authenticating user"), + dup22, + ])); + + var msg304 = 
msg("LOGIN_PAM_MAX_RETRIES", part328); + + var part329 = match("MESSAGE#300:LOGIN_PAM_NONLOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} authenticated but has no local login ID", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","User authenticated but has no local login ID"), + dup22, + ])); + + var msg305 = msg("LOGIN_PAM_NONLOCAL_USER", part329); + + var part330 = match("MESSAGE#301:LOGIN_PAM_STOP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to end PAM session: %{info}", processor_chain([ + setc("eventcategory","1303000000"), + dup33, + dup42, + dup21, + setc("event_description","Failed to end PAM session"), + dup22, + ])); + + var msg306 = msg("LOGIN_PAM_STOP", part330); + + var part331 = match("MESSAGE#302:LOGIN_PAM_USER_UNKNOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Attempt to authenticate unknown user %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Attempt to authenticate unknown user"), + dup22, + ])); + + var msg307 = msg("LOGIN_PAM_USER_UNKNOWN", part331); + + var part332 = match("MESSAGE#303:LOGIN_PASSWORD_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Forcing change of expired password for user %{username}>", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Forcing change of expired password for user"), + dup22, + ])); + + var msg308 = msg("LOGIN_PASSWORD_EXPIRED", part332); + + var part333 = match("MESSAGE#304:LOGIN_REFUSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login of user %{username->} from host %{shost->} on %{terminal->} was refused: %{info}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Login of user refused"), + dup22, + ])); + + var msg309 = msg("LOGIN_REFUSED", part333); + + var 
part334 = match("MESSAGE#305:LOGIN_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} logged in as root from host %{shost->} on %{terminal}", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","successful login as root"), + setc("result","User logged in as root"), + dup22, + ])); + + var msg310 = msg("LOGIN_ROOT", part334); + + var part335 = match("MESSAGE#306:LOGIN_TIMED_OUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login attempt timed out after %{dclass_counter1->} seconds", processor_chain([ + dup43, + dup33, + dup35, + dup42, + dup21, + dup74, + setc("result","Login attempt timed out"), + dup22, + ])); + + var msg311 = msg("LOGIN_TIMED_OUT", part335); + + var part336 = match("MESSAGE#307:MIB2D_ATM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MIB2D ATM ERROR"), + dup22, + ])); + + var msg312 = msg("MIB2D_ATM_ERROR", part336); + + var part337 = match("MESSAGE#308:MIB2D_CONFIG_CHECK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CONFIG CHECK FAILED"), + dup22, + ])); + + var msg313 = msg("MIB2D_CONFIG_CHECK_FAILED", part337); + + var part338 = match("MESSAGE#309:MIB2D_FILE_OPEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)': %{result}", processor_chain([ + dup29, + dup21, + dup77, + dup22, + ])); + + var msg314 = msg("MIB2D_FILE_OPEN_FAILURE", part338); + + var msg315 = msg("MIB2D_IFD_IFINDEX_FAILURE", dup143); + + var msg316 = msg("MIB2D_IFL_IFINDEX_FAILURE", dup143); + + var part339 = match("MESSAGE#312:MIB2D_INIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mib2d initialization failure: %{result}", processor_chain([ + dup29, + dup21, + 
setc("event_description","mib2d initialization failure"), + dup22, + ])); + + var msg317 = msg("MIB2D_INIT_FAILURE", part339); + + var part340 = match("MESSAGE#313:MIB2D_KVM_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MIB2D KVM FAILURE"), + dup22, + ])); + + var msg318 = msg("MIB2D_KVM_FAILURE", part340); + + var part341 = match("MESSAGE#314:MIB2D_RTSLIB_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: failed in %{dclass_counter1->} %{dclass_counter2->} index (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","MIB2D RTSLIB READ FAILURE"), + dup22, + ])); + + var msg319 = msg("MIB2D_RTSLIB_READ_FAILURE", part341); + + var part342 = match("MESSAGE#315:MIB2D_RTSLIB_SEQ_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: sequence mismatch (%{result}), %{action}", processor_chain([ + dup29, + dup21, + setc("event_description","RTSLIB sequence mismatch"), + dup22, + ])); + + var msg320 = msg("MIB2D_RTSLIB_SEQ_MISMATCH", part342); + + var part343 = match("MESSAGE#316:MIB2D_SYSCTL_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MIB2D SYSCTL FAILURE"), + dup22, + ])); + + var msg321 = msg("MIB2D_SYSCTL_FAILURE", part343); + + var part344 = match("MESSAGE#317:MIB2D_TRAP_HEADER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: trap_request_header failed", processor_chain([ + dup29, + dup21, + setc("event_description","trap_request_header failed"), + dup22, + ])); + + var msg322 = msg("MIB2D_TRAP_HEADER_FAILURE", part344); + + var part345 = match("MESSAGE#318:MIB2D_TRAP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, 
+ dup21, + setc("event_description","MIB2D TRAP SEND FAILURE"), + dup22, + ])); + + var msg323 = msg("MIB2D_TRAP_SEND_FAILURE", part345); + + var part346 = match("MESSAGE#319:Multiuser", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: old requested_transition==%{change_new->} sighupped=%{result}", processor_chain([ + dup20, + dup21, + setc("event_description","user sighupped"), + dup22, + ])); + + var msg324 = msg("Multiuser", part346); + + var part347 = match("MESSAGE#320:NASD_AUTHENTICATION_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate authentication handle: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to allocate authentication handle"), + dup22, + ])); + + var msg325 = msg("NASD_AUTHENTICATION_CREATE_FAILED", part347); + + var part348 = match("MESSAGE#321:NASD_CHAP_AUTHENTICATION_IN_PROGRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown), authentication already in progress", processor_chain([ + dup79, + dup33, + dup42, + dup21, + setc("event_description","authentication already in progress"), + dup22, + ])); + + var msg326 = msg("NASD_CHAP_AUTHENTICATION_IN_PROGRESS", part348); + + var part349 = match("MESSAGE#322:NASD_CHAP_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: unable to obtain hostname for outgoing CHAP message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","unable to obtain hostname for outgoing CHAP message"), + dup22, + ])); + + var msg327 = msg("NASD_CHAP_GETHOSTNAME_FAILED", part349); + + var part350 = match("MESSAGE#323:NASD_CHAP_INVALID_CHAP_IDENTIFIER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %{filename->} expected CHAP ID: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","CHAP INVALID_CHAP IDENTIFIER"), + dup22, + ])); + + var msg328 
= msg("NASD_CHAP_INVALID_CHAP_IDENTIFIER", part350); + + var part351 = match("MESSAGE#324:NASD_CHAP_INVALID_OPCODE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}.%{dclass_counter1}: invalid operation code received %(unknown), CHAP ID: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","CHAP INVALID OPCODE"), + dup22, + ])); + + var msg329 = msg("NASD_CHAP_INVALID_OPCODE", part351); + + var part352 = match("MESSAGE#325:NASD_CHAP_LOCAL_NAME_UNAVAILABLE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine value for '%{username}' in outgoing CHAP packet", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to determine value for username in outgoing CHAP packet"), + dup22, + ])); + + var msg330 = msg("NASD_CHAP_LOCAL_NAME_UNAVAILABLE", part352); + + var part353 = match("MESSAGE#326:NASD_CHAP_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","CHAP MESSAGE UNEXPECTED"), + dup22, + ])); + + var msg331 = msg("NASD_CHAP_MESSAGE_UNEXPECTED", part353); + + var part354 = match("MESSAGE#327:NASD_CHAP_REPLAY_ATTACK_DETECTED", "nwparser.payload", "%{process}[%{ssid}]: %{event_type}: %{interface}.%{dclass_counter1}: received %{filename->} %{result}.%{info}", processor_chain([ + dup80, + dup21, + setc("event_description","CHAP REPLAY ATTACK DETECTED"), + dup22, + ])); + + var msg332 = msg("NASD_CHAP_REPLAY_ATTACK_DETECTED", part354); + + var part355 = match("MESSAGE#328:NASD_CONFIG_GET_LAST_MODIFIED_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine last modified time of JUNOS configuration database: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to determine last modified time of JUNOS configuration database"), + dup22, + ])); + + var msg333 = 
msg("NASD_CONFIG_GET_LAST_MODIFIED_FAILED", part355); + + var msg334 = msg("NASD_DAEMONIZE_FAILED", dup137); + + var part356 = match("MESSAGE#330:NASD_DB_ALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate database object: %(unknown), %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to allocate database object"), + dup22, + ])); + + var msg335 = msg("NASD_DB_ALLOC_FAILURE", part356); + + var part357 = match("MESSAGE#331:NASD_DB_TABLE_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %(unknown), %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","DB TABLE CREATE FAILURE"), + dup22, + ])); + + var msg336 = msg("NASD_DB_TABLE_CREATE_FAILURE", part357); + + var msg337 = msg("NASD_DUPLICATE", dup138); + + var part358 = match("MESSAGE#333:NASD_EVLIB_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} with: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","EVLIB CREATE FAILURE"), + dup22, + ])); + + var msg338 = msg("NASD_EVLIB_CREATE_FAILURE", part358); + + var part359 = match("MESSAGE#334:NASD_EVLIB_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} value: %{result}, error: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","EVLIB EXIT FAILURE"), + dup22, + ])); + + var msg339 = msg("NASD_EVLIB_EXIT_FAILURE", part359); + + var part360 = match("MESSAGE#335:NASD_LOCAL_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate LOCAL module handle: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to allocate LOCAL module handle"), + dup22, + ])); + + var msg340 = msg("NASD_LOCAL_CREATE_FAILED", part360); + + var part361 = match("MESSAGE#336:NASD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be 
run as root", processor_chain([ + dup62, + dup21, + setc("event_description","NASD must be run as root"), + dup22, + ])); + + var msg341 = msg("NASD_NOT_ROOT", part361); + + var msg342 = msg("NASD_PID_FILE_LOCK", dup139); + + var msg343 = msg("NASD_PID_FILE_UPDATE", dup140); + + var part362 = match("MESSAGE#339:NASD_POST_CONFIGURE_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","POST CONFIGURE EVENT FAILED"), + dup22, + ])); + + var msg344 = msg("NASD_POST_CONFIGURE_EVENT_FAILED", part362); + + var part363 = match("MESSAGE#340:NASD_PPP_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","PPP READ FAILURE"), + dup22, + ])); + + var msg345 = msg("NASD_PPP_READ_FAILURE", part363); + + var part364 = match("MESSAGE#341:NASD_PPP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to send message"), + dup22, + ])); + + var msg346 = msg("NASD_PPP_SEND_FAILURE", part364); + + var part365 = match("MESSAGE#342:NASD_PPP_SEND_PARTIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send all of message: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to send all of message"), + dup22, + ])); + + var msg347 = msg("NASD_PPP_SEND_PARTIAL", part365); + + var part366 = match("MESSAGE#343:NASD_PPP_UNRECOGNIZED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unrecognized authentication protocol: %{protocol}", processor_chain([ + dup29, + dup21, + setc("event_description","Unrecognized authentication protocol"), + dup22, + ])); + + var msg348 = msg("NASD_PPP_UNRECOGNIZED", part366); + + var part367 = 
match("MESSAGE#344:NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} when allocating password for RADIUS: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS password allocation failure"), + dup22, + ])); + + var msg349 = msg("NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", part367); + + var part368 = match("MESSAGE#345:NASD_RADIUS_CONFIG_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS CONFIG FAILED"), + dup22, + ])); + + var msg350 = msg("NASD_RADIUS_CONFIG_FAILED", part368); + + var part369 = match("MESSAGE#346:NASD_RADIUS_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate RADIUS module handle: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to allocate RADIUS module handle"), + dup22, + ])); + + var msg351 = msg("NASD_RADIUS_CREATE_FAILED", part369); + + var part370 = match("MESSAGE#347:NASD_RADIUS_CREATE_REQUEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS CREATE REQUEST FAILED"), + dup22, + ])); + + var msg352 = msg("NASD_RADIUS_CREATE_REQUEST_FAILED", part370); + + var part371 = match("MESSAGE#348:NASD_RADIUS_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain hostname for outgoing RADIUS message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to obtain hostname for outgoing RADIUS message"), + dup22, + ])); + + var msg353 = msg("NASD_RADIUS_GETHOSTNAME_FAILED", part371); + + var part372 = match("MESSAGE#349:NASD_RADIUS_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown response from RADIUS server: %{result}", processor_chain([ + dup29, 
+ dup21, + setc("event_description","Unknown response from RADIUS server"), + dup22, + ])); + + var msg354 = msg("NASD_RADIUS_MESSAGE_UNEXPECTED", part372); + + var part373 = match("MESSAGE#350:NASD_RADIUS_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS OPEN FAILED"), + dup22, + ])); + + var msg355 = msg("NASD_RADIUS_OPEN_FAILED", part373); + + var part374 = match("MESSAGE#351:NASD_RADIUS_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS SELECT FAILED"), + dup22, + ])); + + var msg356 = msg("NASD_RADIUS_SELECT_FAILED", part374); + + var part375 = match("MESSAGE#352:NASD_RADIUS_SET_TIMER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS SET TIMER FAILED"), + dup22, + ])); + + var msg357 = msg("NASD_RADIUS_SET_TIMER_FAILED", part375); + + var part376 = match("MESSAGE#353:NASD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TRACE FILE OPEN FAILED"), + dup22, + ])); + + var msg358 = msg("NASD_TRACE_FILE_OPEN_FAILED", part376); + + var part377 = match("MESSAGE#354:NASD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","NASD Usage"), + dup22, + ])); + + var msg359 = msg("NASD_usage", part377); + + var part378 = match("MESSAGE#355:NOTICE", "nwparser.payload", "%{agent}: %{event_type}:%{action}: %{event_description}: The %{result}", processor_chain([ + dup20, + dup21, + dup22, + ])); + + var msg360 = msg("NOTICE", part378); + + var part379 = match("MESSAGE#356:PFE_FW_SYSLOG_IP", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ + dup20, + dup21, + dup81, + dup22, + ])); + + var msg361 = msg("PFE_FW_SYSLOG_IP", part379); + + var part380 = match("MESSAGE#357:PFE_FW_SYSLOG_IP:01", "nwparser.payload", "%{hostip->} %{hostname->} %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ + dup20, + dup21, + dup81, + dup22, + ])); + + var msg362 = msg("PFE_FW_SYSLOG_IP:01", part380); + + var select36 = linear_select([ + msg361, + msg362, + ]); + + var part381 = match("MESSAGE#358:PFE_NH_RESOLVE_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ + dup20, + dup21, + setc("event_description","Next-hop resolution requests throttled"), + dup22, + ])); + + var msg363 = msg("PFE_NH_RESOLVE_THROTTLED", part381); + + var part382 = match("MESSAGE#359:PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","PING TEST COMPLETED"), + dup22, + ])); + + var msg364 = msg("PING_TEST_COMPLETED", part382); + + var part383 = match("MESSAGE#360:PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","PING TEST FAILED"), + dup22, + ])); + + var msg365 = msg("PING_TEST_FAILED", part383); + + var part384 = match("MESSAGE#361:process_mode/2", "nwparser.p0", "%{} %{p0}"); + + var part385 = match("MESSAGE#361:process_mode/3_0", "nwparser.p0", "%{event_type}: %{p0}"); + + var part386 = 
match("MESSAGE#361:process_mode/3_1", "nwparser.p0", "%{event_type->} %{p0}"); + + var select37 = linear_select([ + part385, + part386, + ]); + + var part387 = match("MESSAGE#361:process_mode/4", "nwparser.p0", "%{}mode=%{protocol->} cmd=%{action->} master_mode=%{result}"); + + var all21 = all_match({ + processors: [ + dup38, + dup134, + part384, + select37, + part387, + ], + on_success: processor_chain([ + dup20, + dup21, + dup82, + dup22, + ]), + }); + + var msg366 = msg("process_mode", all21); + + var part388 = match("MESSAGE#362:process_mode:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ + dup20, + dup21, + dup82, + dup22, + ])); + + var msg367 = msg("process_mode:01", part388); + + var select38 = linear_select([ + msg366, + msg367, + ]); + + var part389 = match("MESSAGE#363:PWC_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} exiting with status %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","process exit with status"), + dup22, + ])); + + var msg368 = msg("PWC_EXIT", part389); + + var part390 = match("MESSAGE#364:PWC_HOLD_RELEASE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} released child %{child_pid->} from %{dclass_counter1->} state", processor_chain([ + dup20, + dup21, + setc("event_description","Process released child from state"), + dup22, + ])); + + var msg369 = msg("PWC_HOLD_RELEASE", part390); + + var part391 = match("MESSAGE#365:PWC_INVALID_RUNS_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}, not %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","invalid runs argument"), + dup22, + ])); + + var msg370 = msg("PWC_INVALID_RUNS_ARGUMENT", part391); + + var part392 = match("MESSAGE#366:PWC_INVALID_TIMEOUT_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","INVALID TIMEOUT ARGUMENT"), + dup22, + ])); + + var msg371 = msg("PWC_INVALID_TIMEOUT_ARGUMENT", part392); + + var part393 = match("MESSAGE#367:PWC_KILLED_BY_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} received terminating signal", processor_chain([ + dup20, + dup21, + setc("event_description","pwc process received terminating signal"), + dup22, + ])); + + var msg372 = msg("PWC_KILLED_BY_SIGNAL", part393); + + var part394 = match("MESSAGE#368:PWC_KILL_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc is sending %{resultcode->} to child %{child_pid}", processor_chain([ + dup29, + dup21, + setc("event_description","pwc is sending kill event to child"), + dup22, + ])); + + var msg373 = msg("PWC_KILL_EVENT", part394); + + var part395 = match("MESSAGE#369:PWC_KILL_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to kill process %{child_pid}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to kill process"), + dup22, + ])); + + var msg374 = msg("PWC_KILL_FAILED", part395); + + var part396 = match("MESSAGE#370:PWC_KQUEUE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: kevent failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","kevent failed"), + dup22, + ])); + + var msg375 = msg("PWC_KQUEUE_ERROR", part396); + + var part397 = match("MESSAGE#371:PWC_KQUEUE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create kqueue: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to create kqueue"), + dup22, + ])); + + var msg376 = msg("PWC_KQUEUE_INIT", part397); + + var part398 = match("MESSAGE#372:PWC_KQUEUE_REGISTER_FILTER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to register kqueue filter: 
%{agent->} for purpose: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to register kqueue filter"), + dup22, + ])); + + var msg377 = msg("PWC_KQUEUE_REGISTER_FILTER", part398); + + var part399 = match("MESSAGE#373:PWC_LOCKFILE_BAD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file has bad format: %{agent}", processor_chain([ + dup29, + dup21, + setc("event_description","PID lock file has bad format"), + dup22, + ])); + + var msg378 = msg("PWC_LOCKFILE_BAD_FORMAT", part399); + + var part400 = match("MESSAGE#374:PWC_LOCKFILE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file had error: %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","PID lock file error"), + dup22, + ])); + + var msg379 = msg("PWC_LOCKFILE_ERROR", part400); + + var part401 = match("MESSAGE#375:PWC_LOCKFILE_MISSING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not found: %{agent}", processor_chain([ + dup29, + dup21, + setc("event_description","PID lock file not found"), + dup22, + ])); + + var msg380 = msg("PWC_LOCKFILE_MISSING", part401); + + var part402 = match("MESSAGE#376:PWC_LOCKFILE_NOT_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not locked: %{agent}", processor_chain([ + dup29, + dup21, + setc("event_description","PID lock file not locked"), + dup22, + ])); + + var msg381 = msg("PWC_LOCKFILE_NOT_LOCKED", part402); + + var part403 = match("MESSAGE#377:PWC_NO_PROCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No process specified", processor_chain([ + dup29, + dup21, + setc("event_description","No process specified for PWC"), + dup22, + ])); + + var msg382 = msg("PWC_NO_PROCESS", part403); + + var part404 = match("MESSAGE#378:PWC_PROCESS_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} child %{child_pid->} exited with 
status %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","pwc process exited with status"), + dup22, + ])); + + var msg383 = msg("PWC_PROCESS_EXIT", part404); + + var part405 = match("MESSAGE#379:PWC_PROCESS_FORCED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} forcing hold down of child %{child_pid->} until signal", processor_chain([ + dup20, + dup21, + setc("event_description","Process forcing hold down of child until signalled"), + dup22, + ])); + + var msg384 = msg("PWC_PROCESS_FORCED_HOLD", part405); + + var part406 = match("MESSAGE#380:PWC_PROCESS_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} until signal", processor_chain([ + dup20, + dup21, + setc("event_description","Process holding down child until signalled"), + dup22, + ])); + + var msg385 = msg("PWC_PROCESS_HOLD", part406); + + var part407 = match("MESSAGE#381:PWC_PROCESS_HOLD_SKIPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} will not down child %{child_pid->} because of %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Process not holding down child"), + dup22, + ])); + + var msg386 = msg("PWC_PROCESS_HOLD_SKIPPED", part407); + + var part408 = match("MESSAGE#382:PWC_PROCESS_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create child process with pidpopen: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to create child process with pidpopen"), + dup22, + ])); + + var msg387 = msg("PWC_PROCESS_OPEN", part408); + + var part409 = match("MESSAGE#383:PWC_PROCESS_TIMED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Process holding down child"), + dup22, + ])); + + var msg388 = 
msg("PWC_PROCESS_TIMED_HOLD", part409); + + var part410 = match("MESSAGE#384:PWC_PROCESS_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child timed out %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Child process timed out"), + dup22, + ])); + + var msg389 = msg("PWC_PROCESS_TIMEOUT", part410); + + var part411 = match("MESSAGE#385:PWC_SIGNAL_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: signal(%{agent}) failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","signal failure"), + dup22, + ])); + + var msg390 = msg("PWC_SIGNAL_INIT", part411); + + var part412 = match("MESSAGE#386:PWC_SOCKET_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to connect socket to %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to connect socket to service"), + dup22, + ])); + + var msg391 = msg("PWC_SOCKET_CONNECT", part412); + + var part413 = match("MESSAGE#387:PWC_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create socket: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to create socket"), + dup22, + ])); + + var msg392 = msg("PWC_SOCKET_CREATE", part413); + + var part414 = match("MESSAGE#388:PWC_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to set socket option %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to set socket option"), + dup22, + ])); + + var msg393 = msg("PWC_SOCKET_OPTION", part414); + + var part415 = match("MESSAGE#389:PWC_STDOUT_WRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Write to stdout failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Write to stdout failed"), + dup22, + ])); + + var msg394 = msg("PWC_STDOUT_WRITE", part415); + + var part416 = 
match("MESSAGE#390:PWC_SYSTEM_CALL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","PWC SYSTEM CALL"), + dup22, + ])); + + var msg395 = msg("PWC_SYSTEM_CALL", part416); + + var part417 = match("MESSAGE#391:PWC_UNKNOWN_KILL_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown kill option [%{agent}]", processor_chain([ + dup29, + dup21, + setc("event_description","Unknown kill option"), + dup22, + ])); + + var msg396 = msg("PWC_UNKNOWN_KILL_OPTION", part417); + + var part418 = match("MESSAGE#392:RMOPD_ADDRESS_MULTICAST_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Multicast address is not allowed", processor_chain([ + dup29, + dup21, + setc("event_description","Multicast address not allowed"), + dup22, + ])); + + var msg397 = msg("RMOPD_ADDRESS_MULTICAST_INVALID", part418); + + var part419 = match("MESSAGE#393:RMOPD_ADDRESS_SOURCE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Source address invalid: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RMOPD ADDRESS SOURCE INVALID"), + dup22, + ])); + + var msg398 = msg("RMOPD_ADDRESS_SOURCE_INVALID", part419); + + var part420 = match("MESSAGE#394:RMOPD_ADDRESS_STRING_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to convert numeric address to string: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to convert numeric address to string"), + dup22, + ])); + + var msg399 = msg("RMOPD_ADDRESS_STRING_FAILURE", part420); + + var part421 = match("MESSAGE#395:RMOPD_ADDRESS_TARGET_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rmop_util_set_address status message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","rmop_util_set_address status message invalid"), + dup22, + ])); + + var msg400 = 
msg("RMOPD_ADDRESS_TARGET_INVALID", part421); + + var msg401 = msg("RMOPD_DUPLICATE", dup138); + + var part422 = match("MESSAGE#397:RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Only IPv4 source address is supported", processor_chain([ + dup29, + dup21, + setc("event_description","Only IPv4 source address is supported"), + dup22, + ])); + + var msg402 = msg("RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", part422); + + var part423 = match("MESSAGE#398:RMOPD_ICMP_SENDMSG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{fld1}: No route to host", processor_chain([ + dup29, + dup21, + setc("event_description","No route to host"), + dup22, + ])); + + var msg403 = msg("RMOPD_ICMP_SENDMSG_FAILURE", part423); + + var part424 = match("MESSAGE#399:RMOPD_IFINDEX_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifindex: %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","IFINDEX NOT ACTIVE"), + dup22, + ])); + + var msg404 = msg("RMOPD_IFINDEX_NOT_ACTIVE", part424); + + var part425 = match("MESSAGE#400:RMOPD_IFINDEX_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","IFINDEX NO INFO"), + dup22, + ])); + + var msg405 = msg("RMOPD_IFINDEX_NO_INFO", part425); + + var part426 = match("MESSAGE#401:RMOPD_IFNAME_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifname: %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","RMOPD IFNAME NOT ACTIVE"), + dup22, + ])); + + var msg406 = msg("RMOPD_IFNAME_NOT_ACTIVE", part426); + + var part427 = match("MESSAGE#402:RMOPD_IFNAME_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","IFNAME NO INFO"), + dup22, + 
])); + + var msg407 = msg("RMOPD_IFNAME_NO_INFO", part427); + + var part428 = match("MESSAGE#403:RMOPD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup62, + dup21, + setc("event_description","RMOPD Must be run as root"), + dup22, + ])); + + var msg408 = msg("RMOPD_NOT_ROOT", part428); + + var part429 = match("MESSAGE#404:RMOPD_ROUTING_INSTANCE_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for routing instance %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","No information for routing instance"), + dup22, + ])); + + var msg409 = msg("RMOPD_ROUTING_INSTANCE_NO_INFO", part429); + + var part430 = match("MESSAGE#405:RMOPD_TRACEROUTE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TRACEROUTE ERROR"), + dup22, + ])); + + var msg410 = msg("RMOPD_TRACEROUTE_ERROR", part430); + + var part431 = match("MESSAGE#406:RMOPD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","RMOPD usage"), + dup22, + ])); + + var msg411 = msg("RMOPD_usage", part431); + + var part432 = match("MESSAGE#407:RPD_ABORT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD ABORT"), + dup22, + ])); + + var msg412 = msg("RPD_ABORT", part432); + + var part433 = match("MESSAGE#408:RPD_ACTIVE_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Exiting with active tasks: %{agent}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD exiting with active tasks"), + dup22, + ])); + + var msg413 = msg("RPD_ACTIVE_TERMINATE", part433); + + var part434 = 
match("MESSAGE#409:RPD_ASSERT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Assertion failed %{resultcode}: file \"%(unknown)\", line %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD Assertion failed"), + dup22, + ])); + + var msg414 = msg("RPD_ASSERT", part434); + + var part435 = match("MESSAGE#410:RPD_ASSERT_SOFT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Soft assertion failed %{resultcode}: file \"%(unknown)\", line %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD Soft assertion failed"), + dup22, + ])); + + var msg415 = msg("RPD_ASSERT_SOFT", part435); + + var part436 = match("MESSAGE#411:RPD_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}", processor_chain([ + dup20, + dup21, + setc("event_description","RPD EXIT"), + dup22, + ])); + + var msg416 = msg("RPD_EXIT", part436); + + var msg417 = msg("RPD_IFL_INDEXCOLLISION", dup144); + + var msg418 = msg("RPD_IFL_NAMECOLLISION", dup144); + + var part437 = match("MESSAGE#414:RPD_ISIS_ADJDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS lost %{dclass_counter1->} adjacency to %{dclass_counter2->} on %{interface}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","IS-IS lost adjacency"), + dup22, + ])); + + var msg419 = msg("RPD_ISIS_ADJDOWN", part437); + + var part438 = match("MESSAGE#415:RPD_ISIS_ADJUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","IS-IS new adjacency"), + dup22, + ])); + + var msg420 = msg("RPD_ISIS_ADJUP", part438); + + var part439 = match("MESSAGE#416:RPD_ISIS_ADJUPNOIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to 
%{dclass_counter2->} %{interface->} without an address", processor_chain([ + dup29, + dup21, + setc("event_description","IS-IS new adjacency without an address"), + dup22, + ])); + + var msg421 = msg("RPD_ISIS_ADJUPNOIP", part439); + + var part440 = match("MESSAGE#417:RPD_ISIS_LSPCKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS %{dclass_counter1->} LSP checksum error, interface %{interface}, LSP id %{id}, sequence %{dclass_counter2}, checksum %{resultcode}, lifetime %{fld2}", processor_chain([ + dup29, + dup21, + setc("event_description","IS-IS LSP checksum error on iterface"), + dup22, + ])); + + var msg422 = msg("RPD_ISIS_LSPCKSUM", part440); + + var part441 = match("MESSAGE#418:RPD_ISIS_OVERLOAD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS database overload", processor_chain([ + dup29, + dup21, + setc("event_description","IS-IS database overload"), + dup22, + ])); + + var msg423 = msg("RPD_ISIS_OVERLOAD", part441); + + var part442 = match("MESSAGE#419:RPD_KRT_AFUNSUPRT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: received %{agent->} message with unsupported address family %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","message with unsupported address family received"), + dup22, + ])); + + var msg424 = msg("RPD_KRT_AFUNSUPRT", part442); + + var part443 = match("MESSAGE#420:RPD_KRT_CCC_IFL_MODIFY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, error", processor_chain([ + dup29, + dup21, + setc("event_description","RPD KRT CCC IFL MODIFY"), + dup22, + ])); + + var msg425 = msg("RPD_KRT_CCC_IFL_MODIFY", part443); + + var part444 = match("MESSAGE#421:RPD_KRT_DELETED_RTT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: received deleted routing table from the kernel for family %{dclass_counter1->} table ID %{dclass_counter2}", processor_chain([ + dup29, + dup21, + 
setc("event_description","received deleted routing table from kernel"), + dup22, + ])); + + var msg426 = msg("RPD_KRT_DELETED_RTT", part444); + + var part445 = match("MESSAGE#422:RPD_KRT_IFA_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifa generation mismatch -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ifa generation mismatch"), + dup22, + ])); + + var msg427 = msg("RPD_KRT_IFA_GENERATION", part445); + + var part446 = match("MESSAGE#423:RPD_KRT_IFDCHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} CHANGE for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ + dup29, + dup21, + setc("event_description","CHANGE for ifd failed"), + dup22, + ])); + + var msg428 = msg("RPD_KRT_IFDCHANGE", part446); + + var part447 = match("MESSAGE#424:RPD_KRT_IFDEST_GET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} SERVICE: %{service->} for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ + dup29, + dup21, + setc("event_description","GET SERVICE failure on interface"), + dup22, + ])); + + var msg429 = msg("RPD_KRT_IFDEST_GET", part447); + + var part448 = match("MESSAGE#425:RPD_KRT_IFDGET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} GET index for ifd interface failed, error \"%{result}\"", processor_chain([ + dup29, + dup21, + setc("event_description","GET index for ifd interface failed"), + dup22, + ])); + + var msg430 = msg("RPD_KRT_IFDGET", part448); + + var part449 = match("MESSAGE#426:RPD_KRT_IFD_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifd %{dclass_counter1->} generation mismatch -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ifd generation mismatch"), + dup22, + ])); + + var msg431 = msg("RPD_KRT_IFD_GENERATION", part449); + + var part450 = match("MESSAGE#427:RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","KRT IFL CELL RELAY MODE INVALID"), + dup22, + ])); + + var msg432 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", part450); + + var part451 = match("MESSAGE#428:RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","KRT IFL CELL RELAY MODE UNSPECIFIED"), + dup22, + ])); + + var msg433 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", part451); + + var part452 = match("MESSAGE#429:RPD_KRT_IFL_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl %{interface->} generation mismatch -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ifl generation mismatch"), + dup22, + ])); + + var msg434 = msg("RPD_KRT_IFL_GENERATION", part452); + + var part453 = match("MESSAGE#430:RPD_KRT_KERNEL_BAD_ROUTE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: lost %{interface->} %{dclass_counter1->} for route %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","lost interface for route"), + dup22, + ])); + + var msg435 = msg("RPD_KRT_KERNEL_BAD_ROUTE", part453); + + var part454 = match("MESSAGE#431:RPD_KRT_NEXTHOP_OVERFLOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: number of next hops (%{dclass_counter1}) exceeded the maximum allowed (%{dclass_counter2}) -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","number of next hops exceeded the maximum"), + dup22, + ])); + + var msg436 = msg("RPD_KRT_NEXTHOP_OVERFLOW", part454); + + var part455 = match("MESSAGE#432:RPD_KRT_NOIFD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No device %{dclass_counter1->} for interface %{interface}", processor_chain([ + dup29, + dup21, + 
setc("event_description","No device for interface"), + dup22, + ])); + + var msg437 = msg("RPD_KRT_NOIFD", part455); + + var part456 = match("MESSAGE#433:RPD_KRT_UNKNOWN_RTT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: received routing table message for unknown table with kernel ID %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","received routing table message for unknown table"), + dup22, + ])); + + var msg438 = msg("RPD_KRT_UNKNOWN_RTT", part456); + + var part457 = match("MESSAGE#434:RPD_KRT_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket version mismatch (%{info}) -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Routing socket version mismatch"), + dup22, + ])); + + var msg439 = msg("RPD_KRT_VERSION", part457); + + var part458 = match("MESSAGE#435:RPD_KRT_VERSIONNONE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is not supported by kernel, %{info->} -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Routing socket message type not supported by kernel"), + dup22, + ])); + + var msg440 = msg("RPD_KRT_VERSIONNONE", part458); + + var part459 = match("MESSAGE#436:RPD_KRT_VERSIONOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is older than expected (%{info}) -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Routing socket message type version is older than expected"), + dup22, + ])); + + var msg441 = msg("RPD_KRT_VERSIONOLD", part459); + + var part460 = match("MESSAGE#437:RPD_LDP_INTF_BLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate session ID detected from %{daddr}, interface %{interface}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Duplicate session ID detected"), + dup22, + ])); 
+ + var msg442 = msg("RPD_LDP_INTF_BLOCKED", part460); + + var part461 = match("MESSAGE#438:RPD_LDP_INTF_UNBLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP interface %{interface->} is now %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","LDP interface now unblocked"), + dup22, + ])); + + var msg443 = msg("RPD_LDP_INTF_UNBLOCKED", part461); + + var part462 = match("MESSAGE#439:RPD_LDP_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ + setc("eventcategory","1603030000"), + dup21, + setc("event_description","LDP neighbor down"), + dup22, + ])); + + var msg444 = msg("RPD_LDP_NBRDOWN", part462); + + var part463 = match("MESSAGE#440:RPD_LDP_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","LDP neighbor up"), + dup22, + ])); + + var msg445 = msg("RPD_LDP_NBRUP", part463); + + var part464 = match("MESSAGE#441:RPD_LDP_SESSIONDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is down, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","LDP session down"), + dup22, + ])); + + var msg446 = msg("RPD_LDP_SESSIONDOWN", part464); + + var part465 = match("MESSAGE#442:RPD_LDP_SESSIONUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is up", processor_chain([ + dup20, + dup21, + setc("event_description","LDP session up"), + dup22, + ])); + + var msg447 = msg("RPD_LDP_SESSIONUP", part465); + + var part466 = match("MESSAGE#443:RPD_LOCK_FLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to obtain a lock"), + dup22, + ])); + + var msg448 = 
msg("RPD_LOCK_FLOCKED", part466); + + var part467 = match("MESSAGE#444:RPD_LOCK_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to obtain service lock"), + dup22, + ])); + + var msg449 = msg("RPD_LOCK_LOCKED", part467); + + var part468 = match("MESSAGE#445:RPD_MPLS_LSP_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","MPLS LSP CHANGE"), + dup22, + ])); + + var msg450 = msg("RPD_MPLS_LSP_CHANGE", part468); + + var part469 = match("MESSAGE#446:RPD_MPLS_LSP_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MPLS LSP DOWN"), + dup22, + ])); + + var msg451 = msg("RPD_MPLS_LSP_DOWN", part469); + + var part470 = match("MESSAGE#447:RPD_MPLS_LSP_SWITCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}, Route %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","MPLS LSP SWITCH"), + dup22, + ])); + + var msg452 = msg("RPD_MPLS_LSP_SWITCH", part470); + + var part471 = match("MESSAGE#448:RPD_MPLS_LSP_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","MPLS LSP UP"), + dup22, + ])); + + var msg453 = msg("RPD_MPLS_LSP_UP", part471); + + var part472 = match("MESSAGE#449:RPD_MSDP_PEER_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MSDP PEER DOWN"), + dup22, + ])); + + var msg454 = msg("RPD_MSDP_PEER_DOWN", part472); + + var part473 = match("MESSAGE#450:RPD_MSDP_PEER_UP", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","MSDP PEER UP"), + dup22, + ])); + + var msg455 = msg("RPD_MSDP_PEER_UP", part473); + + var part474 = match("MESSAGE#451:RPD_OSPF_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","OSPF neighbor down"), + dup22, + ])); + + var msg456 = msg("RPD_OSPF_NBRDOWN", part474); + + var part475 = match("MESSAGE#452:RPD_OSPF_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","OSPF neighbor up"), + dup22, + ])); + + var msg457 = msg("RPD_OSPF_NBRUP", part475); + + var part476 = match("MESSAGE#453:RPD_OS_MEMHIGH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using %{dclass_counter1->} KB of memory, %{info}", processor_chain([ + dup50, + dup21, + setc("event_description","OS MEMHIGH"), + dup22, + ])); + + var msg458 = msg("RPD_OS_MEMHIGH", part476); + + var part477 = match("MESSAGE#454:RPD_PIM_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM neighbor %{daddr->} timeout interface %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","PIM neighbor down"), + setc("result","timeout"), + dup22, + ])); + + var msg459 = msg("RPD_PIM_NBRDOWN", part477); + + var part478 = match("MESSAGE#455:RPD_PIM_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM new neighbor %{daddr->} interface %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","PIM neighbor up"), + dup22, + ])); + + var msg460 = msg("RPD_PIM_NBRUP", part478); + + var part479 = match("MESSAGE#456:RPD_RDISC_CKSUM", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Bad checksum for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Bad checksum for router solicitation"), + dup22, + ])); + + var msg461 = msg("RPD_RDISC_CKSUM", part479); + + var part480 = match("MESSAGE#457:RPD_RDISC_NOMULTI", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring interface %{dclass_counter1->} on %{interface->} -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Ignoring interface"), + dup22, + ])); + + var msg462 = msg("RPD_RDISC_NOMULTI", part480); + + var part481 = match("MESSAGE#458:RPD_RDISC_NORECVIF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to locate interface for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to locate interface for router"), + dup22, + ])); + + var msg463 = msg("RPD_RDISC_NORECVIF", part481); + + var part482 = match("MESSAGE#459:RPD_RDISC_SOLICITADDR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Expected multicast (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Expected multicast for router solicitation"), + dup22, + ])); + + var msg464 = msg("RPD_RDISC_SOLICITADDR", part482); + + var part483 = match("MESSAGE#460:RPD_RDISC_SOLICITICMP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Nonzero ICMP code (%{resultcode}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Nonzero ICMP code for router solicitation"), + dup22, + ])); + + var msg465 = msg("RPD_RDISC_SOLICITICMP", part483); + + var part484 = match("MESSAGE#461:RPD_RDISC_SOLICITLEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Insufficient length (%{dclass_counter1}) for router solicitation from %{saddr->} 
to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Insufficient length for router solicitation"), + dup22, + ])); + + var msg466 = msg("RPD_RDISC_SOLICITLEN", part484); + + var part485 = match("MESSAGE#462:RPD_RIP_AUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Update with invalid authentication from %{saddr->} (%{interface})", processor_chain([ + dup29, + dup21, + setc("event_description","RIP update with invalid authentication"), + dup22, + ])); + + var msg467 = msg("RPD_RIP_AUTH", part485); + + var part486 = match("MESSAGE#463:RPD_RIP_JOIN_BROADCAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get broadcast address %{interface}; %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RIP - unable to get broadcast address"), + dup22, + ])); + + var msg468 = msg("RPD_RIP_JOIN_BROADCAST", part486); + + var part487 = match("MESSAGE#464:RPD_RIP_JOIN_MULTICAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to join multicast group %{interface}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RIP - Unable to join multicast group"), + dup22, + ])); + + var msg469 = msg("RPD_RIP_JOIN_MULTICAST", part487); + + var part488 = match("MESSAGE#465:RPD_RT_IFUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: UP route for interface %{interface->} index %{dclass_counter1->} %{saddr}/%{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","RIP interface up"), + dup22, + ])); + + var msg470 = msg("RPD_RT_IFUP", part488); + + var msg471 = msg("RPD_SCHED_CALLBACK_LONGRUNTIME", dup145); + + var part489 = match("MESSAGE#467:RPD_SCHED_CUMULATIVE_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime (%{result}) after action of module", processor_chain([ + dup29, + dup21, + setc("event_description","excessive runtime after action of module"), + 
dup22, + ])); + + var msg472 = msg("RPD_SCHED_CUMULATIVE_LONGRUNTIME", part489); + + var msg473 = msg("RPD_SCHED_MODULE_LONGRUNTIME", dup145); + + var part490 = match("MESSAGE#469:RPD_SCHED_TASK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} ran for %{dclass_counter1}(%{dclass_counter2})", processor_chain([ + dup29, + dup21, + setc("event_description","task extended runtime"), + dup22, + ])); + + var msg474 = msg("RPD_SCHED_TASK_LONGRUNTIME", part490); + + var part491 = match("MESSAGE#470:RPD_SIGNAL_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} termination signal received", processor_chain([ + dup29, + dup21, + setc("event_description","termination signal received for service"), + dup22, + ])); + + var msg475 = msg("RPD_SIGNAL_TERMINATE", part491); + + var part492 = match("MESSAGE#471:RPD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Start %{dclass_counter1->} version version built %{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","version built"), + dup22, + ])); + + var msg476 = msg("RPD_START", part492); + + var part493 = match("MESSAGE#472:RPD_SYSTEM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: detail: %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","system command"), + dup22, + ])); + + var msg477 = msg("RPD_SYSTEM", part493); + + var part494 = match("MESSAGE#473:RPD_TASK_BEGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commencing routing updates, version %{dclass_counter1}, built %{dclass_counter2->} by builder", processor_chain([ + dup20, + dup21, + setc("event_description","Commencing routing updates"), + dup22, + ])); + + var msg478 = msg("RPD_TASK_BEGIN", part494); + + var part495 = match("MESSAGE#474:RPD_TASK_CHILDKILLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ + dup20, + 
dup21, + setc("event_description","task killed by signal"), + dup22, + ])); + + var msg479 = msg("RPD_TASK_CHILDKILLED", part495); + + var part496 = match("MESSAGE#475:RPD_TASK_CHILDSTOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","task stopped by signal"), + dup22, + ])); + + var msg480 = msg("RPD_TASK_CHILDSTOPPED", part496); + + var part497 = match("MESSAGE#476:RPD_TASK_FORK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork task: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to fork task"), + dup22, + ])); + + var msg481 = msg("RPD_TASK_FORK", part497); + + var part498 = match("MESSAGE#477:RPD_TASK_GETWD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: getwd: %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","RPD TASK GETWD"), + dup22, + ])); + + var msg482 = msg("RPD_TASK_GETWD", part498); + + var part499 = match("MESSAGE#478:RPD_TASK_NOREINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialization not possible", processor_chain([ + dup29, + dup21, + setc("event_description","Reinitialization not possible"), + dup22, + ])); + + var msg483 = msg("RPD_TASK_NOREINIT", part499); + + var part500 = match("MESSAGE#479:RPD_TASK_PIDCLOSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to close and remove %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to close and remove task"), + dup22, + ])); + + var msg484 = msg("RPD_TASK_PIDCLOSED", part500); + + var part501 = match("MESSAGE#480:RPD_TASK_PIDFLOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: flock(%{agent}, %{action}): %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD TASK PIDFLOCK"), + dup22, + ])); + + var msg485 = msg("RPD_TASK_PIDFLOCK", 
part501); + + var part502 = match("MESSAGE#481:RPD_TASK_PIDWRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to write %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to write"), + dup22, + ])); + + var msg486 = msg("RPD_TASK_PIDWRITE", part502); + + var msg487 = msg("RPD_TASK_REINIT", dup146); + + var part503 = match("MESSAGE#483:RPD_TASK_SIGNALIGNORE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sigaction(%{result}): %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","ignoring task signal"), + dup22, + ])); + + var msg488 = msg("RPD_TASK_SIGNALIGNORE", part503); + + var part504 = match("MESSAGE#484:RT_COS", "nwparser.payload", "%{process}: %{event_type}: COS IPC op %{dclass_counter1->} (%{agent}) failed, err %{resultcode->} (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","COS IPC op failed"), + dup22, + ])); + + var msg489 = msg("RT_COS", part504); + + var part505 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/2", "nwparser.p0", "%{fld5}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{p0}"); + + var part506 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{fld10}\" dst-nat-rule-%{p0}"); + + var part507 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_0", "nwparser.p0", "type=%{fld21->} dst-nat-rule-name=\"%{fld11}\"%{p0}"); + + var part508 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_1", "nwparser.p0", "name=\"%{fld11}\"%{p0}"); + + var select39 = linear_select([ + part507, + part508, + ]); + + var part509 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/6", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{fld13}\" username=\"%{username}\" roles=\"%{fld15}\" 
packet-incoming-interface=\"%{p0}"); + + var part510 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_0", "nwparser.p0", "%{dinterface}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" encrypted=%{fld8->} %{p0}"); + + var select40 = linear_select([ + part510, + dup91, + ]); + + var all22 = all_match({ + processors: [ + dup86, + dup147, + part505, + dup148, + part506, + select39, + part509, + select40, + dup92, + ], + on_success: processor_chain([ + dup27, + dup52, + dup53, + dup21, + dup51, + ]), + }); + + var msg490 = msg("RT_FLOW_SESSION_CREATE:02", all22); + + var part511 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/1_0", "nwparser.p0", "%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-type=\"%{fld20}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-type=\"%{fld10}\" dst-nat-rule-name=\"%{rule_template}\"%{p0}"); + + var part512 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/1_1", "nwparser.p0", "%{dport}\"%{p0}"); + + var select41 = linear_select([ + part511, + part512, + ]); + + var part513 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/2", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{p0}"); + + var part514 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/3_0", "nwparser.p0", "%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" username=\"%{username}\" roles=\"%{fld50}\" packet-incoming-interface=\"%{dinterface}\" application=\"%{application}\" nested-application=\"%{fld7}\" encrypted=\"%{fld8}\"%{p0}"); + + var part515 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/3_1", "nwparser.p0", "%{policyname}\"%{p0}"); + + var select42 = linear_select([ + part514, + part515, + ]); + + var all23 = all_match({ + processors: [ + dup86, + select41, + part513, + select42, + dup92, + ], + on_success: processor_chain([ + dup27, + dup52, + dup53, + 
dup21, + dup51, + ]), + }); + + var msg491 = msg("RT_FLOW_SESSION_CREATE", all23); + + var part516 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_0", "nwparser.payload", "%{process}: %{event_type}: session created%{p0}"); + + var part517 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_1", "nwparser.payload", "%{event_type}: session created%{p0}"); + + var select43 = linear_select([ + part516, + part517, + ]); + + var part518 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/1", "nwparser.p0", "%{} %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{p0}"); + + var part519 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_0", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{protocol->} %{fld15->} UNKNOWN UNKNOWN "); + + var part520 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_1", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{fld15->} "); + + var part521 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_2", "nwparser.p0", "%{info->} "); + + var select44 = linear_select([ + part519, + part520, + part521, + ]); + + var all24 = all_match({ + processors: [ + select43, + part518, + select44, + ], + on_success: processor_chain([ + dup27, + dup52, + dup53, + dup21, + setc("event_description","session created"), + dup22, + ]), + }); + + var msg492 = msg("RT_FLOW_SESSION_CREATE:01", all24); + + var select45 = linear_select([ + msg490, + msg491, + msg492, + ]); + + var part522 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/2", "nwparser.p0", "%{fld5}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" 
username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{p0}"); + + var part523 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_0", "nwparser.p0", "%{dinterface}\" encrypted=\"%{fld16}\" reason=\"%{result}\" src-vrf-grp=\"%{fld99}\" dst-vrf-grp=\"%{fld98}\"%{p0}"); + + var part524 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_1", "nwparser.p0", "%{dinterface}\" encrypted=%{fld16->} reason=\"%{result}\"%{p0}"); + + var select46 = linear_select([ + part523, + part524, + dup91, + ]); + + var all25 = all_match({ + processors: [ + dup86, + dup147, + part522, + select46, + dup92, + ], + on_success: processor_chain([ + dup93, + dup52, + dup94, + dup21, + dup51, + ]), + }); + + var msg493 = msg("RT_FLOW_SESSION_DENY:02", all25); + + var part525 = match("MESSAGE#489:RT_FLOW_SESSION_DENY", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\"]", processor_chain([ + dup93, + dup52, + dup94, + dup21, + dup51, + ])); + + var msg494 = msg("RT_FLOW_SESSION_DENY", part525); + + var part526 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/1", "nwparser.p0", "%{} %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone->} HTTP %{info}"); + + var all26 = all_match({ + processors: [ + dup149, + part526, + ], + on_success: processor_chain([ + dup26, + dup52, + dup94, + dup21, + dup97, + dup22, + ]), + }); + + var msg495 = msg("RT_FLOW_SESSION_DENY:03", all26); + + var part527 = match("MESSAGE#491:RT_FLOW_SESSION_DENY:01/1", "nwparser.p0", "%{} %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone}"); + + var all27 = all_match({ + processors: [ + dup149, + part527, + ], + on_success: processor_chain([ + dup26, + dup52, + dup94, + dup21, + dup97, + dup22, + ]), + }); + + var msg496 = 
msg("RT_FLOW_SESSION_DENY:01", all27); + + var select47 = linear_select([ + msg493, + msg494, + msg495, + msg496, + ]); + + var part528 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/6", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{p0}"); + + var part529 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_0", "nwparser.p0", "%{duration}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); + + var part530 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_1", "nwparser.p0", "%{duration}\"%{p0}"); + + var select48 = linear_select([ + part529, + part530, + ]); + + var all28 = all_match({ + processors: [ + dup98, + dup147, + dup99, + dup148, + dup100, + dup150, + part528, + select48, + dup92, + ], + on_success: processor_chain([ + dup26, + dup52, + dup54, + dup103, + dup21, + dup51, + ]), + }); + + var msg497 = msg("RT_FLOW_SESSION_CLOSE:01", all28); + + var part531 = match("MESSAGE#493:RT_FLOW_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" inbound-packets=\"%{packets}\" inbound-bytes=\"%{rbytes}\" outbound-packets=\"%{dclass_counter1}\" outbound-bytes=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup26, + dup52, + dup54, + dup21, + dup51, + ])); + + var msg498 = msg("RT_FLOW_SESSION_CLOSE", part531); + + var part532 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_0", "nwparser.payload", "%{process}: %{event_type}: session 
closed%{p0}"); + + var part533 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_1", "nwparser.payload", "%{event_type}: session closed%{p0}"); + + var select49 = linear_select([ + part532, + part533, + ]); + + var part534 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/1", "nwparser.p0", "%{} %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{info}"); + + var all29 = all_match({ + processors: [ + select49, + part534, + ], + on_success: processor_chain([ + dup26, + dup52, + dup54, + dup21, + setc("event_description","session closed"), + dup22, + ]), + }); + + var msg499 = msg("RT_FLOW_SESSION_CLOSE:02", all29); + + var part535 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/6", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" %{p0}"); + + var part536 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_0", "nwparser.p0", " elapsed-time=\"%{duration}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); + + var part537 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_1", "nwparser.p0", " elapsed-time=\"%{duration}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{dinterface}\" %{p0}"); + + var part538 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_2", "nwparser.p0", "elapsed-time=\"%{duration}\"%{p0}"); + + var select50 = linear_select([ + part536, + part537, + part538, + ]); + + var part539 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/8", "nwparser.p0", "] session closed %{fld60}: %{fld51}/%{fld52}->%{fld53}/%{fld54->} %{fld55->} 
%{fld56}/%{fld57}->%{fld58}/%{fld59->} %{info}"); + + var all30 = all_match({ + processors: [ + dup98, + dup147, + dup99, + dup148, + dup100, + dup150, + part535, + select50, + part539, + ], + on_success: processor_chain([ + dup26, + dup52, + dup54, + dup103, + dup21, + dup51, + dup60, + ]), + }); + + var msg500 = msg("RT_FLOW_SESSION_CLOSE:03", all30); + + var select51 = linear_select([ + msg497, + msg498, + msg499, + msg500, + ]); + + var part540 = match("MESSAGE#496:RT_SCREEN_IP", "nwparser.payload", "%{process}: %{event_type}: Fragmented traffic! source:%{saddr}, destination: %{daddr}, protocol-id: %{protocol}, zone name: %{zone}, interface name: %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","Fragmented traffic"), + dup22, + ])); + + var msg501 = msg("RT_SCREEN_IP", part540); + + var part541 = match("MESSAGE#497:RT_SCREEN_IP:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" protocol-id=\"%{protocol}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var msg502 = msg("RT_SCREEN_IP:01", part541); + + var select52 = linear_select([ + msg501, + msg502, + ]); + + var msg503 = msg("RT_SCREEN_TCP", dup151); + + var part542 = match("MESSAGE#499:RT_SCREEN_SESSION_LIMIT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" message=\"%{info}\" ip-address=\"%{hostip}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var msg504 = msg("RT_SCREEN_SESSION_LIMIT", part542); + + var msg505 = msg("RT_SCREEN_UDP", dup151); + + var part543 = match("MESSAGE#501:SERVICED_CLIENT_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: attempt to connect to interface failed with error: %{result}", 
processor_chain([ + dup26, + dup21, + setc("event_description","attempt to connect to interface failed"), + dup22, + ])); + + var msg506 = msg("SERVICED_CLIENT_CONNECT", part543); + + var part544 = match("MESSAGE#502:SERVICED_CLIENT_DISCONNECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unexpected termination of connection to interface", processor_chain([ + dup26, + dup21, + setc("event_description","unexpected termination of connection"), + dup22, + ])); + + var msg507 = msg("SERVICED_CLIENT_DISCONNECTED", part544); + + var part545 = match("MESSAGE#503:SERVICED_CLIENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: client interface connection failure: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","client interface connection failure"), + dup22, + ])); + + var msg508 = msg("SERVICED_CLIENT_ERROR", part545); + + var part546 = match("MESSAGE#504:SERVICED_COMMAND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: remote command execution failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","remote command execution failed"), + dup22, + ])); + + var msg509 = msg("SERVICED_COMMAND_FAILED", part546); + + var part547 = match("MESSAGE#505:SERVICED_COMMIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: client failed to commit configuration with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","client commit configuration failed"), + dup22, + ])); + + var msg510 = msg("SERVICED_COMMIT_FAILED", part547); + + var part548 = match("MESSAGE#506:SERVICED_CONFIGURATION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: configuration process failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","configuration process failed"), + dup22, + ])); + + var msg511 = 
msg("SERVICED_CONFIGURATION_FAILED", part548); + + var part549 = match("MESSAGE#507:SERVICED_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SERVICED CONFIG ERROR"), + dup22, + ])); + + var msg512 = msg("SERVICED_CONFIG_ERROR", part549); + + var part550 = match("MESSAGE#508:SERVICED_CONFIG_FILE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} failed to read path with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","service failed to read path"), + dup22, + ])); + + var msg513 = msg("SERVICED_CONFIG_FILE", part550); + + var part551 = match("MESSAGE#509:SERVICED_CONNECTION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SERVICED CONNECTION ERROR"), + dup22, + ])); + + var msg514 = msg("SERVICED_CONNECTION_ERROR", part551); + + var part552 = match("MESSAGE#510:SERVICED_DISABLED_GGSN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: GGSN services disabled: object: %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","GGSN services disabled"), + dup22, + ])); + + var msg515 = msg("SERVICED_DISABLED_GGSN", part552); + + var msg516 = msg("SERVICED_DUPLICATE", dup138); + + var part553 = match("MESSAGE#512:SERVICED_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: event function %{dclass_counter2->} failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","event function failed"), + dup22, + ])); + + var msg517 = msg("SERVICED_EVENT_FAILED", part553); + + var part554 = match("MESSAGE#513:SERVICED_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: initialization failed with error: %{result}", processor_chain([ + dup29, + dup21, + 
setc("event_description","service initialization failed"), + dup22, + ])); + + var msg518 = msg("SERVICED_INIT_FAILED", part554); + + var part555 = match("MESSAGE#514:SERVICED_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed to allocate [%{dclass_counter2}] object [%{dclass_counter1->} bytes %{bytes}]: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","memory allocation failure"), + dup22, + ])); + + var msg519 = msg("SERVICED_MALLOC_FAILURE", part555); + + var part556 = match("MESSAGE#515:SERVICED_NETWORK_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","NETWORK FAILURE"), + dup22, + ])); + + var msg520 = msg("SERVICED_NETWORK_FAILURE", part556); + + var part557 = match("MESSAGE#516:SERVICED_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup62, + dup21, + setc("event_description","SERVICED must be run as root"), + dup22, + ])); + + var msg521 = msg("SERVICED_NOT_ROOT", part557); + + var msg522 = msg("SERVICED_PID_FILE_LOCK", dup139); + + var msg523 = msg("SERVICED_PID_FILE_UPDATE", dup140); + + var part558 = match("MESSAGE#519:SERVICED_RTSOCK_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: routing socket sequence error, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","routing socket sequence error"), + dup22, + ])); + + var msg524 = msg("SERVICED_RTSOCK_SEQUENCE", part558); + + var part559 = match("MESSAGE#520:SERVICED_SIGNAL_HANDLER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: set up of signal name handler failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","set up of signal name handler failed"), + dup22, + ])); + + var msg525 = 
msg("SERVICED_SIGNAL_HANDLER", part559); + + var part560 = match("MESSAGE#521:SERVICED_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket create failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","socket create failed with error"), + dup22, + ])); + + var msg526 = msg("SERVICED_SOCKET_CREATE", part560); + + var part561 = match("MESSAGE#522:SERVICED_SOCKET_IO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket function %{dclass_counter2->} failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","socket function failed"), + dup22, + ])); + + var msg527 = msg("SERVICED_SOCKET_IO", part561); + + var part562 = match("MESSAGE#523:SERVICED_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unable to set socket option %{dclass_counter2}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","unable to set socket option"), + dup22, + ])); + + var msg528 = msg("SERVICED_SOCKET_OPTION", part562); + + var part563 = match("MESSAGE#524:SERVICED_STDLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","STDLIB FAILURE"), + dup22, + ])); + + var msg529 = msg("SERVICED_STDLIB_FAILURE", part563); + + var part564 = match("MESSAGE#525:SERVICED_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Incorrect service usage"), + dup22, + ])); + + var msg530 = msg("SERVICED_USAGE", part564); + + var part565 = match("MESSAGE#526:SERVICED_WORK_INCONSISTENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: object has unexpected value %{result}", processor_chain([ + dup29, + dup21, + 
setc("event_description","object has unexpected value"), + dup22, + ])); + + var msg531 = msg("SERVICED_WORK_INCONSISTENCY", part565); + + var msg532 = msg("SSL_PROXY_SSL_SESSION_ALLOW", dup152); + + var msg533 = msg("SSL_PROXY_SSL_SESSION_DROP", dup152); + + var msg534 = msg("SSL_PROXY_SESSION_IGNORE", dup152); + + var part566 = match("MESSAGE#530:SNMP_NS_LOG_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NET-SNMP version %{version->} AgentX subagent connected", processor_chain([ + dup20, + dup21, + setc("event_description","AgentX subagent connected"), + dup60, + dup22, + ])); + + var msg535 = msg("SNMP_NS_LOG_INFO", part566); + + var part567 = match("MESSAGE#531:SNMP_SUBAGENT_IPC_REG_ROWS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ns_subagent_register_mibs: registering %{dclass_counter1->} rows", processor_chain([ + dup20, + dup21, + setc("event_description","ns_subagent registering rows"), + dup60, + dup22, + ])); + + var msg536 = msg("SNMP_SUBAGENT_IPC_REG_ROWS", part567); + + var part568 = match("MESSAGE#532:SNMPD_ACCESS_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} access group %{group}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD ACCESS GROUP ERROR"), + dup22, + ])); + + var msg537 = msg("SNMPD_ACCESS_GROUP_ERROR", part568); + + var part569 = match("MESSAGE#533:SNMPD_AUTH_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to unknown community name (%{pool_name})", processor_chain([ + dup29, + dup21, + dup104, + setc("result","unauthorized SNMP community to unknown community name"), + dup22, + ])); + + var msg538 = msg("SNMPD_AUTH_FAILURE", part569); + + var part570 = match("MESSAGE#534:SNMPD_AUTH_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed input interface authorization from %{daddr->} to 
unknown (%{pool_name})", processor_chain([ + dup29, + dup21, + dup104, + setc("result","failed input interface authorization to unknown"), + dup22, + ])); + + var msg539 = msg("SNMPD_AUTH_FAILURE:01", part570); + + var part571 = match("MESSAGE#535:SNMPD_AUTH_FAILURE:02", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to %{saddr->} (%{pool_name})", processor_chain([ + dup29, + dup21, + dup104, + setc("result","unauthorized SNMP community "), + dup22, + ])); + + var msg540 = msg("SNMPD_AUTH_FAILURE:02", part571); + + var part572 = match("MESSAGE#595:SNMPD_AUTH_FAILURE:03", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} function-name=\"%{fld1}\" message=\"%{info}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" index1=\"%{fld4}\"]", processor_chain([ + dup29, + dup21, + dup104, + dup60, + dup61, + ])); + + var msg541 = msg("SNMPD_AUTH_FAILURE:03", part572); + + var select53 = linear_select([ + msg538, + msg539, + msg540, + msg541, + ]); + + var part573 = match("MESSAGE#536:SNMPD_AUTH_PRIVILEGES_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: request exceeded community privileges", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP request exceeded community privileges"), + dup22, + ])); + + var msg542 = msg("SNMPD_AUTH_PRIVILEGES_EXCEEDED", part573); + + var part574 = match("MESSAGE#537:SNMPD_AUTH_RESTRICTED_ADDRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: request from address %{daddr->} not allowed", processor_chain([ + dup47, + dup21, + setc("event_description","SNMPD AUTH RESTRICTED ADDRESS"), + setc("result","request not allowed"), + dup22, + ])); + + var msg543 = msg("SNMPD_AUTH_RESTRICTED_ADDRESS", part574); + + var part575 = match("MESSAGE#538:SNMPD_AUTH_WRONG_PDU_TYPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: 
%{saddr}: unauthorized SNMP PDU type: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","unauthorized SNMP PDU type"), + dup22, + ])); + + var msg544 = msg("SNMPD_AUTH_WRONG_PDU_TYPE", part575); + + var part576 = match("MESSAGE#539:SNMPD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration database has errors", processor_chain([ + dup29, + dup21, + setc("event_description","Configuration database has errors"), + dup22, + ])); + + var msg545 = msg("SNMPD_CONFIG_ERROR", part576); + + var part577 = match("MESSAGE#540:SNMPD_CONTEXT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} context %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD CONTEXT ERROR"), + dup22, + ])); + + var msg546 = msg("SNMPD_CONTEXT_ERROR", part577); + + var part578 = match("MESSAGE#541:SNMPD_ENGINE_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD ENGINE FILE FAILURE"), + dup22, + ])); + + var msg547 = msg("SNMPD_ENGINE_FILE_FAILURE", part578); + + var part579 = match("MESSAGE#542:SNMPD_ENGINE_PROCESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: from-path: undecodable/unmatched subagent response", processor_chain([ + dup29, + dup21, + setc("event_description"," from-path - SNMP undecodable/unmatched subagent response"), + dup22, + ])); + + var msg548 = msg("SNMPD_ENGINE_PROCESS_ERROR", part579); + + var part580 = match("MESSAGE#543:SNMPD_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: fopen %{dclass_counter2}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD FILE FAILURE"), + dup22, + ])); + + var msg549 = msg("SNMPD_FILE_FAILURE", part580); + + var 
part581 = match("MESSAGE#544:SNMPD_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} group: '%{group}' user '%{username}' model '%{version}'", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD GROUP ERROR"), + dup22, + ])); + + var msg550 = msg("SNMPD_GROUP_ERROR", part581); + + var part582 = match("MESSAGE#545:SNMPD_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: snmpd initialization failure: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","snmpd initialization failure"), + dup22, + ])); + + var msg551 = msg("SNMPD_INIT_FAILED", part582); + + var part583 = match("MESSAGE#546:SNMPD_LIBJUNIPER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system_default_inaddr: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","LIBJUNIPER FAILURE"), + dup22, + ])); + + var msg552 = msg("SNMPD_LIBJUNIPER_FAILURE", part583); + + var part584 = match("MESSAGE#547:SNMPD_LOOPBACK_ADDR_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","LOOPBACK ADDR ERROR"), + dup22, + ])); + + var msg553 = msg("SNMPD_LOOPBACK_ADDR_ERROR", part584); + + var part585 = match("MESSAGE#548:SNMPD_MEMORY_FREED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: called for freed - already freed", processor_chain([ + dup29, + dup21, + setc("event_description","duplicate memory free"), + dup22, + ])); + + var msg554 = msg("SNMPD_MEMORY_FREED", part585); + + var part586 = match("MESSAGE#549:SNMPD_RADIX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: radix_add failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","radix_add failed"), + dup22, + ])); + + var msg555 = msg("SNMPD_RADIX_FAILURE", part586); + + var part587 = 
match("MESSAGE#550:SNMPD_RECEIVE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: receive %{dclass_counter1->} failure: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD RECEIVE FAILURE"), + dup22, + ])); + + var msg556 = msg("SNMPD_RECEIVE_FAILURE", part587); + + var part588 = match("MESSAGE#551:SNMPD_RMONFILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RMONFILE FAILURE"), + dup22, + ])); + + var msg557 = msg("SNMPD_RMONFILE_FAILURE", part588); + + var part589 = match("MESSAGE#552:SNMPD_RMON_COOKIE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Null cookie", processor_chain([ + dup29, + dup21, + setc("event_description","Null cookie"), + dup22, + ])); + + var msg558 = msg("SNMPD_RMON_COOKIE", part589); + + var part590 = match("MESSAGE#553:SNMPD_RMON_EVENTLOG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","RMON EVENTLOG"), + dup22, + ])); + + var msg559 = msg("SNMPD_RMON_EVENTLOG", part590); + + var part591 = match("MESSAGE#554:SNMPD_RMON_IOERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Received io error, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Received io error"), + dup22, + ])); + + var msg560 = msg("SNMPD_RMON_IOERROR", part591); + + var part592 = match("MESSAGE#555:SNMPD_RMON_MIBERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: internal Get request error: description, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","internal Get request error"), + dup22, + ])); + + var msg561 = msg("SNMPD_RMON_MIBERROR", part592); + + var part593 = match("MESSAGE#556:SNMPD_RTSLIB_ASYNC_EVENT", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: sequence mismatch %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","sequence mismatch"), + dup22, + ])); + + var msg562 = msg("SNMPD_RTSLIB_ASYNC_EVENT", part593); + + var part594 = match("MESSAGE#557:SNMPD_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send send-type (index1) failure: %{result}", processor_chain([ + dup29, + dup21, + dup105, + dup22, + ])); + + var msg563 = msg("SNMPD_SEND_FAILURE", part594); + + var part595 = match("MESSAGE#558:SNMPD_SEND_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send to (%{saddr}) failure: %{result}", processor_chain([ + dup29, + dup21, + dup105, + dup22, + ])); + + var msg564 = msg("SNMPD_SEND_FAILURE:01", part595); + + var select54 = linear_select([ + msg563, + msg564, + ]); + + var part596 = match("MESSAGE#559:SNMPD_SOCKET_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket failure: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD SOCKET FAILURE"), + dup22, + ])); + + var msg565 = msg("SNMPD_SOCKET_FAILURE", part596); + + var part597 = match("MESSAGE#560:SNMPD_SUBAGENT_NO_BUFFERS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No buffers available for subagent (%{agent})", processor_chain([ + dup29, + dup21, + setc("event_description","No buffers available for subagent"), + dup22, + ])); + + var msg566 = msg("SNMPD_SUBAGENT_NO_BUFFERS", part597); + + var part598 = match("MESSAGE#561:SNMPD_SUBAGENT_SEND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Send to subagent failed (%{agent}): %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Send to subagent failed"), + dup22, + ])); + + var msg567 = msg("SNMPD_SUBAGENT_SEND_FAILED", part598); + + var part599 = match("MESSAGE#562:SNMPD_SYSLIB_FAILURE", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system function '%{dclass_counter1}' failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","system function failed"), + dup22, + ])); + + var msg568 = msg("SNMPD_SYSLIB_FAILURE", part599); + + var part600 = match("MESSAGE#563:SNMPD_THROTTLE_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: cleared all throttled traps", processor_chain([ + dup20, + dup21, + setc("event_description","cleared all throttled traps"), + dup22, + ])); + + var msg569 = msg("SNMPD_THROTTLE_QUEUE_DRAINED", part600); + + var part601 = match("MESSAGE#564:SNMPD_TRAP_COLD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: cold start", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP trap: cold start"), + dup22, + ])); + + var msg570 = msg("SNMPD_TRAP_COLD_START", part601); + + var part602 = match("MESSAGE#565:SNMPD_TRAP_GEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{resultcode->} (%{result})", processor_chain([ + dup29, + dup21, + dup106, + dup22, + ])); + + var msg571 = msg("SNMPD_TRAP_GEN_FAILURE", part602); + + var part603 = match("MESSAGE#566:SNMPD_TRAP_GEN_FAILURE2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{dclass_counter2->} %{result}", processor_chain([ + dup29, + dup21, + dup106, + dup22, + ])); + + var msg572 = msg("SNMPD_TRAP_GEN_FAILURE2", part603); + + var part604 = match("MESSAGE#567:SNMPD_TRAP_INVALID_DATA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{result->} (%{dclass_counter2}) received", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD TRAP INVALID DATA"), + dup22, + ])); + + var msg573 = msg("SNMPD_TRAP_INVALID_DATA", part604); + + var part605 = match("MESSAGE#568:SNMPD_TRAP_NOT_ENOUGH_VARBINDS", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{info->} (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD TRAP ERROR"), + dup22, + ])); + + var msg574 = msg("SNMPD_TRAP_NOT_ENOUGH_VARBINDS", part605); + + var part606 = match("MESSAGE#569:SNMPD_TRAP_QUEUED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Adding trap to %{dclass_counter2->} to %{obj_name->} queue, %{dclass_counter1->} traps in queue", processor_chain([ + dup20, + dup21, + setc("event_description","Adding trap to queue"), + dup22, + ])); + + var msg575 = msg("SNMPD_TRAP_QUEUED", part606); + + var part607 = match("MESSAGE#570:SNMPD_TRAP_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps queued to %{obj_name->} sent successfully", processor_chain([ + dup20, + dup21, + setc("event_description","traps queued - sent successfully"), + dup22, + ])); + + var msg576 = msg("SNMPD_TRAP_QUEUE_DRAINED", part607); + + var part608 = match("MESSAGE#571:SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: after %{dclass_counter1->} attempts, deleting %{dclass_counter2->} traps queued to %{obj_name}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD TRAP QUEUE MAX_ATTEMPTS - deleting some traps"), + dup22, + ])); + + var msg577 = msg("SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", part608); + + var part609 = match("MESSAGE#572:SNMPD_TRAP_QUEUE_MAX_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: maximum queue size exceeded (%{dclass_counter1}), discarding trap to %{dclass_counter2->} from %{obj_name->} queue", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP TRAP maximum queue size exceeded"), + dup22, + ])); + + var msg578 = msg("SNMPD_TRAP_QUEUE_MAX_SIZE", part609); + + var part610 = match("MESSAGE#573:SNMPD_TRAP_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: %{agent}: traps throttled after %{dclass_counter1->} traps", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP traps throttled"), + dup22, + ])); + + var msg579 = msg("SNMPD_TRAP_THROTTLED", part610); + + var part611 = match("MESSAGE#574:SNMPD_TRAP_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unknown trap type requested (%{obj_type->} )", processor_chain([ + dup29, + dup21, + setc("event_description","unknown SNMP trap type requested"), + dup22, + ])); + + var msg580 = msg("SNMPD_TRAP_TYPE_ERROR", part611); + + var part612 = match("MESSAGE#575:SNMPD_TRAP_VARBIND_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: expecting %{dclass_counter1->} varbind to be VT_NUMBER (%{resultcode->} )", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD TRAP VARBIND TYPE ERROR"), + dup22, + ])); + + var msg581 = msg("SNMPD_TRAP_VARBIND_TYPE_ERROR", part612); + + var part613 = match("MESSAGE#576:SNMPD_TRAP_VERSION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: invalid version signature (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD TRAP ERROR - invalid version signature"), + dup22, + ])); + + var msg582 = msg("SNMPD_TRAP_VERSION_ERROR", part613); + + var part614 = match("MESSAGE#577:SNMPD_TRAP_WARM_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: warm start", processor_chain([ + dup20, + dup21, + setc("event_description","SNMPD TRAP WARM START"), + dup22, + ])); + + var msg583 = msg("SNMPD_TRAP_WARM_START", part614); + + var part615 = match("MESSAGE#578:SNMPD_USER_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} user '%{username}' %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD USER ERROR"), + dup22, + 
])); + + var msg584 = msg("SNMPD_USER_ERROR", part615); + + var part616 = match("MESSAGE#579:SNMPD_VIEW_DELETE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: deleting view %{dclass_counter2->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP deleting view"), + dup22, + ])); + + var msg585 = msg("SNMPD_VIEW_DELETE", part616); + + var part617 = match("MESSAGE#580:SNMPD_VIEW_INSTALL_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} installing default %{dclass_counter1->} view %{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","installing default SNMP view"), + dup22, + ])); + + var msg586 = msg("SNMPD_VIEW_INSTALL_DEFAULT", part617); + + var part618 = match("MESSAGE#581:SNMPD_VIEW_OID_PARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: oid parsing failed for view %{dclass_counter2->} oid %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","oid parsing failed for SNMP view"), + dup22, + ])); + + var msg587 = msg("SNMPD_VIEW_OID_PARSE", part618); + + var part619 = match("MESSAGE#582:SNMP_GET_ERROR1", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP_GET_ERROR 1"), + dup22, + ])); + + var msg588 = msg("SNMP_GET_ERROR1", part619); + + var part620 = match("MESSAGE#583:SNMP_GET_ERROR2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP GET ERROR 2"), + dup22, + ])); + + var msg589 = msg("SNMP_GET_ERROR2", part620); + + var part621 = match("MESSAGE#584:SNMP_GET_ERROR3", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for 
%{dclass_counter2->} : %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP GET ERROR 3"), + dup22, + ])); + + var msg590 = msg("SNMP_GET_ERROR3", part621); + + var part622 = match("MESSAGE#585:SNMP_GET_ERROR4", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP GET ERROR 4"), + dup22, + ])); + + var msg591 = msg("SNMP_GET_ERROR4", part622); + + var part623 = match("MESSAGE#586:SNMP_RTSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: rtslib-error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP RTSLIB FAILURE"), + dup22, + ])); + + var msg592 = msg("SNMP_RTSLIB_FAILURE", part623); + + var part624 = match("MESSAGE#587:SNMP_TRAP_LINK_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ + dup29, + dup21, + dup107, + dup22, + ])); + + var msg593 = msg("SNMP_TRAP_LINK_DOWN", part624); + + var part625 = match("MESSAGE#596:SNMP_TRAP_LINK_DOWN:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{fld2}\" interface-name=\"%{interface}\"]", processor_chain([ + dup29, + dup21, + dup107, + dup60, + dup61, + ])); + + var msg594 = msg("SNMP_TRAP_LINK_DOWN:01", part625); + + var select55 = linear_select([ + msg593, + msg594, + ]); + + var part626 = match("MESSAGE#588:SNMP_TRAP_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ + dup20, + dup21, + dup108, + dup22, + ])); + + var msg595 = msg("SNMP_TRAP_LINK_UP", part626); + + var 
part627 = match("MESSAGE#597:SNMP_TRAP_LINK_UP:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{event_state}\" interface-name=\"%{interface}\"]", processor_chain([ + dup20, + dup21, + dup108, + dup60, + dup61, + ])); + + var msg596 = msg("SNMP_TRAP_LINK_UP:01", part627); + + var select56 = linear_select([ + msg595, + msg596, + ]); + + var part628 = match("MESSAGE#589:SNMP_TRAP_PING_PROBE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP TRAP PING PROBE FAILED"), + dup22, + ])); + + var msg597 = msg("SNMP_TRAP_PING_PROBE_FAILED", part628); + + var part629 = match("MESSAGE#590:SNMP_TRAP_PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP TRAP PING TEST COMPLETED"), + dup22, + ])); + + var msg598 = msg("SNMP_TRAP_PING_TEST_COMPLETED", part629); + + var part630 = match("MESSAGE#591:SNMP_TRAP_PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP TRAP PING TEST FAILED"), + dup22, + ])); + + var msg599 = msg("SNMP_TRAP_PING_TEST_FAILED", part630); + + var part631 = match("MESSAGE#592:SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP TRAP TRACE ROUTE PATH CHANGE"), + dup22, + ])); + + var msg600 = msg("SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", part631); + + var 
part632 = match("MESSAGE#593:SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP TRAP TRACE ROUTE TEST COMPLETED"), + dup22, + ])); + + var msg601 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", part632); + + var part633 = match("MESSAGE#594:SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP TRAP TRACE ROUTE TEST FAILED"), + dup22, + ])); + + var msg602 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", part633); + + var part634 = match("MESSAGE#598:SSHD_LOGIN_FAILED", "nwparser.payload", "%{process}: %{event_type}: Login failed for user '%{username}' from host '%{saddr}'", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup109, + dup22, + ])); + + var msg603 = msg("SSHD_LOGIN_FAILED", part634); + + var part635 = match("MESSAGE#599:SSHD_LOGIN_FAILED:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} username=\"%{username}\" source-address=\"%{saddr}\"]", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup109, + dup60, + dup51, + setf("process","hfld33"), + ])); + + var msg604 = msg("SSHD_LOGIN_FAILED:01", part635); + + var select57 = linear_select([ + msg603, + msg604, + ]); + + var part636 = match("MESSAGE#600:task_connect", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: task %{agent->} addr %{daddr}+%{dport}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","task connect failure"), + dup22, + ])); + + var msg605 = msg("task_connect", part636); + + var msg606 = msg("TASK_TASK_REINIT", dup146); + + var part637 = match("MESSAGE#602:TFTPD_AF_ERR", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Unexpected address family %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Unexpected address family"), + dup22, + ])); + + var msg607 = msg("TFTPD_AF_ERR", part637); + + var part638 = match("MESSAGE#603:TFTPD_BIND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: bind: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD BIND ERROR"), + dup22, + ])); + + var msg608 = msg("TFTPD_BIND_ERR", part638); + + var part639 = match("MESSAGE#604:TFTPD_CONNECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD CONNECT ERROR"), + dup22, + ])); + + var msg609 = msg("TFTPD_CONNECT_ERR", part639); + + var part640 = match("MESSAGE#605:TFTPD_CONNECT_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TFTP %{protocol->} from address %{daddr->} port %{dport->} file %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","TFTPD CONNECT INFO"), + dup22, + ])); + + var msg610 = msg("TFTPD_CONNECT_INFO", part640); + + var part641 = match("MESSAGE#606:TFTPD_CREATE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: check_space %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD CREATE ERROR"), + dup22, + ])); + + var msg611 = msg("TFTPD_CREATE_ERR", part641); + + var part642 = match("MESSAGE#607:TFTPD_FIO_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD FIO ERR"), + dup22, + ])); + + var msg612 = msg("TFTPD_FIO_ERR", part642); + + var part643 = match("MESSAGE#608:TFTPD_FORK_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fork: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD FORK ERROR"), + dup22, + ])); + + 
var msg613 = msg("TFTPD_FORK_ERR", part643); + + var part644 = match("MESSAGE#609:TFTPD_NAK_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: nak error %{resultcode}, %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD NAK ERROR"), + dup22, + ])); + + var msg614 = msg("TFTPD_NAK_ERR", part644); + + var part645 = match("MESSAGE#610:TFTPD_OPEN_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)', error: %{result}", processor_chain([ + dup29, + dup21, + dup77, + dup22, + ])); + + var msg615 = msg("TFTPD_OPEN_ERR", part645); + + var part646 = match("MESSAGE#611:TFTPD_RECVCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received %{dclass_counter1->} blocks of %{dclass_counter2->} size for file '%(unknown)'", processor_chain([ + dup20, + dup21, + setc("event_description","TFTPD RECVCOMPLETE INFO"), + dup22, + ])); + + var msg616 = msg("TFTPD_RECVCOMPLETE_INFO", part646); + + var part647 = match("MESSAGE#612:TFTPD_RECVFROM_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recvfrom: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD RECVFROM ERROR"), + dup22, + ])); + + var msg617 = msg("TFTPD_RECVFROM_ERR", part647); + + var part648 = match("MESSAGE#613:TFTPD_RECV_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recv: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD RECV ERROR"), + dup22, + ])); + + var msg618 = msg("TFTPD_RECV_ERR", part648); + + var part649 = match("MESSAGE#614:TFTPD_SENDCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Sent %{dclass_counter1->} blocks of %{dclass_counter2->} and %{info->} for file '%(unknown)'", processor_chain([ + dup20, + dup21, + setc("event_description","TFTPD SENDCOMPLETE INFO"), + dup22, + ])); + + var msg619 = msg("TFTPD_SENDCOMPLETE_INFO", part649); + + var 
part650 = match("MESSAGE#615:TFTPD_SEND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: send: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD SEND ERROR"), + dup22, + ])); + + var msg620 = msg("TFTPD_SEND_ERR", part650); + + var part651 = match("MESSAGE#616:TFTPD_SOCKET_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: socket: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD SOCKET ERROR"), + dup22, + ])); + + var msg621 = msg("TFTPD_SOCKET_ERR", part651); + + var part652 = match("MESSAGE#617:TFTPD_STATFS_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: statfs %{agent}, error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD STATFS ERROR"), + dup22, + ])); + + var msg622 = msg("TFTPD_STATFS_ERR", part652); + + var part653 = match("MESSAGE#618:TNP", "nwparser.payload", "%{process}: %{event_type}: adding neighbor %{dclass_counter1->} to interface %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","adding neighbor to interface"), + dup22, + ])); + + var msg623 = msg("TNP", part653); + + var part654 = match("MESSAGE#619:trace_on", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: tracing to %{fld33->} started", processor_chain([ + dup20, + dup21, + setc("event_description","tracing to file"), + dup22, + call({ + dest: "nwparser.filename", + fn: RMQ, + args: [ + field("fld33"), + ], + }), + ])); + + var msg624 = msg("trace_on", part654); + + var part655 = match("MESSAGE#620:trace_rotate", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rotating %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","trace rotating file"), + dup22, + ])); + + var msg625 = msg("trace_rotate", part655); + + var part656 = match("MESSAGE#621:transfer-file", "nwparser.payload", "%{process}: %{event_type}: Transferred %(unknown)", processor_chain([ + dup20, + 
dup21, + setc("event_description","transfered file"), + dup22, + ])); + + var msg626 = msg("transfer-file", part656); + + var part657 = match("MESSAGE#622:ttloop", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer died: %{result}: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","ttloop - peer died"), + dup22, + ])); + + var msg627 = msg("ttloop", part657); + + var part658 = match("MESSAGE#623:UI_AUTH_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated user '%{username}' at permission level '%{privilege}'", processor_chain([ + dup79, + dup33, + dup34, + dup36, + dup21, + setc("event_description","Authenticated user"), + dup22, + ])); + + var msg628 = msg("UI_AUTH_EVENT", part658); + + var part659 = match("MESSAGE#624:UI_AUTH_INVALID_CHALLENGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received invalid authentication challenge for user '%{username}': response", processor_chain([ + dup29, + dup21, + setc("event_description","Received invalid authentication challenge for user response"), + dup22, + ])); + + var msg629 = msg("UI_AUTH_INVALID_CHALLENGE", part659); + + var part660 = match("MESSAGE#625:UI_BOOTTIME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch boot time: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to fetch boot time"), + dup22, + ])); + + var msg630 = msg("UI_BOOTTIME_FAILED", part660); + + var part661 = match("MESSAGE#626:UI_CFG_AUDIT_NEW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} path unknown", processor_chain([ + dup29, + dup21, + setc("event_description","user path unknown"), + dup22, + ])); + + var msg631 = msg("UI_CFG_AUDIT_NEW", part661); + + var part662 = match("MESSAGE#627:UI_CFG_AUDIT_NEW:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' insert: [edit-config config 
%{filename->} security policies %{policyname}] %{info}", processor_chain([ + dup41, + dup21, + setc("event_description"," user Inserted Security Policies in config"), + dup22, + ])); + + var msg632 = msg("UI_CFG_AUDIT_NEW:01", part662); + + var select58 = linear_select([ + msg631, + msg632, + ]); + + var part663 = match("MESSAGE#628:UI_CFG_AUDIT_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' delete: [%(unknown)]", processor_chain([ + dup20, + dup21, + setc("event_description","User deleted file"), + setc("action","delete"), + dup22, + ])); + + var msg633 = msg("UI_CFG_AUDIT_OTHER", part663); + + var part664 = match("MESSAGE#629:UI_CFG_AUDIT_OTHER:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' rollback: %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","User rollback file"), + dup22, + ])); + + var msg634 = msg("UI_CFG_AUDIT_OTHER:01", part664); + + var part665 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_0", "nwparser.p0", "\"%{info}\" "); + + var part666 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "%{space->} "); + + var select59 = linear_select([ + part665, + part666, + ]); + + var all31 = all_match({ + processors: [ + dup110, + select59, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","User set"), + dup22, + ]), + }); + + var msg635 = msg("UI_CFG_AUDIT_OTHER:02", all31); + + var part667 = match("MESSAGE#631:UI_CFG_AUDIT_OTHER:03", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}]", processor_chain([ + dup20, + dup21, + setc("event_description","User config replace"), + setc("action","replace"), + dup22, + ])); + + var msg636 = msg("UI_CFG_AUDIT_OTHER:03", part667); + + var part668 = match("MESSAGE#632:UI_CFG_AUDIT_OTHER:04", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' 
deactivate: [groups %{info}]", processor_chain([ + setc("eventcategory","1701070000"), + dup21, + setc("event_description","User deactivating group(s)"), + setc("action","deactivate"), + dup22, + ])); + + var msg637 = msg("UI_CFG_AUDIT_OTHER:04", part668); + + var part669 = match("MESSAGE#633:UI_CFG_AUDIT_OTHER:05", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' update: %(unknown)", processor_chain([ + dup111, + dup21, + setc("event_description","User updates config file"), + setc("action","update"), + dup22, + ])); + + var msg638 = msg("UI_CFG_AUDIT_OTHER:05", part669); + + var select60 = linear_select([ + msg633, + msg634, + msg635, + msg636, + msg637, + msg638, + ]); + + var part670 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_0", "nwparser.p0", "\"%{change_old}\" %{p0}"); + + var select61 = linear_select([ + part670, + dup112, + ]); + + var all32 = all_match({ + processors: [ + dup110, + select61, + dup113, + ], + on_success: processor_chain([ + dup20, + dup21, + dup114, + dup22, + ]), + }); + + var msg639 = msg("UI_CFG_AUDIT_SET:01", all32); + + var part671 = match("MESSAGE#635:UI_CFG_AUDIT_SET:02/1_0", "nwparser.p0", "\"%{change_old->} %{p0}"); + + var select62 = linear_select([ + part671, + dup112, + ]); + + var all33 = all_match({ + processors: [ + dup110, + select62, + dup113, + ], + on_success: processor_chain([ + dup20, + dup21, + dup114, + dup22, + ]), + }); + + var msg640 = msg("UI_CFG_AUDIT_SET:02", all33); + + var part672 = match("MESSAGE#636:UI_CFG_AUDIT_SET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}] \u003c\u003c%{disposition}> -> \"%{agent}\"", processor_chain([ + dup20, + dup21, + setc("event_description","User replace config application(s)"), + dup22, + ])); + + var msg641 = msg("UI_CFG_AUDIT_SET", part672); + + var select63 = linear_select([ + msg639, + msg640, + msg641, + ]); + + var part673 = 
match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/2", "nwparser.p0", ": [groups %{info->} secret]"); + + var all34 = all_match({ + processors: [ + dup115, + dup153, + part673, + ], + on_success: processor_chain([ + dup111, + dup21, + dup118, + dup22, + ]), + }); + + var msg642 = msg("UI_CFG_AUDIT_SET_SECRET:01", all34); + + var part674 = match("MESSAGE#638:UI_CFG_AUDIT_SET_SECRET:02/2", "nwparser.p0", ": [%{info}]"); + + var all35 = all_match({ + processors: [ + dup115, + dup153, + part674, + ], + on_success: processor_chain([ + dup111, + dup21, + dup118, + dup22, + ]), + }); + + var msg643 = msg("UI_CFG_AUDIT_SET_SECRET:02", all35); + + var part675 = match("MESSAGE#639:UI_CFG_AUDIT_SET_SECRET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} %{directory}", processor_chain([ + dup20, + dup21, + setc("event_description","UI CFG AUDIT SET SECRET"), + dup22, + ])); + + var msg644 = msg("UI_CFG_AUDIT_SET_SECRET", part675); + + var select64 = linear_select([ + msg642, + msg643, + msg644, + ]); + + var part676 = match("MESSAGE#640:UI_CHILD_ARGS_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many arguments for child process '%{agent}'", processor_chain([ + dup29, + dup21, + setc("event_description","Too many arguments for child process"), + dup22, + ])); + + var msg645 = msg("UI_CHILD_ARGS_EXCEEDED", part676); + + var part677 = match("MESSAGE#641:UI_CHILD_CHANGE_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to switch to local user: %{username}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to switch to local user"), + dup22, + ])); + + var msg646 = msg("UI_CHILD_CHANGE_USER", part677); + + var part678 = match("MESSAGE#642:UI_CHILD_EXEC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Child exec 
failed"), + dup22, + ])); + + var msg647 = msg("UI_CHILD_EXEC", part678); + + var part679 = match("MESSAGE#643:UI_CHILD_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exited: PID %{child_pid}, status %{result}, command '%{action}'", processor_chain([ + dup29, + dup21, + setc("event_description","Child exited"), + dup22, + ])); + + var msg648 = msg("UI_CHILD_EXITED", part679); + + var part680 = match("MESSAGE#644:UI_CHILD_FOPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to append to log '%(unknown)': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to append to log"), + dup22, + ])); + + var msg649 = msg("UI_CHILD_FOPEN", part680); + + var part681 = match("MESSAGE#645:UI_CHILD_PIPE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipe for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to create pipe for command"), + dup22, + ])); + + var msg650 = msg("UI_CHILD_PIPE_FAILED", part681); + + var part682 = match("MESSAGE#646:UI_CHILD_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child received signal: PID %{child_pid}, signal %{result}: %{resultcode}, command='%{action}'", processor_chain([ + dup20, + dup21, + dup60, + setc("event_description","Child received signal"), + dup22, + ])); + + var msg651 = msg("UI_CHILD_SIGNALED", part682); + + var part683 = match("MESSAGE#647:UI_CHILD_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child stopped: PID %{child_pid}, signal=%{resultcode->} command='%{action}')", processor_chain([ + dup20, + dup21, + setc("event_description","Child stopped"), + dup22, + ])); + + var msg652 = msg("UI_CHILD_STOPPED", part683); + + var part684 = match("MESSAGE#648:UI_CHILD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Starting child '%{agent}'", processor_chain([ + dup20, + dup21, + 
setc("event_description","Starting child"), + dup22, + ])); + + var msg653 = msg("UI_CHILD_START", part684); + + var part685 = match("MESSAGE#649:UI_CHILD_STATUS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cleanup child '%{agent}', PID %{child_pid}, status %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Cleanup child"), + dup22, + ])); + + var msg654 = msg("UI_CHILD_STATUS", part685); + + var part686 = match("MESSAGE#650:UI_CHILD_WAITPID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: waitpid failed: PID %{child_pid}, rc %{dclass_counter2}, status %{resultcode}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","waitpid failed"), + dup22, + ])); + + var msg655 = msg("UI_CHILD_WAITPID", part686); + + var part687 = match("MESSAGE#651:UI_CLI_IDLE_TIMEOUT", "nwparser.payload", "%{event_type}: Idle timeout for user '%{username}' exceeded and %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Idle timeout for user exceeded"), + dup22, + ])); + + var msg656 = msg("UI_CLI_IDLE_TIMEOUT", part687); + + var part688 = match("MESSAGE#652:UI_CMDLINE_READ_LINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}', command '%{action}'", processor_chain([ + dup20, + dup21, + dup119, + dup22, + ])); + + var msg657 = msg("UI_CMDLINE_READ_LINE", part688); + + var part689 = match("MESSAGE#653:UI_CMDSET_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command execution failed for '%{agent}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Command execution failed"), + dup22, + ])); + + var msg658 = msg("UI_CMDSET_EXEC_FAILED", part689); + + var part690 = match("MESSAGE#654:UI_CMDSET_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork command '%{agent}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to fork 
command"), + dup22, + ])); + + var msg659 = msg("UI_CMDSET_FORK_FAILED", part690); + + var msg660 = msg("UI_CMDSET_PIPE_FAILED", dup141); + + var part691 = match("MESSAGE#656:UI_CMDSET_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal '%{resultcode}, command '%{action}'", processor_chain([ + dup29, + dup21, + dup69, + dup22, + ])); + + var msg661 = msg("UI_CMDSET_STOPPED", part691); + + var part692 = match("MESSAGE#657:UI_CMDSET_WEXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{resultcode}, command '%{action}'", processor_chain([ + dup29, + dup21, + dup71, + dup22, + ])); + + var msg662 = msg("UI_CMDSET_WEXITED", part692); + + var part693 = match("MESSAGE#658:UI_CMD_AUTH_REGEX_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid '%{action}' command authorization regular expression '%{agent}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Invalid regexp command"), + dup22, + ])); + + var msg663 = msg("UI_CMD_AUTH_REGEX_INVALID", part693); + + var part694 = match("MESSAGE#659:UI_COMMIT/1_0", "nwparser.p0", "requested '%{action}' operation (comment:%{info}) "); + + var part695 = match("MESSAGE#659:UI_COMMIT/1_1", "nwparser.p0", "performed %{action->} "); + + var select65 = linear_select([ + part694, + part695, + ]); + + var all36 = all_match({ + processors: [ + dup115, + select65, + ], + on_success: processor_chain([ + dup20, + dup21, + dup120, + dup22, + ]), + }); + + var msg664 = msg("UI_COMMIT", all36); + + var part696 = match("MESSAGE#660:UI_COMMIT_AT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{result}", processor_chain([ + dup20, + dup21, + dup120, + dup22, + ])); + + var msg665 = msg("UI_COMMIT_AT", part696); + + var part697 = match("MESSAGE#661:UI_COMMIT_AT_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: '%{agent}' was successful", processor_chain([ + dup20, + dup21, + setc("event_description","User commit successful"), + dup22, + ])); + + var msg666 = msg("UI_COMMIT_AT_COMPLETED", part697); + + var part698 = match("MESSAGE#662:UI_COMMIT_AT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, %{info}", processor_chain([ + dup29, + dup21, + setc("event_description","User commit failed"), + dup22, + ])); + + var msg667 = msg("UI_COMMIT_AT_FAILED", part698); + + var part699 = match("MESSAGE#663:UI_COMMIT_COMPRESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to compress file %(unknown)'", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to compress file"), + dup22, + ])); + + var msg668 = msg("UI_COMMIT_COMPRESS_FAILED", part699); + + var part700 = match("MESSAGE#664:UI_COMMIT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed '%{action}'", processor_chain([ + dup20, + dup21, + setc("event_description","UI COMMIT CONFIRMED"), + dup22, + ])); + + var msg669 = msg("UI_COMMIT_CONFIRMED", part700); + + var part701 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{action}' must be confirmed within %{p0}"); + + var part702 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_0", "nwparser.p0", "minutes %{dclass_counter1->} "); + + var part703 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_1", "nwparser.p0", "%{dclass_counter1->} minutes "); + + var select66 = linear_select([ + part702, + part703, + ]); + + var all37 = all_match({ + processors: [ + part701, + select66, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","COMMIT must be confirmed within # minutes"), + dup22, + ]), + }); + + var msg670 = msg("UI_COMMIT_CONFIRMED_REMINDER", all37); + + var part704 = match("MESSAGE#666:UI_COMMIT_CONFIRMED_TIMED/2", 
"nwparser.p0", "%{}'%{username}' performed '%{action}'"); + + var all38 = all_match({ + processors: [ + dup49, + dup142, + part704, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","user performed commit confirm"), + dup22, + ]), + }); + + var msg671 = msg("UI_COMMIT_CONFIRMED_TIMED", all38); + + var part705 = match("MESSAGE#667:UI_COMMIT_EMPTY_CONTAINER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Skipped empty object %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Skipped empty object"), + dup22, + ])); + + var msg672 = msg("UI_COMMIT_EMPTY_CONTAINER", part705); + + var part706 = match("MESSAGE#668:UI_COMMIT_NOT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commit was not confirmed; %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","COMMIT NOT CONFIRMED"), + dup22, + ])); + + var msg673 = msg("UI_COMMIT_NOT_CONFIRMED", part706); + + var part707 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_0", "nwparser.p0", "commit %{p0}"); + + var part708 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_1", "nwparser.p0", "Commit operation in progress %{p0}"); + + var select67 = linear_select([ + part707, + part708, + ]); + + var part709 = match("MESSAGE#669:UI_COMMIT_PROGRESS/2", "nwparser.p0", ": %{action}"); + + var all39 = all_match({ + processors: [ + dup49, + select67, + part709, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","Commit operation in progress"), + dup22, + ]), + }); + + var msg674 = msg("UI_COMMIT_PROGRESS", all39); + + var part710 = match("MESSAGE#670:UI_COMMIT_QUIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","COMMIT QUIT"), + dup22, + ])); + + var msg675 = msg("UI_COMMIT_QUIT", part710); + + var part711 = match("MESSAGE#671:UI_COMMIT_ROLLBACK_FAILED", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Automatic rollback failed", processor_chain([ + dup29, + dup21, + setc("event_description","Automatic rollback failed"), + dup22, + ])); + + var msg676 = msg("UI_COMMIT_ROLLBACK_FAILED", part711); + + var part712 = match("MESSAGE#672:UI_COMMIT_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","COMMIT SYNC"), + dup22, + ])); + + var msg677 = msg("UI_COMMIT_SYNC", part712); + + var part713 = match("MESSAGE#673:UI_COMMIT_SYNC_FORCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: All logins to local configuration database were terminated because %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","All logins to local configuration database were terminated"), + dup22, + ])); + + var msg678 = msg("UI_COMMIT_SYNC_FORCE", part713); + + var part714 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process: %{agent}, path: %{p0}"); + + var part715 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_0", "nwparser.p0", "[%(unknown)], %{p0}"); + + var part716 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_1", "nwparser.p0", "%(unknown), %{p0}"); + + var select68 = linear_select([ + part715, + part716, + ]); + + var part717 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/2", "nwparser.p0", "%{}statement: %{info->} %{p0}"); + + var part718 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/3_0", "nwparser.p0", ", error: %{result->} "); + + var part719 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/3_1", "nwparser.p0", "%{space}"); + + var select69 = linear_select([ + part718, + part719, + ]); + + var all40 = all_match({ + processors: [ + part714, + select68, + part717, + select69, + ], + on_success: processor_chain([ + dup29, + dup21, + setc("event_description","CONFIGURATION ERROR"), + dup22, + ]), + }); + + var msg679 = 
msg("UI_CONFIGURATION_ERROR", all40); + + var part720 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/2", "nwparser.p0", "%{}socket connection accept failed: %{result}"); + + var all41 = all_match({ + processors: [ + dup49, + dup154, + part720, + ], + on_success: processor_chain([ + dup29, + dup21, + setc("event_description","socket connection accept failed"), + dup22, + ]), + }); + + var msg680 = msg("UI_DAEMON_ACCEPT_FAILED", all41); + + var part721 = match("MESSAGE#676:UI_DAEMON_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create session child: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to create session child"), + dup22, + ])); + + var msg681 = msg("UI_DAEMON_FORK_FAILED", part721); + + var part722 = match("MESSAGE#677:UI_DAEMON_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","DAEMON SELECT FAILED"), + dup22, + ])); + + var msg682 = msg("UI_DAEMON_SELECT_FAILED", part722); + + var part723 = match("MESSAGE#678:UI_DAEMON_SOCKET_FAILED/2", "nwparser.p0", "%{}socket create failed: %{result}"); + + var all42 = all_match({ + processors: [ + dup49, + dup154, + part723, + ], + on_success: processor_chain([ + dup29, + dup21, + setc("event_description","socket create failed"), + dup22, + ]), + }); + + var msg683 = msg("UI_DAEMON_SOCKET_FAILED", all42); + + var part724 = match("MESSAGE#679:UI_DBASE_ACCESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to reaccess database file '%(unknown)', address %{interface}, size %{dclass_counter1}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to reaccess database file"), + dup22, + ])); + + var msg684 = msg("UI_DBASE_ACCESS_FAILED", part724); + + var part725 = match("MESSAGE#680:UI_DBASE_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
Database '%(unknown)' is out of data and needs to be rebuilt", processor_chain([ + dup29, + dup21, + setc("event_description","Database is out of data"), + dup22, + ])); + + var msg685 = msg("UI_DBASE_CHECKOUT_FAILED", part725); + + var part726 = match("MESSAGE#681:UI_DBASE_EXTEND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to extend database file '%(unknown)' to size %{dclass_counter1}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to extend database file"), + dup22, + ])); + + var msg686 = msg("UI_DBASE_EXTEND_FAILED", part726); + + var part727 = match("MESSAGE#682:UI_DBASE_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' entering configuration mode", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","User entering configuration mode"), + dup22, + ])); + + var msg687 = msg("UI_DBASE_LOGIN_EVENT", part727); + + var part728 = match("MESSAGE#683:UI_DBASE_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{event_description}", processor_chain([ + dup123, + dup33, + dup34, + dup124, + dup36, + dup21, + setc("event_description","User exiting configuration mode"), + dup22, + ])); + + var msg688 = msg("UI_DBASE_LOGOUT_EVENT", part728); + + var part729 = match("MESSAGE#684:UI_DBASE_MISMATCH_EXTENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header extent mismatch for file '%{agent}': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Database header extent mismatch"), + dup22, + ])); + + var msg689 = msg("UI_DBASE_MISMATCH_EXTENT", part729); + + var part730 = match("MESSAGE#685:UI_DBASE_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header major version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, 
got %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Database header major version number mismatch"), + dup22, + ])); + + var msg690 = msg("UI_DBASE_MISMATCH_MAJOR", part730); + + var part731 = match("MESSAGE#686:UI_DBASE_MISMATCH_MINOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header minor version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Database header minor version number mismatch"), + dup22, + ])); + + var msg691 = msg("UI_DBASE_MISMATCH_MINOR", part731); + + var part732 = match("MESSAGE#687:UI_DBASE_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header sequence numbers mismatch for file '%(unknown)'", processor_chain([ + dup29, + dup21, + setc("event_description","Database header sequence numbers mismatch"), + dup22, + ])); + + var msg692 = msg("UI_DBASE_MISMATCH_SEQUENCE", part732); + + var part733 = match("MESSAGE#688:UI_DBASE_MISMATCH_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header size mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Database header size mismatch"), + dup22, + ])); + + var msg693 = msg("UI_DBASE_MISMATCH_SIZE", part733); + + var part734 = match("MESSAGE#689:UI_DBASE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database open failed for file '%(unknown)': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Database open failed"), + dup22, + ])); + + var msg694 = msg("UI_DBASE_OPEN_FAILED", part734); + + var part735 = match("MESSAGE#690:UI_DBASE_REBUILD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} Automatic rebuild of the database '%(unknown)' failed", processor_chain([ + 
dup29, + dup21, + setc("event_description","DBASE REBUILD FAILED"), + dup22, + ])); + + var msg695 = msg("UI_DBASE_REBUILD_FAILED", part735); + + var part736 = match("MESSAGE#691:UI_DBASE_REBUILD_SCHEMA_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Automatic rebuild of the database failed", processor_chain([ + dup29, + dup21, + setc("event_description","Automatic rebuild of the database failed"), + dup22, + ])); + + var msg696 = msg("UI_DBASE_REBUILD_SCHEMA_FAILED", part736); + + var part737 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/1_1", "nwparser.p0", "Automatic %{p0}"); + + var select70 = linear_select([ + dup75, + part737, + ]); + + var part738 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/2", "nwparser.p0", "%{} %{username->} rebuild/rollback of the database '%(unknown)' started"); + + var all43 = all_match({ + processors: [ + dup49, + select70, + part738, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","DBASE REBUILD STARTED"), + dup22, + ]), + }); + + var msg697 = msg("UI_DBASE_REBUILD_STARTED", all43); + + var part739 = match("MESSAGE#693:UI_DBASE_RECREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' attempting database re-creation", processor_chain([ + dup20, + dup21, + setc("event_description","user attempting database re-creation"), + dup22, + ])); + + var msg698 = msg("UI_DBASE_RECREATE", part739); + + var part740 = match("MESSAGE#694:UI_DBASE_REOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reopen of the database failed", processor_chain([ + dup29, + dup21, + setc("event_description","Reopen of the database failed"), + dup22, + ])); + + var msg699 = msg("UI_DBASE_REOPEN_FAILED", part740); + + var part741 = match("MESSAGE#695:UI_DUPLICATE_UID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Users %{username->} have the same UID %{uid}", processor_chain([ + dup29, + dup21, + setc("event_description","Users 
have the same UID"), + dup22, + ])); + + var msg700 = msg("UI_DUPLICATE_UID", part741); + + var part742 = match("MESSAGE#696:UI_JUNOSCRIPT_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used JUNOScript client to run command '%{action}'", processor_chain([ + setc("eventcategory","1401050100"), + dup21, + setc("event_description","User used JUNOScript client to run command"), + dup22, + ])); + + var msg701 = msg("UI_JUNOSCRIPT_CMD", part742); + + var part743 = match("MESSAGE#697:UI_JUNOSCRIPT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: JUNOScript error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","JUNOScript error"), + dup22, + ])); + + var msg702 = msg("UI_JUNOSCRIPT_ERROR", part743); + + var part744 = match("MESSAGE#698:UI_LOAD_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' is performing a '%{action}'", processor_chain([ + dup20, + dup21, + setc("event_description","User command"), + dup22, + ])); + + var msg703 = msg("UI_LOAD_EVENT", part744); + + var part745 = match("MESSAGE#699:UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Loading the default config from %(unknown)", processor_chain([ + setc("eventcategory","1701040000"), + dup21, + setc("event_description","Loading default config from file"), + dup22, + ])); + + var msg704 = msg("UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", part745); + + var part746 = match("MESSAGE#700:UI_LOGIN_EVENT:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' [%{fld01}], %{info->} '%{saddr->} %{sport->} %{daddr->} %{dport}', client-mode '%{fld02}'", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + dup125, + dup126, + dup22, + ])); + + var msg705 = msg("UI_LOGIN_EVENT:01", part746); + + var part747 = match("MESSAGE#701:UI_LOGIN_EVENT", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' %{info}", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + dup125, + dup22, + ])); + + var msg706 = msg("UI_LOGIN_EVENT", part747); + + var select71 = linear_select([ + msg705, + msg706, + ]); + + var part748 = match("MESSAGE#702:UI_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' logout", processor_chain([ + dup123, + dup33, + dup34, + dup124, + dup36, + dup21, + setc("event_description","User logout"), + dup22, + ])); + + var msg707 = msg("UI_LOGOUT_EVENT", part748); + + var part749 = match("MESSAGE#703:UI_LOST_CONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Lost connection to daemon %{agent}", processor_chain([ + dup29, + dup21, + setc("event_description","Lost connection to daemon"), + dup22, + ])); + + var msg708 = msg("UI_LOST_CONN", part749); + + var part750 = match("MESSAGE#704:UI_MASTERSHIP_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} by '%{username}'", processor_chain([ + dup20, + dup21, + setc("event_description","MASTERSHIP EVENT"), + dup22, + ])); + + var msg709 = msg("UI_MASTERSHIP_EVENT", part750); + + var part751 = match("MESSAGE#705:UI_MGD_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Terminating operation: exit status %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","Terminating operation"), + dup22, + ])); + + var msg710 = msg("UI_MGD_TERMINATE", part751); + + var part752 = match("MESSAGE#706:UI_NETCONF_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used NETCONF client to run command '%{action}'", processor_chain([ + dup28, + dup21, + setc("event_description","User used NETCONF client to run command"), + dup22, + ])); + + var msg711 = msg("UI_NETCONF_CMD", part752); + + var part753 = match("MESSAGE#707:UI_READ_FAILED", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: read failed for peer %{hostname}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","read failed for peer"), + dup22, + ])); + + var msg712 = msg("UI_READ_FAILED", part753); + + var part754 = match("MESSAGE#708:UI_READ_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout on read of peer %{hostname}", processor_chain([ + dup29, + dup21, + setc("event_description","Timeout on read of peer"), + dup22, + ])); + + var msg713 = msg("UI_READ_TIMEOUT", part754); + + var part755 = match("MESSAGE#709:UI_REBOOT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: System %{action->} by '%{username}'", processor_chain([ + dup59, + dup21, + setc("event_description","System reboot or halt"), + dup22, + ])); + + var msg714 = msg("UI_REBOOT_EVENT", part755); + + var part756 = match("MESSAGE#710:UI_RESTART_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' restarting daemon %{service}", processor_chain([ + dup28, + dup21, + setc("event_description","user restarting daemon"), + dup22, + ])); + + var msg715 = msg("UI_RESTART_EVENT", part756); + + var part757 = match("MESSAGE#711:UI_SCHEMA_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema is out of date and %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Schema is out of date"), + dup22, + ])); + + var msg716 = msg("UI_SCHEMA_CHECKOUT_FAILED", part757); + + var part758 = match("MESSAGE#712:UI_SCHEMA_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema major version mismatch for package %{filename->} %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Schema major version mismatch"), + dup22, + ])); + + var msg717 = msg("UI_SCHEMA_MISMATCH_MAJOR", part758); + + var part759 = match("MESSAGE#713:UI_SCHEMA_MISMATCH_MINOR", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Schema minor version mismatch for package %{filename->} %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Schema minor version mismatch"), + dup22, + ])); + + var msg718 = msg("UI_SCHEMA_MISMATCH_MINOR", part759); + + var part760 = match("MESSAGE#714:UI_SCHEMA_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema header sequence numbers mismatch for package %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","Schema header sequence numbers mismatch"), + dup22, + ])); + + var msg719 = msg("UI_SCHEMA_MISMATCH_SEQUENCE", part760); + + var part761 = match("MESSAGE#715:UI_SCHEMA_SEQUENCE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema sequence number mismatch", processor_chain([ + dup29, + dup21, + setc("event_description","Schema sequence number mismatch"), + dup22, + ])); + + var msg720 = msg("UI_SCHEMA_SEQUENCE_ERROR", part761); + + var part762 = match("MESSAGE#716:UI_SYNC_OTHER_RE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration synchronization with remote Routing Engine %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Configuration synchronization with remote Routing Engine"), + dup22, + ])); + + var msg721 = msg("UI_SYNC_OTHER_RE", part762); + + var part763 = match("MESSAGE#717:UI_TACPLUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TACACS+ failure: %{result}", processor_chain([ + dup29, + dup21, + dup127, + dup22, + ])); + + var msg722 = msg("UI_TACPLUS_ERROR", part763); + + var part764 = match("MESSAGE#718:UI_VERSION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch system version: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to fetch system version"), + dup22, + ])); + + var msg723 = msg("UI_VERSION_FAILED", part764); + + var part765 = 
match("MESSAGE#719:UI_WRITE_RECONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Re-establishing connection to peer %{hostname}", processor_chain([ + dup20, + dup21, + setc("event_description","Re-establishing connection to peer"), + dup22, + ])); + + var msg724 = msg("UI_WRITE_RECONNECT", part765); + + var part766 = match("MESSAGE#720:VRRPD_NEWMASTER_TRAP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Interface %{interface->} (local addr: %{saddr}) is now master for %{username}", processor_chain([ + dup20, + dup21, + setc("event_description","Interface new master for User"), + dup22, + ])); + + var msg725 = msg("VRRPD_NEWMASTER_TRAP", part766); + + var part767 = match("MESSAGE#721:WEB_AUTH_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to authenticate %{obj_name->} (username %{c_username})", processor_chain([ + dup68, + dup33, + dup34, + dup42, + dup21, + setc("event_description","Unable to authenticate client"), + dup22, + ])); + + var msg726 = msg("WEB_AUTH_FAIL", part767); + + var part768 = match("MESSAGE#722:WEB_AUTH_SUCCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated %{agent->} client (username %{c_username})", processor_chain([ + dup79, + dup33, + dup34, + dup36, + dup21, + setc("event_description","Authenticated client"), + dup22, + ])); + + var msg727 = msg("WEB_AUTH_SUCCESS", part768); + + var part769 = match("MESSAGE#723:WEB_INTERFACE_UNAUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Web services request received from unauthorized interface %{interface}", processor_chain([ + setc("eventcategory","1001030300"), + dup21, + setc("event_description","web request from unauthorized interface"), + dup22, + ])); + + var msg728 = msg("WEB_INTERFACE_UNAUTH", part769); + + var part770 = match("MESSAGE#724:WEB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to read from client: %{result}", processor_chain([ + 
dup73, + dup21, + setc("event_description","Unable to read from client"), + dup22, + ])); + + var msg729 = msg("WEB_READ", part770); + + var part771 = match("MESSAGE#725:WEBFILTER_REQUEST_NOT_CHECKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Error encountered: %{result}, failed to check request %{url}", processor_chain([ + setc("eventcategory","1204020100"), + dup21, + setc("event_description","failed to check web request"), + dup22, + ])); + + var msg730 = msg("WEBFILTER_REQUEST_NOT_CHECKED", part771); + + var part772 = match("MESSAGE#726:FLOW_REASSEMBLE_FAIL", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" destination-address=\"%{daddr}\" assembly-id=\"%{fld1}\"]", processor_chain([ + dup73, + dup52, + dup42, + dup21, + dup51, + ])); + + var msg731 = msg("FLOW_REASSEMBLE_FAIL", part772); + + var part773 = match("MESSAGE#727:eswd", "nwparser.payload", "%{process}[%{process_id}]: Bridge Address: add %{macaddr}", processor_chain([ + dup28, + dup21, + setc("event_description","Bridge Address"), + dup22, + ])); + + var msg732 = msg("eswd", part773); + + var part774 = match("MESSAGE#728:eswd:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: STP state for interface %{interface->} context id %{id->} changed from %{fld3}", processor_chain([ + dup28, + dup21, + setc("event_description","ESWD STP State Change Info"), + dup22, + ])); + + var msg733 = msg("eswd:01", part774); + + var select72 = linear_select([ + msg732, + msg733, + ]); + + var part775 = match("MESSAGE#729:/usr/sbin/cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD ( %{action})", processor_chain([ + dup28, + dup21, + dup25, + dup22, + ])); + + var msg734 = msg("/usr/sbin/cron", part775); + + var part776 = match("MESSAGE#730:chassism:02", "nwparser.payload", "%{process}[%{process_id}]: %{info}: ifd %{interface->} %{action}", processor_chain([ + dup28, + dup21, + setc("event_description","Link status change event"), 
+ dup22, + ])); + + var msg735 = msg("chassism:02", part776); + + var part777 = match("MESSAGE#731:chassism:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{interface}, %{action}", processor_chain([ + dup28, + dup21, + setc("event_description","ifd process flaps"), + dup22, + ])); + + var msg736 = msg("chassism:01", part777); + + var part778 = match("MESSAGE#732:chassism", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{action}", processor_chain([ + dup28, + dup21, + setc("event_description","IFCM "), + dup22, + ])); + + var msg737 = msg("chassism", part778); + + var select73 = linear_select([ + msg735, + msg736, + msg737, + ]); + + var msg738 = msg("WEBFILTER_URL_PERMITTED", dup155); + + var part779 = match("MESSAGE#734:WEBFILTER_URL_PERMITTED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7}", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var msg739 = msg("WEBFILTER_URL_PERMITTED:01", part779); + + var part780 = match("MESSAGE#735:WEBFILTER_URL_PERMITTED:03", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=%{fld4}", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var msg740 = msg("WEBFILTER_URL_PERMITTED:03", 
part780); + + var part781 = match("MESSAGE#736:WEBFILTER_URL_PERMITTED:02", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=%{url}", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var msg741 = msg("WEBFILTER_URL_PERMITTED:02", part781); + + var select74 = linear_select([ + msg738, + msg739, + msg740, + msg741, + ]); + + var msg742 = msg("WEBFILTER_URL_BLOCKED", dup155); + + var part782 = match("MESSAGE#738:WEBFILTER_URL_BLOCKED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url}", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var msg743 = msg("WEBFILTER_URL_BLOCKED:01", part782); + + var select75 = linear_select([ + msg742, + msg743, + ]); + + var part783 = match("MESSAGE#740:SECINTEL_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access url %{url->} on port %{network_port->} failed\u003c\u003c%{result}>.", processor_chain([ + dup45, + dup46, + dup22, + dup21, + dup126, + ])); + + var msg744 = msg("SECINTEL_NETWORK_CONNECT_FAILED", part783); + + var part784 = match("MESSAGE#741:AAMWD_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access host %{hostname->} on ip %{hostip->} port %{network_port->} %{result}.", processor_chain([ + dup45, + dup46, + dup22, + ])); + + var msg745 = 
msg("AAMWD_NETWORK_CONNECT_FAILED", part784); + + var part785 = match("MESSAGE#742:PKID_UNABLE_TO_GET_CRL", "nwparser.payload", "%{process}[%{process_id}]: %{id}: Failed to retrieve CRL from received file for %{node}", processor_chain([ + dup45, + dup46, + dup22, + dup21, + dup126, + ])); + + var msg746 = msg("PKID_UNABLE_TO_GET_CRL", part785); + + var part786 = match("MESSAGE#743:SECINTEL_ERROR_OTHERS", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> %{result}", processor_chain([ + dup45, + dup46, + dup22, + dup21, + dup126, + ])); + + var msg747 = msg("SECINTEL_ERROR_OTHERS", part786); + + var part787 = match("MESSAGE#744:JSRPD_HA_CONTROL_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{id}: HA control link monitor status is marked up", processor_chain([ + dup47, + dup46, + dup22, + dup21, + dup126, + ])); + + var msg748 = msg("JSRPD_HA_CONTROL_LINK_UP", part787); + + var part788 = match("MESSAGE#745:LACPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: LACPD_TIMEOUT: %{sinterface}: %{event_description}", processor_chain([ + dup45, + dup46, + dup22, + dup21, + dup126, + ])); + + var msg749 = msg("LACPD_TIMEOUT", part788); + + var msg750 = msg("cli", dup156); + + var msg751 = msg("pfed", dup156); + + var msg752 = msg("idpinfo", dup156); + + var msg753 = msg("kmd", dup156); + + var part789 = match("MESSAGE#751:node:01", "nwparser.payload", "%{hostname->} %{node->} Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ + dup20, + dup22, + dup21, + ])); + + var msg754 = msg("node:01", part789); + + var part790 = match("MESSAGE#752:node:02", "nwparser.payload", "%{hostname->} %{node->} %{process}: Trying peer connection, status %{resultcode}, attempt %{fld1}", processor_chain([ + dup20, + dup22, + dup21, + ])); + + var msg755 = msg("node:02", part790); + + var part791 = match("MESSAGE#753:node:03", "nwparser.payload", "%{hostname->} %{node->} %{process}: trying master connection, 
status %{resultcode}, attempt %{fld1}", processor_chain([ + dup20, + dup22, + dup21, + ])); + + var msg756 = msg("node:03", part791); + + var part792 = match("MESSAGE#754:node:04", "nwparser.payload", "%{hostname->} %{node->} %{fld1->} key %{fld2->} %{fld3->} port priority %{fld6->} %{fld4->} port %{portname->} %{fld5->} state %{resultcode}", processor_chain([ + dup20, + dup22, + dup21, + ])); + + var msg757 = msg("node:04", part792); + + var select76 = linear_select([ + dup129, + dup130, + ]); + + var part793 = match("MESSAGE#755:node:05/2", "nwparser.p0", "%{}sys priority %{fld4->} %{p0}"); + + var select77 = linear_select([ + dup130, + dup129, + ]); + + var part794 = match("MESSAGE#755:node:05/4", "nwparser.p0", "%{}sys %{interface}"); + + var all44 = all_match({ + processors: [ + dup128, + select76, + part793, + select77, + part794, + ], + on_success: processor_chain([ + dup20, + dup22, + dup21, + ]), + }); + + var msg758 = msg("node:05", all44); + + var part795 = match("MESSAGE#756:node:06/1_0", "nwparser.p0", "dst mac %{dinterface}"); + + var part796 = match("MESSAGE#756:node:06/1_1", "nwparser.p0", "src mac %{sinterface->} ether type %{fld1}"); + + var select78 = linear_select([ + part795, + part796, + ]); + + var all45 = all_match({ + processors: [ + dup128, + select78, + ], + on_success: processor_chain([ + dup20, + dup22, + dup21, + ]), + }); + + var msg759 = msg("node:06", all45); + + var part797 = match("MESSAGE#757:node:07", "nwparser.payload", "%{hostname->} %{node->} %{process}: interface %{interface->} trigger reth_scan", processor_chain([ + dup20, + dup22, + dup21, + ])); + + var msg760 = msg("node:07", part797); + + var part798 = match("MESSAGE#758:node:08", "nwparser.payload", "%{hostname->} %{node->} %{process}: %{info}", processor_chain([ + dup20, + dup22, + dup21, + ])); + + var msg761 = msg("node:08", part798); + + var part799 = match("MESSAGE#759:node:09", "nwparser.payload", "%{hostname->} %{node->} %{fld1}", processor_chain([ + dup20, + 
dup22, + dup21, + ])); + + var msg762 = msg("node:09", part799); + + var select79 = linear_select([ + msg754, + msg755, + msg756, + msg757, + msg758, + msg759, + msg760, + msg761, + msg762, + ]); + + var part800 = match("MESSAGE#760:(FPC:01", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: deleting active remote neighbor entry %{fld2->} from interface %{interface}.", processor_chain([ + dup20, + dup22, + dup21, + dup23, + ])); + + var msg763 = msg("(FPC:01", part800); + + var part801 = match("MESSAGE#761:(FPC:02", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type->} deleting nb %{fld2->} on ifd %{interface->} for cid %{fld3->} from active neighbor table", processor_chain([ + dup20, + dup22, + dup21, + dup23, + ])); + + var msg764 = msg("(FPC:02", part801); + + var part802 = match("MESSAGE#762:(FPC:03/0", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: M%{p0}"); + + var part803 = match("MESSAGE#762:(FPC:03/1_0", "nwparser.p0", "DOWN %{p0}"); + + var part804 = match("MESSAGE#762:(FPC:03/1_1", "nwparser.p0", "UP %{p0}"); + + var select80 = linear_select([ + part803, + part804, + ]); + + var part805 = match("MESSAGE#762:(FPC:03/2", "nwparser.p0", "%{}received for interface %{interface}, member of %{fld4}"); + + var all46 = all_match({ + processors: [ + part802, + select80, + part805, + ], + on_success: processor_chain([ + dup20, + dup22, + dup21, + dup23, + ]), + }); + + var msg765 = msg("(FPC:03", all46); + + var part806 = match("MESSAGE#763:(FPC:04", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: ifd=%{interface}, ifd flags=%{fld2}", processor_chain([ + dup20, + dup22, + dup21, + dup23, + ])); + + var msg766 = msg("(FPC:04", part806); + + var part807 = match("MESSAGE#764:(FPC:05", "nwparser.payload", "%{fld1}) %{node->} kernel: rdp keepalive expired, connection dropped - src %{fld3}:%{fld2->} dest %{fld4}:%{fld5}", processor_chain([ + dup20, + dup22, + dup21, + dup23, + ])); + + var msg767 = msg("(FPC:05", 
part807); + + var part808 = match("MESSAGE#765:(FPC", "nwparser.payload", "%{fld1}) %{node->} %{fld10}", processor_chain([ + dup20, + dup22, + dup21, + dup23, + ])); + + var msg768 = msg("(FPC", part808); + + var select81 = linear_select([ + msg763, + msg764, + msg765, + msg766, + msg767, + msg768, + ]); + + var part809 = match("MESSAGE#766:tnp.bootpd", "nwparser.payload", "%{process}[%{process_id}]:%{fld1}", processor_chain([ + dup47, + dup22, + dup21, + dup23, + ])); + + var msg769 = msg("tnp.bootpd", part809); + + var part810 = match("MESSAGE#769:AAMW_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} hostname=\"%{hostname}\" file-category=\"%{fld9}\" verdict-number=\"%{fld10}\" action=\"%{action}\" list-hit=\"%{fld19}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" policy-name=\"%{policyname}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" url=\"%{url}\"] %{fld27}", processor_chain([ + dup47, + dup51, + dup21, + dup60, + ])); + + var msg770 = msg("AAMW_ACTION_LOG", part810); + + var part811 = match("MESSAGE#770:AAMW_HOST_INFECTED_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" client-ip-str=\"%{hostip}\" hostname=\"%{hostname}\" status=\"%{fld13}\" policy-name=\"%{policyname}\" verdict-number=\"%{fld15}\" state=\"%{fld16}\" reason=\"%{result}\" message=\"%{info}\" %{fld3}", processor_chain([ + dup131, + dup51, + dup21, + dup60, + ])); + + var msg771 = msg("AAMW_HOST_INFECTED_EVENT_LOG", part811); + + var part812 = match("MESSAGE#771:AAMW_MALWARE_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" sample-sha256=\"%{checksum}\" client-ip-str=\"%{hostip}\" 
verdict-number=\"%{fld26}\" malware-info=\"%{threat_name}\" username=\"%{username}\" hostname=\"%{hostname}\" %{fld3}", processor_chain([ + dup131, + dup51, + dup21, + ])); + + var msg772 = msg("AAMW_MALWARE_EVENT_LOG", part812); + + var part813 = match("MESSAGE#772:IDP_ATTACK_LOG_EVENT", "nwparser.payload", "%{event_type}[junos@%{fld32->} epoch-time=\"%{fld1}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" service-name=\"%{service}\" application-name=\"%{application}\" rule-name=\"%{fld5}\" rulebase-name=\"%{rulename}\" policy-name=\"%{policyname}\" export-id=\"%{fld6}\" repeat-count=\"%{fld7}\" action=\"%{action}\" threat-severity=\"%{severity}\" attack-name=\"%{threat_name}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" elapsed-time=%{fld8->} inbound-bytes=\"%{rbytes}\" outbound-bytes=\"%{sbytes}\" inbound-packets=\"%{packets}\" outbound-packets=\"%{dclass_counter1}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" packet-log-id=\"%{fld9}\" alert=\"%{fld19}\" username=\"%{username}\" roles=\"%{fld15}\" message=\"%{fld28}\" %{fld3}", processor_chain([ + dup80, + dup51, + dup21, + dup60, + ])); + + var msg773 = msg("IDP_ATTACK_LOG_EVENT", part813); + + var part814 = match("MESSAGE#773:RT_SCREEN_ICMP", "nwparser.payload", "%{event_type}[junos@%{fld32->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"] %{fld23}", processor_chain([ + dup80, + dup51, + dup21, + dup60, + ])); + + var msg774 = msg("RT_SCREEN_ICMP", part814); + + var part815 = match("MESSAGE#774:SECINTEL_ACTION_LOG", "nwparser.payload", 
"%{event_type}[junos@%{fld32->} category=\"%{fld1}\" sub-category=\"%{fld2}\" action=\"%{action}\" action-detail=\"%{fld4}\" http-host=\"%{fld17}\" threat-severity=\"%{severity}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld5}\" nested-application=\"%{fld6}\" feed-name=\"%{fld18}\" policy-name=\"%{policyname}\" profile-name=\"%{rulename}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\"]%{fld10}", processor_chain([ + dup45, + dup51, + dup21, + dup60, + ])); + + var msg775 = msg("SECINTEL_ACTION_LOG", part815); + + var part816 = match("MESSAGE#775:qsfp/0", "nwparser.payload", "%{hostname->} %{p0}"); + + var part817 = match("MESSAGE#775:qsfp/1_0", "nwparser.p0", "%{fld2->} %{fld3->} %{process}: qsfp-%{interface->} Chan# %{p0}"); + + var part818 = match("MESSAGE#775:qsfp/1_1", "nwparser.p0", "%{fld2->} qsfp-%{interface->} Chan# %{p0}"); + + var select82 = linear_select([ + part817, + part818, + ]); + + var part819 = match("MESSAGE#775:qsfp/2", "nwparser.p0", "%{fld5}:%{event_description}"); + + var all47 = all_match({ + processors: [ + part816, + select82, + part819, + ], + on_success: processor_chain([ + dup20, + dup21, + dup22, + ]), + }); + + var msg776 = msg("qsfp", all47); + + var part820 = match("MESSAGE#776:JUNOSROUTER_GENERIC:03", "nwparser.payload", "%{event_type}: User '%{username}', command '%{action}'", processor_chain([ + dup20, + dup21, + dup119, + dup22, + ])); + + var msg777 = msg("JUNOSROUTER_GENERIC:03", part820); + + var part821 = match("MESSAGE#777:JUNOSROUTER_GENERIC:04", "nwparser.payload", "%{event_type}: User '%{username}' %{fld1}", processor_chain([ + dup123, + dup33, + dup34, + dup124, + dup36, + dup21, + setc("event_description","LOGOUT"), + dup22, + ])); + + var msg778 = msg("JUNOSROUTER_GENERIC:04", part821); + + var 
part822 = match("MESSAGE#778:JUNOSROUTER_GENERIC:05", "nwparser.payload", "%{event_type}: TACACS+ failure: %{result}", processor_chain([ + dup29, + dup21, + dup127, + dup22, + ])); + + var msg779 = msg("JUNOSROUTER_GENERIC:05", part822); + + var part823 = match("MESSAGE#779:JUNOSROUTER_GENERIC:06", "nwparser.payload", "%{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ + dup29, + dup21, + dup56, + dup22, + ])); + + var msg780 = msg("JUNOSROUTER_GENERIC:06", part823); + + var part824 = match("MESSAGE#780:JUNOSROUTER_GENERIC:07", "nwparser.payload", "%{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ + dup20, + dup21, + dup37, + dup22, + ])); + + var msg781 = msg("JUNOSROUTER_GENERIC:07", part824); + + var part825 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/0", "nwparser.payload", "%{event_type}: NOTIFICATION received from %{p0}"); + + var part826 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_0", "nwparser.p0", "%{daddr->} (%{dhost}): code %{resultcode->} (%{action}), socket buffer sndcc: %{fld1->} rcvcc: %{fld2->} TCP state: %{event_state}, snd_una: %{fld3->} snd_nxt: %{fld4->} snd_wnd: %{fld5->} rcv_nxt: %{fld6->} rcv_adv: %{fld7}, hold timer %{fld8}"); + + var part827 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_1", "nwparser.p0", "%{daddr->} (%{dhost}): code %{resultcode->} (%{action})"); + + var select83 = linear_select([ + part826, + part827, + ]); + + var all48 = all_match({ + processors: [ + part825, + select83, + ], + on_success: processor_chain([ + dup20, + dup21, + dup37, + dup22, + ]), + }); + + var msg782 = msg("JUNOSROUTER_GENERIC:08", all48); + + var part828 = match("MESSAGE#782:JUNOSROUTER_GENERIC:09", "nwparser.payload", "%{event_type}: [edit interfaces%{interface}unit%{fld1}family inet address%{hostip}/%{network_port}] :%{event_description}:%{info}", processor_chain([ + dup20, + dup21, + dup22, + ])); + + var 
msg783 = msg("JUNOSROUTER_GENERIC:09", part828); + + var part829 = match("MESSAGE#783:JUNOSROUTER_GENERIC:01", "nwparser.payload", "%{event_type->} Interface Monitor failed %{fld1}", processor_chain([ + dup132, + dup22, + dup21, + setc("event_description","Interface Monitor failed "), + dup23, + ])); + + var msg784 = msg("JUNOSROUTER_GENERIC:01", part829); + + var part830 = match("MESSAGE#784:JUNOSROUTER_GENERIC:02", "nwparser.payload", "%{event_type->} Interface Monitor failure recovered %{fld1}", processor_chain([ + dup132, + dup22, + dup21, + setc("event_description","Interface Monitor failure recovered"), + dup23, + ])); + + var msg785 = msg("JUNOSROUTER_GENERIC:02", part830); + + var part831 = match("MESSAGE#785:JUNOSROUTER_GENERIC", "nwparser.payload", "%{event_type->} %{fld1}", processor_chain([ + dup132, + dup22, + dup21, + dup23, + ])); + + var msg786 = msg("JUNOSROUTER_GENERIC", part831); + + var select84 = linear_select([ + msg777, + msg778, + msg779, + msg780, + msg781, + msg782, + msg783, + msg784, + msg785, + msg786, + ]); + + var chain1 = processor_chain([ + select5, + msgid_select({ + "(FPC": select81, + "/usr/libexec/telnetd": msg2, + "/usr/sbin/cron": msg734, + "/usr/sbin/sshd": msg1, + "AAMWD_NETWORK_CONNECT_FAILED": msg745, + "AAMW_ACTION_LOG": msg770, + "AAMW_HOST_INFECTED_EVENT_LOG": msg771, + "AAMW_MALWARE_EVENT_LOG": msg772, + "ACCT_ACCOUNTING_FERROR": msg114, + "ACCT_ACCOUNTING_FOPEN_ERROR": msg115, + "ACCT_ACCOUNTING_SMALL_FILE_SIZE": msg116, + "ACCT_BAD_RECORD_FORMAT": msg117, + "ACCT_CU_RTSLIB_error": msg118, + "ACCT_GETHOSTNAME_error": msg119, + "ACCT_MALLOC_FAILURE": msg120, + "ACCT_UNDEFINED_COUNTER_NAME": msg121, + "ACCT_XFER_FAILED": msg122, + "ACCT_XFER_POPEN_FAIL": msg123, + "APPQOS_LOG_EVENT": msg124, + "APPTRACK_SESSION_CLOSE": select30, + "APPTRACK_SESSION_CREATE": msg125, + "APPTRACK_SESSION_VOL_UPDATE": select31, + "BCHIP": msg106, + "BFDD_TRAP_STATE_DOWN": msg130, + "BFDD_TRAP_STATE_UP": msg131, + "BOOTPD_ARG_ERR": msg143, + 
"BOOTPD_BAD_ID": msg144, + "BOOTPD_BOOTSTRING": msg145, + "BOOTPD_CONFIG_ERR": msg146, + "BOOTPD_CONF_OPEN": msg147, + "BOOTPD_DUP_REV": msg148, + "BOOTPD_DUP_SLOT": msg149, + "BOOTPD_MODEL_CHK": msg150, + "BOOTPD_MODEL_ERR": msg151, + "BOOTPD_NEW_CONF": msg152, + "BOOTPD_NO_BOOTSTRING": msg153, + "BOOTPD_NO_CONFIG": msg154, + "BOOTPD_PARSE_ERR": msg155, + "BOOTPD_REPARSE": msg156, + "BOOTPD_SELECT_ERR": msg157, + "BOOTPD_TIMEOUT": msg158, + "BOOTPD_VERSION": msg159, + "CHASSISD": msg160, + "CHASSISD_ARGUMENT_ERROR": msg161, + "CHASSISD_BLOWERS_SPEED": msg162, + "CHASSISD_BLOWERS_SPEED_FULL": msg163, + "CHASSISD_CB_READ": msg164, + "CHASSISD_COMMAND_ACK_ERROR": msg165, + "CHASSISD_COMMAND_ACK_SF_ERROR": msg166, + "CHASSISD_CONCAT_MODE_ERROR": msg167, + "CHASSISD_CONFIG_INIT_ERROR": msg168, + "CHASSISD_CONFIG_WARNING": msg169, + "CHASSISD_EXISTS": msg170, + "CHASSISD_EXISTS_TERM_OTHER": msg171, + "CHASSISD_FILE_OPEN": msg172, + "CHASSISD_FILE_STAT": msg173, + "CHASSISD_FRU_EVENT": msg174, + "CHASSISD_FRU_IPC_WRITE_ERROR_EXT": msg175, + "CHASSISD_FRU_STEP_ERROR": msg176, + "CHASSISD_GETTIMEOFDAY": msg177, + "CHASSISD_HIGH_TEMP_CONDITION": msg214, + "CHASSISD_HOST_TEMP_READ": msg178, + "CHASSISD_IFDEV_DETACH_ALL_PSEUDO": msg179, + "CHASSISD_IFDEV_DETACH_FPC": msg180, + "CHASSISD_IFDEV_DETACH_PIC": msg181, + "CHASSISD_IFDEV_DETACH_PSEUDO": msg182, + "CHASSISD_IFDEV_DETACH_TLV_ERROR": msg183, + "CHASSISD_IFDEV_GET_BY_INDEX_FAIL": msg184, + "CHASSISD_IPC_MSG_QFULL_ERROR": msg185, + "CHASSISD_IPC_UNEXPECTED_RECV": msg186, + "CHASSISD_IPC_WRITE_ERR_NO_PIPE": msg187, + "CHASSISD_IPC_WRITE_ERR_NULL_ARGS": msg188, + "CHASSISD_MAC_ADDRESS_ERROR": msg189, + "CHASSISD_MAC_DEFAULT": msg190, + "CHASSISD_MBUS_ERROR": msg191, + "CHASSISD_PARSE_COMPLETE": msg192, + "CHASSISD_PARSE_ERROR": msg193, + "CHASSISD_PARSE_INIT": msg194, + "CHASSISD_PIDFILE_OPEN": msg195, + "CHASSISD_PIPE_WRITE_ERROR": msg196, + "CHASSISD_POWER_CHECK": msg197, + "CHASSISD_RECONNECT_SUCCESSFUL": msg198, + 
"CHASSISD_RELEASE_MASTERSHIP": msg199, + "CHASSISD_RE_INIT_INVALID_RE_SLOT": msg200, + "CHASSISD_ROOT_MOUNT_ERROR": msg201, + "CHASSISD_RTS_SEQ_ERROR": msg202, + "CHASSISD_SBOARD_VERSION_MISMATCH": msg203, + "CHASSISD_SERIAL_ID": msg204, + "CHASSISD_SMB_ERROR": msg205, + "CHASSISD_SNMP_TRAP10": msg208, + "CHASSISD_SNMP_TRAP6": msg206, + "CHASSISD_SNMP_TRAP7": msg207, + "CHASSISD_TERM_SIGNAL": msg209, + "CHASSISD_TRACE_PIC_OFFLINE": msg210, + "CHASSISD_UNEXPECTED_EXIT": msg211, + "CHASSISD_UNSUPPORTED_MODEL": msg212, + "CHASSISD_VERSION_MISMATCH": msg213, + "CM": msg107, + "CM_JAVA": msg216, + "COS": msg108, + "COSFPC": msg109, + "COSMAN": msg110, + "CRON": msg16, + "CROND": select11, + "Cmerror": msg17, + "DCD_AS_ROOT": msg217, + "DCD_FILTER_LIB_ERROR": msg218, + "DCD_MALLOC_FAILED_INIT": msg219, + "DCD_PARSE_EMERGENCY": msg220, + "DCD_PARSE_FILTER_EMERGENCY": msg221, + "DCD_PARSE_MINI_EMERGENCY": msg222, + "DCD_PARSE_STATE_EMERGENCY": msg223, + "DCD_POLICER_PARSE_EMERGENCY": msg224, + "DCD_PULL_LOG_FAILURE": msg225, + "DFWD_ARGUMENT_ERROR": msg226, + "DFWD_MALLOC_FAILED_INIT": msg227, + "DFWD_PARSE_FILTER_EMERGENCY": msg228, + "DFWD_PARSE_STATE_EMERGENCY": msg229, + "ECCD_DAEMONIZE_FAILED": msg230, + "ECCD_DUPLICATE": msg231, + "ECCD_LOOP_EXIT_FAILURE": msg232, + "ECCD_NOT_ROOT": msg233, + "ECCD_PCI_FILE_OPEN_FAILED": msg234, + "ECCD_PCI_READ_FAILED": msg235, + "ECCD_PCI_WRITE_FAILED": msg236, + "ECCD_PID_FILE_LOCK": msg237, + "ECCD_PID_FILE_UPDATE": msg238, + "ECCD_TRACE_FILE_OPEN_FAILED": msg239, + "ECCD_usage": msg240, + "EVENT": msg23, + "EVENTD_AUDIT_SHOW": msg241, + "FLOW_REASSEMBLE_FAIL": msg731, + "FLOW_REASSEMBLE_SUCCEED": msg242, + "FSAD_CHANGE_FILE_OWNER": msg243, + "FSAD_CONFIG_ERROR": msg244, + "FSAD_CONNTIMEDOUT": msg245, + "FSAD_FAILED": msg246, + "FSAD_FETCHTIMEDOUT": msg247, + "FSAD_FILE_FAILED": msg248, + "FSAD_FILE_REMOVE": msg249, + "FSAD_FILE_RENAME": msg250, + "FSAD_FILE_STAT": msg251, + "FSAD_FILE_SYNC": msg252, + "FSAD_MAXCONN": msg253, + 
"FSAD_MEMORYALLOC_FAILED": msg254, + "FSAD_NOT_ROOT": msg255, + "FSAD_PARENT_DIRECTORY": msg256, + "FSAD_PATH_IS_DIRECTORY": msg257, + "FSAD_PATH_IS_SPECIAL": msg258, + "FSAD_RECVERROR": msg259, + "FSAD_TERMINATED_CONNECTION": msg260, + "FSAD_TERMINATING_SIGNAL": msg261, + "FSAD_TRACEOPEN_FAILED": msg262, + "FSAD_USAGE": msg263, + "Failed": select25, + "GGSN_ALARM_TRAP_FAILED": msg264, + "GGSN_ALARM_TRAP_SEND": msg265, + "GGSN_TRAP_SEND": msg266, + "IDP_ATTACK_LOG_EVENT": msg773, + "JADE_AUTH_ERROR": msg267, + "JADE_EXEC_ERROR": msg268, + "JADE_NO_LOCAL_USER": msg269, + "JADE_PAM_ERROR": msg270, + "JADE_PAM_NO_LOCAL_USER": msg271, + "JSRPD_HA_CONTROL_LINK_UP": msg748, + "JUNOSROUTER_GENERIC": select84, + "KERN_ARP_ADDR_CHANGE": msg272, + "KMD_PM_SA_ESTABLISHED": msg273, + "L2CPD_TASK_REINIT": msg274, + "LACPD_TIMEOUT": msg749, + "LIBJNX_EXEC_EXITED": msg275, + "LIBJNX_EXEC_FAILED": msg276, + "LIBJNX_EXEC_PIPE": msg277, + "LIBJNX_EXEC_SIGNALED": msg278, + "LIBJNX_EXEC_WEXIT": msg279, + "LIBJNX_FILE_COPY_FAILED": msg280, + "LIBJNX_PRIV_LOWER_FAILED": msg281, + "LIBJNX_PRIV_RAISE_FAILED": msg282, + "LIBJNX_REPLICATE_RCP_EXEC_FAILED": msg283, + "LIBJNX_ROTATE_COMPRESS_EXEC_FAILED": msg284, + "LIBSERVICED_CLIENT_CONNECTION": msg285, + "LIBSERVICED_OUTBOUND_REQUEST": msg286, + "LIBSERVICED_SNMP_LOST_CONNECTION": msg287, + "LIBSERVICED_SOCKET_BIND": msg288, + "LIBSERVICED_SOCKET_PRIVATIZE": msg289, + "LICENSE_EXPIRED": msg290, + "LICENSE_EXPIRED_KEY_DELETED": msg291, + "LICENSE_NEARING_EXPIRY": msg292, + "LOGIN_ABORTED": msg293, + "LOGIN_FAILED": msg294, + "LOGIN_FAILED_INCORRECT_PASSWORD": msg295, + "LOGIN_FAILED_SET_CONTEXT": msg296, + "LOGIN_FAILED_SET_LOGIN": msg297, + "LOGIN_HOSTNAME_UNRESOLVED": msg298, + "LOGIN_INFORMATION": msg299, + "LOGIN_INVALID_LOCAL_USER": msg300, + "LOGIN_MALFORMED_USER": msg301, + "LOGIN_PAM_AUTHENTICATION_ERROR": msg302, + "LOGIN_PAM_ERROR": msg303, + "LOGIN_PAM_MAX_RETRIES": msg304, + "LOGIN_PAM_NONLOCAL_USER": msg305, + "LOGIN_PAM_STOP": 
msg306, + "LOGIN_PAM_USER_UNKNOWN": msg307, + "LOGIN_PASSWORD_EXPIRED": msg308, + "LOGIN_REFUSED": msg309, + "LOGIN_ROOT": msg310, + "LOGIN_TIMED_OUT": msg311, + "MIB2D_ATM_ERROR": msg312, + "MIB2D_CONFIG_CHECK_FAILED": msg313, + "MIB2D_FILE_OPEN_FAILURE": msg314, + "MIB2D_IFD_IFINDEX_FAILURE": msg315, + "MIB2D_IFL_IFINDEX_FAILURE": msg316, + "MIB2D_INIT_FAILURE": msg317, + "MIB2D_KVM_FAILURE": msg318, + "MIB2D_RTSLIB_READ_FAILURE": msg319, + "MIB2D_RTSLIB_SEQ_MISMATCH": msg320, + "MIB2D_SYSCTL_FAILURE": msg321, + "MIB2D_TRAP_HEADER_FAILURE": msg322, + "MIB2D_TRAP_SEND_FAILURE": msg323, + "MRVL-L2": msg56, + "Multiuser": msg324, + "NASD_AUTHENTICATION_CREATE_FAILED": msg325, + "NASD_CHAP_AUTHENTICATION_IN_PROGRESS": msg326, + "NASD_CHAP_GETHOSTNAME_FAILED": msg327, + "NASD_CHAP_INVALID_CHAP_IDENTIFIER": msg328, + "NASD_CHAP_INVALID_OPCODE": msg329, + "NASD_CHAP_LOCAL_NAME_UNAVAILABLE": msg330, + "NASD_CHAP_MESSAGE_UNEXPECTED": msg331, + "NASD_CHAP_REPLAY_ATTACK_DETECTED": msg332, + "NASD_CONFIG_GET_LAST_MODIFIED_FAILED": msg333, + "NASD_DAEMONIZE_FAILED": msg334, + "NASD_DB_ALLOC_FAILURE": msg335, + "NASD_DB_TABLE_CREATE_FAILURE": msg336, + "NASD_DUPLICATE": msg337, + "NASD_EVLIB_CREATE_FAILURE": msg338, + "NASD_EVLIB_EXIT_FAILURE": msg339, + "NASD_LOCAL_CREATE_FAILED": msg340, + "NASD_NOT_ROOT": msg341, + "NASD_PID_FILE_LOCK": msg342, + "NASD_PID_FILE_UPDATE": msg343, + "NASD_POST_CONFIGURE_EVENT_FAILED": msg344, + "NASD_PPP_READ_FAILURE": msg345, + "NASD_PPP_SEND_FAILURE": msg346, + "NASD_PPP_SEND_PARTIAL": msg347, + "NASD_PPP_UNRECOGNIZED": msg348, + "NASD_RADIUS_ALLOCATE_PASSWORD_FAILED": msg349, + "NASD_RADIUS_CONFIG_FAILED": msg350, + "NASD_RADIUS_CREATE_FAILED": msg351, + "NASD_RADIUS_CREATE_REQUEST_FAILED": msg352, + "NASD_RADIUS_GETHOSTNAME_FAILED": msg353, + "NASD_RADIUS_MESSAGE_UNEXPECTED": msg354, + "NASD_RADIUS_OPEN_FAILED": msg355, + "NASD_RADIUS_SELECT_FAILED": msg356, + "NASD_RADIUS_SET_TIMER_FAILED": msg357, + "NASD_TRACE_FILE_OPEN_FAILED": msg358, 
+ "NASD_usage": msg359, + "NOTICE": msg360, + "PFEMAN": msg61, + "PFE_FW_SYSLOG_IP": select36, + "PFE_NH_RESOLVE_THROTTLED": msg363, + "PING_TEST_COMPLETED": msg364, + "PING_TEST_FAILED": msg365, + "PKID_UNABLE_TO_GET_CRL": msg746, + "PWC_EXIT": msg368, + "PWC_HOLD_RELEASE": msg369, + "PWC_INVALID_RUNS_ARGUMENT": msg370, + "PWC_INVALID_TIMEOUT_ARGUMENT": msg371, + "PWC_KILLED_BY_SIGNAL": msg372, + "PWC_KILL_EVENT": msg373, + "PWC_KILL_FAILED": msg374, + "PWC_KQUEUE_ERROR": msg375, + "PWC_KQUEUE_INIT": msg376, + "PWC_KQUEUE_REGISTER_FILTER": msg377, + "PWC_LOCKFILE_BAD_FORMAT": msg378, + "PWC_LOCKFILE_ERROR": msg379, + "PWC_LOCKFILE_MISSING": msg380, + "PWC_LOCKFILE_NOT_LOCKED": msg381, + "PWC_NO_PROCESS": msg382, + "PWC_PROCESS_EXIT": msg383, + "PWC_PROCESS_FORCED_HOLD": msg384, + "PWC_PROCESS_HOLD": msg385, + "PWC_PROCESS_HOLD_SKIPPED": msg386, + "PWC_PROCESS_OPEN": msg387, + "PWC_PROCESS_TIMED_HOLD": msg388, + "PWC_PROCESS_TIMEOUT": msg389, + "PWC_SIGNAL_INIT": msg390, + "PWC_SOCKET_CONNECT": msg391, + "PWC_SOCKET_CREATE": msg392, + "PWC_SOCKET_OPTION": msg393, + "PWC_STDOUT_WRITE": msg394, + "PWC_SYSTEM_CALL": msg395, + "PWC_UNKNOWN_KILL_OPTION": msg396, + "RDP": msg111, + "RMOPD_ADDRESS_MULTICAST_INVALID": msg397, + "RMOPD_ADDRESS_SOURCE_INVALID": msg398, + "RMOPD_ADDRESS_STRING_FAILURE": msg399, + "RMOPD_ADDRESS_TARGET_INVALID": msg400, + "RMOPD_DUPLICATE": msg401, + "RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED": msg402, + "RMOPD_ICMP_SENDMSG_FAILURE": msg403, + "RMOPD_IFINDEX_NOT_ACTIVE": msg404, + "RMOPD_IFINDEX_NO_INFO": msg405, + "RMOPD_IFNAME_NOT_ACTIVE": msg406, + "RMOPD_IFNAME_NO_INFO": msg407, + "RMOPD_NOT_ROOT": msg408, + "RMOPD_ROUTING_INSTANCE_NO_INFO": msg409, + "RMOPD_TRACEROUTE_ERROR": msg410, + "RMOPD_usage": msg411, + "RPD_ABORT": msg412, + "RPD_ACTIVE_TERMINATE": msg413, + "RPD_ASSERT": msg414, + "RPD_ASSERT_SOFT": msg415, + "RPD_EXIT": msg416, + "RPD_IFL_INDEXCOLLISION": msg417, + "RPD_IFL_NAMECOLLISION": msg418, + "RPD_ISIS_ADJDOWN": msg419, + 
"RPD_ISIS_ADJUP": msg420, + "RPD_ISIS_ADJUPNOIP": msg421, + "RPD_ISIS_LSPCKSUM": msg422, + "RPD_ISIS_OVERLOAD": msg423, + "RPD_KRT_AFUNSUPRT": msg424, + "RPD_KRT_CCC_IFL_MODIFY": msg425, + "RPD_KRT_DELETED_RTT": msg426, + "RPD_KRT_IFA_GENERATION": msg427, + "RPD_KRT_IFDCHANGE": msg428, + "RPD_KRT_IFDEST_GET": msg429, + "RPD_KRT_IFDGET": msg430, + "RPD_KRT_IFD_GENERATION": msg431, + "RPD_KRT_IFL_CELL_RELAY_MODE_INVALID": msg432, + "RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED": msg433, + "RPD_KRT_IFL_GENERATION": msg434, + "RPD_KRT_KERNEL_BAD_ROUTE": msg435, + "RPD_KRT_NEXTHOP_OVERFLOW": msg436, + "RPD_KRT_NOIFD": msg437, + "RPD_KRT_UNKNOWN_RTT": msg438, + "RPD_KRT_VERSION": msg439, + "RPD_KRT_VERSIONNONE": msg440, + "RPD_KRT_VERSIONOLD": msg441, + "RPD_LDP_INTF_BLOCKED": msg442, + "RPD_LDP_INTF_UNBLOCKED": msg443, + "RPD_LDP_NBRDOWN": msg444, + "RPD_LDP_NBRUP": msg445, + "RPD_LDP_SESSIONDOWN": msg446, + "RPD_LDP_SESSIONUP": msg447, + "RPD_LOCK_FLOCKED": msg448, + "RPD_LOCK_LOCKED": msg449, + "RPD_MPLS_LSP_CHANGE": msg450, + "RPD_MPLS_LSP_DOWN": msg451, + "RPD_MPLS_LSP_SWITCH": msg452, + "RPD_MPLS_LSP_UP": msg453, + "RPD_MSDP_PEER_DOWN": msg454, + "RPD_MSDP_PEER_UP": msg455, + "RPD_OSPF_NBRDOWN": msg456, + "RPD_OSPF_NBRUP": msg457, + "RPD_OS_MEMHIGH": msg458, + "RPD_PIM_NBRDOWN": msg459, + "RPD_PIM_NBRUP": msg460, + "RPD_RDISC_CKSUM": msg461, + "RPD_RDISC_NOMULTI": msg462, + "RPD_RDISC_NORECVIF": msg463, + "RPD_RDISC_SOLICITADDR": msg464, + "RPD_RDISC_SOLICITICMP": msg465, + "RPD_RDISC_SOLICITLEN": msg466, + "RPD_RIP_AUTH": msg467, + "RPD_RIP_JOIN_BROADCAST": msg468, + "RPD_RIP_JOIN_MULTICAST": msg469, + "RPD_RT_IFUP": msg470, + "RPD_SCHED_CALLBACK_LONGRUNTIME": msg471, + "RPD_SCHED_CUMULATIVE_LONGRUNTIME": msg472, + "RPD_SCHED_MODULE_LONGRUNTIME": msg473, + "RPD_SCHED_TASK_LONGRUNTIME": msg474, + "RPD_SIGNAL_TERMINATE": msg475, + "RPD_START": msg476, + "RPD_SYSTEM": msg477, + "RPD_TASK_BEGIN": msg478, + "RPD_TASK_CHILDKILLED": msg479, + "RPD_TASK_CHILDSTOPPED": msg480, 
+ "RPD_TASK_FORK": msg481, + "RPD_TASK_GETWD": msg482, + "RPD_TASK_NOREINIT": msg483, + "RPD_TASK_PIDCLOSED": msg484, + "RPD_TASK_PIDFLOCK": msg485, + "RPD_TASK_PIDWRITE": msg486, + "RPD_TASK_REINIT": msg487, + "RPD_TASK_SIGNALIGNORE": msg488, + "RT_COS": msg489, + "RT_FLOW_SESSION_CLOSE": select51, + "RT_FLOW_SESSION_CREATE": select45, + "RT_FLOW_SESSION_DENY": select47, + "RT_SCREEN_ICMP": msg774, + "RT_SCREEN_IP": select52, + "RT_SCREEN_SESSION_LIMIT": msg504, + "RT_SCREEN_TCP": msg503, + "RT_SCREEN_UDP": msg505, + "Resolve": msg63, + "SECINTEL_ACTION_LOG": msg775, + "SECINTEL_ERROR_OTHERS": msg747, + "SECINTEL_NETWORK_CONNECT_FAILED": msg744, + "SERVICED_CLIENT_CONNECT": msg506, + "SERVICED_CLIENT_DISCONNECTED": msg507, + "SERVICED_CLIENT_ERROR": msg508, + "SERVICED_COMMAND_FAILED": msg509, + "SERVICED_COMMIT_FAILED": msg510, + "SERVICED_CONFIGURATION_FAILED": msg511, + "SERVICED_CONFIG_ERROR": msg512, + "SERVICED_CONFIG_FILE": msg513, + "SERVICED_CONNECTION_ERROR": msg514, + "SERVICED_DISABLED_GGSN": msg515, + "SERVICED_DUPLICATE": msg516, + "SERVICED_EVENT_FAILED": msg517, + "SERVICED_INIT_FAILED": msg518, + "SERVICED_MALLOC_FAILURE": msg519, + "SERVICED_NETWORK_FAILURE": msg520, + "SERVICED_NOT_ROOT": msg521, + "SERVICED_PID_FILE_LOCK": msg522, + "SERVICED_PID_FILE_UPDATE": msg523, + "SERVICED_RTSOCK_SEQUENCE": msg524, + "SERVICED_SIGNAL_HANDLER": msg525, + "SERVICED_SOCKET_CREATE": msg526, + "SERVICED_SOCKET_IO": msg527, + "SERVICED_SOCKET_OPTION": msg528, + "SERVICED_STDLIB_FAILURE": msg529, + "SERVICED_USAGE": msg530, + "SERVICED_WORK_INCONSISTENCY": msg531, + "SNMPD_ACCESS_GROUP_ERROR": msg537, + "SNMPD_AUTH_FAILURE": select53, + "SNMPD_AUTH_PRIVILEGES_EXCEEDED": msg542, + "SNMPD_AUTH_RESTRICTED_ADDRESS": msg543, + "SNMPD_AUTH_WRONG_PDU_TYPE": msg544, + "SNMPD_CONFIG_ERROR": msg545, + "SNMPD_CONTEXT_ERROR": msg546, + "SNMPD_ENGINE_FILE_FAILURE": msg547, + "SNMPD_ENGINE_PROCESS_ERROR": msg548, + "SNMPD_FILE_FAILURE": msg549, + "SNMPD_GROUP_ERROR": msg550, 
+ "SNMPD_INIT_FAILED": msg551, + "SNMPD_LIBJUNIPER_FAILURE": msg552, + "SNMPD_LOOPBACK_ADDR_ERROR": msg553, + "SNMPD_MEMORY_FREED": msg554, + "SNMPD_RADIX_FAILURE": msg555, + "SNMPD_RECEIVE_FAILURE": msg556, + "SNMPD_RMONFILE_FAILURE": msg557, + "SNMPD_RMON_COOKIE": msg558, + "SNMPD_RMON_EVENTLOG": msg559, + "SNMPD_RMON_IOERROR": msg560, + "SNMPD_RMON_MIBERROR": msg561, + "SNMPD_RTSLIB_ASYNC_EVENT": msg562, + "SNMPD_SEND_FAILURE": select54, + "SNMPD_SOCKET_FAILURE": msg565, + "SNMPD_SUBAGENT_NO_BUFFERS": msg566, + "SNMPD_SUBAGENT_SEND_FAILED": msg567, + "SNMPD_SYSLIB_FAILURE": msg568, + "SNMPD_THROTTLE_QUEUE_DRAINED": msg569, + "SNMPD_TRAP_COLD_START": msg570, + "SNMPD_TRAP_GEN_FAILURE": msg571, + "SNMPD_TRAP_GEN_FAILURE2": msg572, + "SNMPD_TRAP_INVALID_DATA": msg573, + "SNMPD_TRAP_NOT_ENOUGH_VARBINDS": msg574, + "SNMPD_TRAP_QUEUED": msg575, + "SNMPD_TRAP_QUEUE_DRAINED": msg576, + "SNMPD_TRAP_QUEUE_MAX_ATTEMPTS": msg577, + "SNMPD_TRAP_QUEUE_MAX_SIZE": msg578, + "SNMPD_TRAP_THROTTLED": msg579, + "SNMPD_TRAP_TYPE_ERROR": msg580, + "SNMPD_TRAP_VARBIND_TYPE_ERROR": msg581, + "SNMPD_TRAP_VERSION_ERROR": msg582, + "SNMPD_TRAP_WARM_START": msg583, + "SNMPD_USER_ERROR": msg584, + "SNMPD_VIEW_DELETE": msg585, + "SNMPD_VIEW_INSTALL_DEFAULT": msg586, + "SNMPD_VIEW_OID_PARSE": msg587, + "SNMP_GET_ERROR1": msg588, + "SNMP_GET_ERROR2": msg589, + "SNMP_GET_ERROR3": msg590, + "SNMP_GET_ERROR4": msg591, + "SNMP_NS_LOG_INFO": msg535, + "SNMP_RTSLIB_FAILURE": msg592, + "SNMP_SUBAGENT_IPC_REG_ROWS": msg536, + "SNMP_TRAP_LINK_DOWN": select55, + "SNMP_TRAP_LINK_UP": select56, + "SNMP_TRAP_PING_PROBE_FAILED": msg597, + "SNMP_TRAP_PING_TEST_COMPLETED": msg598, + "SNMP_TRAP_PING_TEST_FAILED": msg599, + "SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE": msg600, + "SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED": msg601, + "SNMP_TRAP_TRACE_ROUTE_TEST_FAILED": msg602, + "SNTPD": msg112, + "SSB": msg113, + "SSHD_LOGIN_FAILED": select57, + "SSL_PROXY_SESSION_IGNORE": msg534, + "SSL_PROXY_SSL_SESSION_ALLOW": msg532, + 
"SSL_PROXY_SSL_SESSION_DROP": msg533, + "TASK_TASK_REINIT": msg606, + "TFTPD_AF_ERR": msg607, + "TFTPD_BIND_ERR": msg608, + "TFTPD_CONNECT_ERR": msg609, + "TFTPD_CONNECT_INFO": msg610, + "TFTPD_CREATE_ERR": msg611, + "TFTPD_FIO_ERR": msg612, + "TFTPD_FORK_ERR": msg613, + "TFTPD_NAK_ERR": msg614, + "TFTPD_OPEN_ERR": msg615, + "TFTPD_RECVCOMPLETE_INFO": msg616, + "TFTPD_RECVFROM_ERR": msg617, + "TFTPD_RECV_ERR": msg618, + "TFTPD_SENDCOMPLETE_INFO": msg619, + "TFTPD_SEND_ERR": msg620, + "TFTPD_SOCKET_ERR": msg621, + "TFTPD_STATFS_ERR": msg622, + "TNP": msg623, + "UI_AUTH_EVENT": msg628, + "UI_AUTH_INVALID_CHALLENGE": msg629, + "UI_BOOTTIME_FAILED": msg630, + "UI_CFG_AUDIT_NEW": select58, + "UI_CFG_AUDIT_OTHER": select60, + "UI_CFG_AUDIT_SET": select63, + "UI_CFG_AUDIT_SET_SECRET": select64, + "UI_CHILD_ARGS_EXCEEDED": msg645, + "UI_CHILD_CHANGE_USER": msg646, + "UI_CHILD_EXEC": msg647, + "UI_CHILD_EXITED": msg648, + "UI_CHILD_FOPEN": msg649, + "UI_CHILD_PIPE_FAILED": msg650, + "UI_CHILD_SIGNALED": msg651, + "UI_CHILD_START": msg653, + "UI_CHILD_STATUS": msg654, + "UI_CHILD_STOPPED": msg652, + "UI_CHILD_WAITPID": msg655, + "UI_CLI_IDLE_TIMEOUT": msg656, + "UI_CMDLINE_READ_LINE": msg657, + "UI_CMDSET_EXEC_FAILED": msg658, + "UI_CMDSET_FORK_FAILED": msg659, + "UI_CMDSET_PIPE_FAILED": msg660, + "UI_CMDSET_STOPPED": msg661, + "UI_CMDSET_WEXITED": msg662, + "UI_CMD_AUTH_REGEX_INVALID": msg663, + "UI_COMMIT": msg664, + "UI_COMMIT_AT": msg665, + "UI_COMMIT_AT_COMPLETED": msg666, + "UI_COMMIT_AT_FAILED": msg667, + "UI_COMMIT_COMPRESS_FAILED": msg668, + "UI_COMMIT_CONFIRMED": msg669, + "UI_COMMIT_CONFIRMED_REMINDER": msg670, + "UI_COMMIT_CONFIRMED_TIMED": msg671, + "UI_COMMIT_EMPTY_CONTAINER": msg672, + "UI_COMMIT_NOT_CONFIRMED": msg673, + "UI_COMMIT_PROGRESS": msg674, + "UI_COMMIT_QUIT": msg675, + "UI_COMMIT_ROLLBACK_FAILED": msg676, + "UI_COMMIT_SYNC": msg677, + "UI_COMMIT_SYNC_FORCE": msg678, + "UI_CONFIGURATION_ERROR": msg679, + "UI_DAEMON_ACCEPT_FAILED": msg680, + 
"UI_DAEMON_FORK_FAILED": msg681, + "UI_DAEMON_SELECT_FAILED": msg682, + "UI_DAEMON_SOCKET_FAILED": msg683, + "UI_DBASE_ACCESS_FAILED": msg684, + "UI_DBASE_CHECKOUT_FAILED": msg685, + "UI_DBASE_EXTEND_FAILED": msg686, + "UI_DBASE_LOGIN_EVENT": msg687, + "UI_DBASE_LOGOUT_EVENT": msg688, + "UI_DBASE_MISMATCH_EXTENT": msg689, + "UI_DBASE_MISMATCH_MAJOR": msg690, + "UI_DBASE_MISMATCH_MINOR": msg691, + "UI_DBASE_MISMATCH_SEQUENCE": msg692, + "UI_DBASE_MISMATCH_SIZE": msg693, + "UI_DBASE_OPEN_FAILED": msg694, + "UI_DBASE_REBUILD_FAILED": msg695, + "UI_DBASE_REBUILD_SCHEMA_FAILED": msg696, + "UI_DBASE_REBUILD_STARTED": msg697, + "UI_DBASE_RECREATE": msg698, + "UI_DBASE_REOPEN_FAILED": msg699, + "UI_DUPLICATE_UID": msg700, + "UI_JUNOSCRIPT_CMD": msg701, + "UI_JUNOSCRIPT_ERROR": msg702, + "UI_LOAD_EVENT": msg703, + "UI_LOAD_JUNOS_DEFAULT_FILE_EVENT": msg704, + "UI_LOGIN_EVENT": select71, + "UI_LOGOUT_EVENT": msg707, + "UI_LOST_CONN": msg708, + "UI_MASTERSHIP_EVENT": msg709, + "UI_MGD_TERMINATE": msg710, + "UI_NETCONF_CMD": msg711, + "UI_READ_FAILED": msg712, + "UI_READ_TIMEOUT": msg713, + "UI_REBOOT_EVENT": msg714, + "UI_RESTART_EVENT": msg715, + "UI_SCHEMA_CHECKOUT_FAILED": msg716, + "UI_SCHEMA_MISMATCH_MAJOR": msg717, + "UI_SCHEMA_MISMATCH_MINOR": msg718, + "UI_SCHEMA_MISMATCH_SEQUENCE": msg719, + "UI_SCHEMA_SEQUENCE_ERROR": msg720, + "UI_SYNC_OTHER_RE": msg721, + "UI_TACPLUS_ERROR": msg722, + "UI_VERSION_FAILED": msg723, + "UI_WRITE_RECONNECT": msg724, + "VRRPD_NEWMASTER_TRAP": msg725, + "Version": msg99, + "WEBFILTER_REQUEST_NOT_CHECKED": msg730, + "WEBFILTER_URL_BLOCKED": select75, + "WEBFILTER_URL_PERMITTED": select74, + "WEB_AUTH_FAIL": msg726, + "WEB_AUTH_SUCCESS": msg727, + "WEB_INTERFACE_UNAUTH": msg728, + "WEB_READ": msg729, + "alarmd": msg3, + "bgp_connect_start": msg132, + "bgp_event": msg133, + "bgp_listen_accept": msg134, + "bgp_listen_reset": msg135, + "bgp_nexthop_sanity": msg136, + "bgp_pp_recv": select33, + "bgp_process_caps": select32, + "bgp_send": 
msg141, + "bgp_traffic_timeout": msg142, + "bigd": select6, + "bigpipe": select7, + "bigstart": msg9, + "cgatool": msg10, + "chassisd": msg11, + "chassism": select73, + "checkd": select8, + "clean_process": msg215, + "cli": msg750, + "cosd": msg14, + "craftd": msg15, + "cron": msg18, + "crond": msg21, + "dcd": msg22, + "eswd": select72, + "ftpd": msg24, + "ha_rto_stats_handler": msg25, + "hostinit": msg26, + "idpinfo": msg752, + "ifinfo": select13, + "ifp_ifl_anydown_change_event": msg30, + "ifp_ifl_config_event": msg31, + "ifp_ifl_ext_chg": msg32, + "inetd": select14, + "init": select15, + "ipc_msg_write": msg40, + "kernel": select17, + "kmd": msg753, + "last": select28, + "login": select18, + "lsys_ssam_handler": msg53, + "mcsn": msg54, + "mgd": msg62, + "mrvl_dfw_log_effuse_status": msg55, + "node": select79, + "pfed": msg751, + "process_mode": select38, + "profile_ssam_handler": msg57, + "pst_nat_binding_set_profile": msg58, + "qsfp": msg776, + "respawn": msg64, + "root": msg65, + "rpd": select20, + "rshd": msg70, + "sfd": msg71, + "sshd": select21, + "syslogd": msg92, + "task_connect": msg605, + "task_reconfigure": msg59, + "tnetd": msg60, + "tnp.bootpd": msg769, + "trace_on": msg624, + "trace_rotate": msg625, + "transfer-file": msg626, + "ttloop": msg627, + "ucd-snmp": select26, + "usp_ipc_client_reconnect": msg95, + "usp_trace_ipc_disconnect": msg96, + "usp_trace_ipc_reconnect": msg97, + "uspinfo": msg98, + "xntpd": select27, + }), + ]); + + var hdr43 = match("HEADER#3:0004/0", "message", "%{month->} %{day->} %{time->} %{p0}"); + + var part832 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); + + var part833 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); + + var part834 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); + + var part835 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); + + var part836 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); + + var part837 = match("HEADER#3:0004/1_5", "nwparser.p0", 
"fpc5 %{p0}"); + + var part838 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); + + var part839 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); + + var part840 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); + + var part841 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); + + var part842 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); + + var part843 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{payload}"); + + var hdr44 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); + + var part844 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); + + var part845 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); + + var part846 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); + + var part847 = match("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "%{p0}"); + + var part848 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); + + var part849 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); + + var part850 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); + + var part851 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); + + var part852 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", "%{dport}\" connection-tag=%{fld20->} service-name=\"%{p0}"); + + var part853 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", "%{dport}\" service-name=\"%{p0}"); + + var part854 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", "%{dtransport}\" nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); 
+ + var part855 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_1", "nwparser.p0", "%{dtransport}\"%{p0}"); + + var part856 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_1", "nwparser.p0", "%{dinterface}\"%{p0}"); + + var part857 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); + + var part858 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied%{p0}"); + + var part859 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied%{p0}"); + + var part860 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); + + var part861 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{p0}"); + + var part862 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); + + var part863 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{rule_template}\"%{p0}"); + + var part864 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_1", "nwparser.p0", "name=\"%{rule_template}\"%{p0}"); + + var part865 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); + + var part866 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); + + var part867 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "%{}-> \"%{change_new}\""); + + var part868 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
User '%{username}' %{p0}"); + + var part869 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); + + var part870 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); + + var part871 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); + + var part872 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); + + var part873 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); + + var part874 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); + + var part875 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); + + var select85 = linear_select([ + dup12, + dup13, + dup14, + dup15, + ]); + + var select86 = linear_select([ + dup39, + dup40, + ]); + + var part876 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ + dup20, + dup21, + dup55, + dup22, + ])); + + var part877 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ + dup50, + dup21, + dup63, + dup22, + ])); + + var part878 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ + dup29, + dup21, + dup64, + dup22, + ])); + + var part879 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ + dup29, + dup21, + dup65, + dup22, + ])); + + var part880 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ + dup29, + dup21, 
+ dup66, + dup22, + ])); + + var part881 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ + dup29, + dup21, + dup67, + dup22, + ])); + + var part882 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + dup70, + dup22, + ])); + + var select87 = linear_select([ + dup75, + dup76, + ]); + + var part883 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ + dup29, + dup21, + dup78, + dup22, + ])); + + var part884 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ + dup29, + dup21, + dup83, + dup22, + ])); + + var part885 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ + dup29, + dup21, + dup84, + dup22, + ])); + + var part886 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ + dup20, + dup21, + dup85, + dup22, + ])); + + var select88 = linear_select([ + dup87, + dup88, + ]); + + var select89 = linear_select([ + dup89, + dup90, + ]); + + var select90 = linear_select([ + dup95, + dup96, + ]); + + var select91 = linear_select([ + dup101, + dup102, + ]); + + var part887 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" 
destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var part888 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ + dup26, + dup21, + dup51, + ])); + + var select92 = linear_select([ + dup116, + dup117, + ]); + + var select93 = linear_select([ + dup121, + dup122, + ]); + + var part889 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var part890 = match("MESSAGE#747:cli", "nwparser.payload", "%{fld12}", processor_chain([ + dup47, + dup46, + dup22, + dup21, + ])); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 
diff --git a/packages/juniper/0.1.0/dataset/junos/agent/stream/tcp.yml.hbs b/packages/juniper/0.1.0/dataset/junos/agent/stream/tcp.yml.hbs
new file mode 100644
index 0000000000..66edb71634
--- /dev/null
+++ b/packages/juniper/0.1.0/dataset/junos/agent/stream/tcp.yml.hbs
@@ -0,0 +1,12345 @@ +tcp: +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Juniper" + product: "Junos" + type: "Routers" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5],
+ "dec": [11, 4],
+ };
+
+ // var dC = undefined;
+ var dR = dateMonthName(true);
+ var dB = dateMonthName(false);
+ var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
+ var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
+ var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
+ var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
+ var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
+ var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
+ var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
+ var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
+ var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
+ var dP = parseAMPM; // AM|PM
+ var dQ = parseAMPM; // A.M.|P.M
+ var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
+ var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
+ var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
+ var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
+ var dZ = parseHMS;
+ var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
+
+ // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
+ // Only works if this modifier appears after the hour has been read from logs
+ // which is always the case in the 300 devices.
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{day->} %{time->} %{p0}"); + + var dup2 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); + + var dup3 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); + + var dup4 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); + + var dup5 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); + + var dup6 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); + + var dup7 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); + + var dup8 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); + + var dup9 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("messageid"), + constant(": "), + field("payload"), + ], + }); + + var dup10 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("["), + field("pid"), + constant("]: "), + field("messageid"), + constant(": "), + field("payload"), + ], + }); + + var dup11 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": "), + field("payload"), + ], + }); + + var dup12 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); + + var dup13 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); + + var dup14 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); + + var dup15 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); + + var dup16 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{payload}"); + + var dup17 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); + + var dup18 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("pid"), + constant("]: "), + field("payload"), + ], + }); + + var dup19 = setc("messageid","JUNOSROUTER_GENERIC"); + + var dup20 = 
setc("eventcategory","1605000000"); + + var dup21 = setf("msg","$MSG"); + + var dup22 = date_time({ + dest: "event_time", + args: ["month","day","time"], + fmts: [ + [dB,dF,dH,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup23 = setf("hostname","hhost"); + + var dup24 = setc("event_description","AUDIT"); + + var dup25 = setc("event_description","CRON command"); + + var dup26 = setc("eventcategory","1801030000"); + + var dup27 = setc("eventcategory","1801020000"); + + var dup28 = setc("eventcategory","1605010000"); + + var dup29 = setc("eventcategory","1603000000"); + + var dup30 = setc("event_description","Process mode"); + + var dup31 = setc("event_description","NTP Server Unreachable"); + + var dup32 = setc("eventcategory","1401060000"); + + var dup33 = setc("ec_theme","Authentication"); + + var dup34 = setc("ec_subject","User"); + + var dup35 = setc("ec_activity","Logon"); + + var dup36 = setc("ec_outcome","Success"); + + var dup37 = setc("event_description","rpd proceeding"); + + var dup38 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); + + var dup39 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); + + var dup40 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); + + var dup41 = setc("eventcategory","1701010000"); + + var dup42 = setc("ec_outcome","Failure"); + + var dup43 = setc("eventcategory","1401030000"); + + var dup44 = match("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "%{p0}"); + + var dup45 = setc("eventcategory","1803000000"); + + var dup46 = setc("event_type","VPN"); + + var dup47 = setc("eventcategory","1605020000"); + + var dup48 = setc("eventcategory","1602020000"); + + var dup49 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); + + var dup50 = setc("eventcategory","1603020000"); + + var dup51 = date_time({ + dest: "event_time", + args: ["hfld32"], + fmts: [ + 
[dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup52 = setc("ec_subject","NetworkComm"); + + var dup53 = setc("ec_activity","Create"); + + var dup54 = setc("ec_activity","Stop"); + + var dup55 = setc("event_description","Trap state change"); + + var dup56 = setc("event_description","peer NLRI mismatch"); + + var dup57 = setc("eventcategory","1605030000"); + + var dup58 = setc("eventcategory","1603010000"); + + var dup59 = setc("eventcategory","1606000000"); + + var dup60 = setf("hostname","hhostname"); + + var dup61 = date_time({ + dest: "event_time", + args: ["hfld6"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup62 = setc("eventcategory","1401050200"); + + var dup63 = setc("event_description","Memory allocation failed during initialization for configuration load"); + + var dup64 = setc("event_description","unable to run in the background as a daemon"); + + var dup65 = setc("event_description","Another copy of this program is running"); + + var dup66 = setc("event_description","Unable to lock PID file"); + + var dup67 = setc("event_description","Unable to update process PID file"); + + var dup68 = setc("eventcategory","1301000000"); + + var dup69 = setc("event_description","Command stopped"); + + var dup70 = setc("event_description","Unable to create pipes for command"); + + var dup71 = setc("event_description","Command exited"); + + var dup72 = setc("eventcategory","1603050000"); + + var dup73 = setc("eventcategory","1801010000"); + + var dup74 = setc("event_description","Login failure"); + + var dup75 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); + + var dup76 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); + + var dup77 = setc("event_description","Unable to open file"); + + var dup78 = setc("event_description","SNMP index assigned changed"); + + var dup79 = setc("eventcategory","1302000000"); + + var dup80 = 
setc("eventcategory","1001020300"); + + var dup81 = setc("event_description","PFE FW SYSLOG_IP"); + + var dup82 = setc("event_description","process_mode"); + + var dup83 = setc("event_description","Logical interface collision"); + + var dup84 = setc("event_description","excessive runtime time during action of module"); + + var dup85 = setc("event_description","Reinitializing"); + + var dup86 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); + + var dup87 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", "%{dport}\" connection-tag=%{fld20->} service-name=\"%{p0}"); + + var dup88 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", "%{dport}\" service-name=\"%{p0}"); + + var dup89 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", "%{dtransport}\" nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); + + var dup90 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_1", "nwparser.p0", "%{dtransport}\"%{p0}"); + + var dup91 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_1", "nwparser.p0", "%{dinterface}\"%{p0}"); + + var dup92 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); + + var dup93 = setc("eventcategory","1803010000"); + + var dup94 = setc("ec_activity","Deny"); + + var dup95 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied%{p0}"); + + var dup96 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied%{p0}"); + + var dup97 = setc("event_description","session denied"); + + var dup98 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" 
destination-port=\"%{p0}"); + + var dup99 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{p0}"); + + var dup100 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); + + var dup101 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{rule_template}\"%{p0}"); + + var dup102 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_1", "nwparser.p0", "name=\"%{rule_template}\"%{p0}"); + + var dup103 = setc("dclass_counter1_string","No.of packets from client"); + + var dup104 = setc("event_description","SNMPD AUTH FAILURE"); + + var dup105 = setc("event_description","send send-type (index1) failure"); + + var dup106 = setc("event_description","SNMP trap error"); + + var dup107 = setc("event_description","SNMP TRAP LINK DOWN"); + + var dup108 = setc("event_description","SNMP TRAP LINK UP"); + + var dup109 = setc("event_description","Login Failure"); + + var dup110 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); + + var dup111 = setc("eventcategory","1701020000"); + + var dup112 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); + + var dup113 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "%{}-> \"%{change_new}\""); + + var dup114 = setc("event_description","User set command"); + + var dup115 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); + + var dup116 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); + + var dup117 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); 
+ + var dup118 = setc("event_description","User set groups to secret"); + + var dup119 = setc("event_description","UI CMDLINE READ LINE"); + + var dup120 = setc("event_description","User commit"); + + var dup121 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); + + var dup122 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); + + var dup123 = setc("eventcategory","1401070000"); + + var dup124 = setc("ec_activity","Logoff"); + + var dup125 = setc("event_description","Successful login"); + + var dup126 = setf("hostname","hostip"); + + var dup127 = setc("event_description","TACACS+ failure"); + + var dup128 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); + + var dup129 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); + + var dup130 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); + + var dup131 = setc("eventcategory","1003010000"); + + var dup132 = setc("eventcategory","1901000000"); + + var dup133 = linear_select([ + dup12, + dup13, + dup14, + dup15, + ]); + + var dup134 = linear_select([ + dup39, + dup40, + ]); + + var dup135 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ + dup20, + dup21, + dup55, + dup22, + ])); + + var dup136 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ + dup50, + dup21, + dup63, + dup22, + ])); + + var dup137 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ + dup29, + dup21, + dup64, + dup22, + ])); + + var dup138 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ + dup29, + dup21, + dup65, + dup22, + ])); + + var dup139 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ + dup29, + dup21, + dup66, + dup22, + ])); + + var dup140 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ + dup29, + dup21, + dup67, + dup22, + ])); + + var dup141 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + dup70, + dup22, + ])); + + var dup142 = linear_select([ + dup75, + dup76, + ]); + + var dup143 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ + dup29, + dup21, + dup78, + dup22, + ])); + + var dup144 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ + dup29, + dup21, + dup83, + dup22, + ])); + + var dup145 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ + dup29, + dup21, + dup84, + dup22, + ])); + + var dup146 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ + dup20, + dup21, + dup85, + dup22, + ])); + + var dup147 = linear_select([ + dup87, + dup88, + ]); + + var dup148 = linear_select([ + dup89, + dup90, + ]); + + var dup149 = linear_select([ + dup95, 
+ dup96, + ]); + + var dup150 = linear_select([ + dup101, + dup102, + ]); + + var dup151 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var dup152 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ + dup26, + dup21, + dup51, + ])); + + var dup153 = linear_select([ + dup116, + dup117, + ]); + + var dup154 = linear_select([ + dup121, + dup122, + ]); + + var dup155 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var dup156 = match("MESSAGE#747:cli", 
"nwparser.payload", "%{fld12}", processor_chain([ + dup47, + dup46, + dup22, + dup21, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%{month->} %{day->} %{time->} %{messageid}: restart %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": restart "), + field("payload"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{month->} %{day->} %{time->} %{messageid->} message repeated %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" message repeated "), + field("payload"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "%{month->} %{day->} %{time->} ssb %{messageid}(%{hfld1}): %{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("("), + field("hfld1"), + constant("): "), + field("payload"), + ], + }), + ])); + + var part1 = match("HEADER#3:0004/1_6", "nwparser.p0", "fpc6 %{p0}"); + + var part2 = match("HEADER#3:0004/1_7", "nwparser.p0", "fpc7 %{p0}"); + + var part3 = match("HEADER#3:0004/1_8", "nwparser.p0", "fpc8 %{p0}"); + + var part4 = match("HEADER#3:0004/1_9", "nwparser.p0", "fpc9 %{p0}"); + + var part5 = match("HEADER#3:0004/1_10", "nwparser.p0", "cfeb %{p0}"); + + var select1 = linear_select([ + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + part1, + part2, + part3, + part4, + part5, + dup8, + ]); + + var part6 = match("HEADER#3:0004/2", "nwparser.p0", "%{} %{messageid}: %{payload}"); + + var all1 = all_match({ + processors: [ + dup1, + select1, + part6, + ], + on_success: processor_chain([ + setc("header_id","0004"), + ]), + }); + + var select2 = linear_select([ + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + ]); + + var part7 = match("HEADER#4:0005/2", "nwparser.p0", "%{} %{messageid->} %{payload}"); 
+ + var all2 = all_match({ + processors: [ + dup1, + select2, + part7, + ], + on_success: processor_chain([ + setc("header_id","0005"), + ]), + }); + + var hdr4 = match("HEADER#5:0007", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2}[%{hpid}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0007"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant("["), + field("hpid"), + constant("]: "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), + ])); + + var hdr5 = match("HEADER#6:0008", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}[%{hpid}]: %{payload}", processor_chain([ + setc("header_id","0008"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hpid"), + constant("]: "), + field("payload"), + ], + }), + ])); + + var hdr6 = match("HEADER#7:0009", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} IFP trace> %{messageid}: %{payload}", processor_chain([ + setc("header_id","0009"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" IFP trace> "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), + ])); + + var hdr7 = match("HEADER#8:0010", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0010"), + dup9, + ])); + + var hdr8 = match("HEADER#9:0029", "message", "%{month->} %{day->} %{time->} %{hostip->} %{hfld1}[%{pid}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0029"), + dup10, + ])); + + var hdr9 = match("HEADER#10:0015", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0015"), + dup10, + ])); + + var hdr10 = match("HEADER#11:0011", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{messageid}: %{payload}", 
processor_chain([ + setc("header_id","0011"), + dup9, + ])); + + var hdr11 = match("HEADER#12:0027", "message", "%{month->} %{day->} %{time->} %{hhostname->} RT_FLOW: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0027"), + dup11, + ])); + + var hdr12 = match("HEADER#13:0012", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0012"), + dup11, + ])); + + var hdr13 = match("HEADER#14:0013", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hfld32->} %{hhostname->} RT_FLOW - %{messageid->} [%{payload}", processor_chain([ + setc("header_id","0013"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" ["), + field("payload"), + ], + }), + ])); + + var hdr14 = match("HEADER#15:0026.upd.a/0", "message", "%{hfld1->} %{event_time->} %{hfld32->} %{hhostname->} %{p0}"); + + var all3 = all_match({ + processors: [ + hdr14, + dup133, + dup16, + ], + on_success: processor_chain([ + setc("header_id","0026.upd.a"), + ]), + }); + + var all4 = all_match({ + processors: [ + dup17, + dup133, + dup16, + ], + on_success: processor_chain([ + setc("header_id","0026.upd.b"), + ]), + }); + + var all5 = all_match({ + processors: [ + dup17, + dup133, + dup16, + ], + on_success: processor_chain([ + setc("header_id","0026"), + ]), + }); + + var hdr15 = match("HEADER#18:0014", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}[%{hpid}]: %{payload}", processor_chain([ + setc("header_id","0014"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("["), + field("pid"), + constant("]: "), + field("messageid"), + constant("["), + field("hpid"), + constant("]: "), + field("payload"), + ], + }), + ])); + + var hdr16 = match("HEADER#19:0016", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0016"), + call({ + dest: "nwparser.payload", 
+ fn: STRCAT, + args: [ + field("hfld1"), + constant(": "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), + ])); + + var hdr17 = match("HEADER#20:0017", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0017"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("["), + field("pid"), + constant("]: "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr18 = match("HEADER#21:0018", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0018"), + dup18, + ])); + + var hdr19 = match("HEADER#22:0028", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0028"), + dup18, + ])); + + var hdr20 = match("HEADER#23:0019", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0019"), + dup11, + ])); + + var hdr21 = match("HEADER#24:0020", "message", "%{month->} %{day->} %{time->} %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0020"), + dup18, + ])); + + var hdr22 = match("HEADER#25:0021", "message", "%{month->} %{day->} %{time->} /%{messageid}: %{payload}", processor_chain([ + setc("header_id","0021"), + dup11, + ])); + + var hdr23 = match("HEADER#26:0022", "message", "%{month->} %{day->} %{time->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0022"), + dup11, + ])); + + var hdr24 = match("HEADER#27:0023", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0023"), + dup18, + ])); + + var hdr25 = match("HEADER#28:0024", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0024"), + dup11, + 
])); + + var hdr26 = match("HEADER#29:0025", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{hfld2->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0025"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr27 = match("HEADER#30:0031", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0031"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr28 = match("HEADER#31:0032", "message", "%{month->} %{day->} %{time->} %{hostip->} (%{hfld1}) %{hfld2->} %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0032"), + dup18, + ])); + + var hdr29 = match("HEADER#32:0033", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0033"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant(" "), + field("hhostname"), + constant(" "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), + ])); + + var hdr30 = match("HEADER#33:3336", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","3336"), + ])); + + var hdr31 = match("HEADER#34:3339", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid->} %{payload}", processor_chain([ + setc("header_id","3339"), + ])); + + var hdr32 = match("HEADER#35:3337", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","3337"), + ])); + + var hdr33 = match("HEADER#36:3341", "message", "%{hfld1->} %{hfld6->} %{hhostname->} %{hfld2->} %{hfld3->} %{messageid->} 
%{payload}", processor_chain([ + setc("header_id","3341"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("hfld3"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr34 = match("HEADER#37:3338", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","3338"), + ])); + + var hdr35 = match("HEADER#38:3340/0", "message", "%{month->} %{day->} %{time->} %{hhost->} node%{p0}"); + + var part8 = match("HEADER#38:3340/1_0", "nwparser.p0", "%{hfld1}.fpc%{hfld2}.pic%{hfld3->} %{p0}"); + + var part9 = match("HEADER#38:3340/1_1", "nwparser.p0", "%{hfld1}.fpc%{hfld2->} %{p0}"); + + var select3 = linear_select([ + part8, + part9, + ]); + + var part10 = match("HEADER#38:3340/2", "nwparser.p0", "%{} %{payload}"); + + var all6 = all_match({ + processors: [ + hdr35, + select3, + part10, + ], + on_success: processor_chain([ + setc("header_id","3340"), + setc("messageid","node"), + ]), + }); + + var hdr36 = match("HEADER#39:9997/0_0", "message", "mgd[%{p0}"); + + var hdr37 = match("HEADER#39:9997/0_1", "message", "rpd[%{p0}"); + + var hdr38 = match("HEADER#39:9997/0_2", "message", "dcd[%{p0}"); + + var select4 = linear_select([ + hdr36, + hdr37, + hdr38, + ]); + + var part11 = match("HEADER#39:9997/1", "nwparser.p0", "%{process_id}]:%{payload}"); + + var all7 = all_match({ + processors: [ + select4, + part11, + ], + on_success: processor_chain([ + setc("header_id","9997"), + dup19, + ]), + }); + + var hdr39 = match("HEADER#40:9995", "message", "%{month->} %{day->} %{time->} %{hhost->} %{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]:%{payload}", processor_chain([ + setc("header_id","9995"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld3"), + constant("]:"), + field("payload"), + ], + }), + ])); + + var hdr40 = match("HEADER#41:9994", "message", 
"%{month->} %{day->} %{time->} %{hfld2->} %{hfld1->} qsfp %{payload}", processor_chain([ + setc("header_id","9994"), + setc("messageid","qsfp"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("hfld1"), + constant(" qsfp "), + field("payload"), + ], + }), + ])); + + var hdr41 = match("HEADER#42:9999", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{hevent_type}: %{payload}", processor_chain([ + setc("header_id","9999"), + dup19, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hevent_type"), + constant(": "), + field("payload"), + ], + }), + ])); + + var hdr42 = match("HEADER#43:9998", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{process}: %{payload}", processor_chain([ + setc("header_id","9998"), + dup19, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("process"), + constant(": "), + field("payload"), + ], + }), + ])); + + var select5 = linear_select([ + hdr1, + hdr2, + hdr3, + all1, + all2, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, + hdr10, + hdr11, + hdr12, + hdr13, + all3, + all4, + all5, + hdr15, + hdr16, + hdr17, + hdr18, + hdr19, + hdr20, + hdr21, + hdr22, + hdr23, + hdr24, + hdr25, + hdr26, + hdr27, + hdr28, + hdr29, + hdr30, + hdr31, + hdr32, + hdr33, + hdr34, + all6, + all7, + hdr39, + hdr40, + hdr41, + hdr42, + ]); + + var part12 = match("MESSAGE#0:/usr/sbin/sshd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","sshd exit status"), + dup22, + ])); + + var msg1 = msg("/usr/sbin/sshd", part12); + + var part13 = match("MESSAGE#1:/usr/libexec/telnetd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","telnetd exit status"), + dup22, + ])); + + var msg2 = 
msg("/usr/libexec/telnetd", part13); + + var part14 = match("MESSAGE#2:alarmd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License color=%{severity}, class=%{device}, reason=%{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Alarm Set or Cleared"), + dup22, + ])); + + var msg3 = msg("alarmd", part14); + + var part15 = match("MESSAGE#3:bigd", "nwparser.payload", "%{process}: Node detected UP for %{node}", processor_chain([ + dup20, + dup21, + setc("event_description","Node detected UP"), + dup22, + ])); + + var msg4 = msg("bigd", part15); + + var part16 = match("MESSAGE#4:bigd:01", "nwparser.payload", "%{process}: Monitor template id is %{id}", processor_chain([ + dup20, + dup21, + setc("event_description","Monitor template id"), + dup22, + ])); + + var msg5 = msg("bigd:01", part16); + + var select6 = linear_select([ + msg4, + msg5, + ]); + + var part17 = match("MESSAGE#5:bigpipe", "nwparser.payload", "%{process}: Loading the configuration file %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","Loading configuration file"), + dup22, + ])); + + var msg6 = msg("bigpipe", part17); + + var part18 = match("MESSAGE#6:bigpipe:01", "nwparser.payload", "%{process}: Begin config install operation %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","Begin config install operation"), + dup22, + ])); + + var msg7 = msg("bigpipe:01", part18); + + var part19 = match("MESSAGE#7:bigpipe:02", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ + dup20, + dup21, + setc("event_description","Audit"), + dup22, + ])); + + var msg8 = msg("bigpipe:02", part19); + + var select7 = linear_select([ + msg6, + msg7, + msg8, + ]); + + var part20 = match("MESSAGE#8:bigstart", "nwparser.payload", "%{process}: shutdown %{service}", processor_chain([ + dup20, + dup21, + setc("event_description","portal shutdown"), + dup22, + ])); + + var msg9 = msg("bigstart", 
part20); + + var part21 = match("MESSAGE#9:cgatool", "nwparser.payload", "%{process}: %{event_type}: generated address is %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","cga address genration"), + dup22, + ])); + + var msg10 = msg("cgatool", part21); + + var part22 = match("MESSAGE#10:chassisd:01", "nwparser.payload", "%{process}[%{process_id}]:%{fld12}", processor_chain([ + dup20, + dup21, + dup22, + dup23, + ])); + + var msg11 = msg("chassisd:01", part22); + + var part23 = match("MESSAGE#11:checkd", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ + dup20, + dup21, + dup24, + dup22, + ])); + + var msg12 = msg("checkd", part23); + + var part24 = match("MESSAGE#12:checkd:01", "nwparser.payload", "%{process}: exiting", processor_chain([ + dup20, + dup21, + setc("event_description","checkd exiting"), + dup22, + ])); + + var msg13 = msg("checkd:01", part24); + + var select8 = linear_select([ + msg12, + msg13, + ]); + + var part25 = match("MESSAGE#13:cosd", "nwparser.payload", "%{process}[%{process_id}]: link protection %{dclass_counter1->} for intf %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","link protection for interface"), + dup22, + ])); + + var msg14 = msg("cosd", part25); + + var part26 = match("MESSAGE#14:craftd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}, %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","License expiration warning"), + dup22, + ])); + + var msg15 = msg("craftd", part26); + + var part27 = match("MESSAGE#15:CRON/0", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{p0}"); + + var part28 = match("MESSAGE#15:CRON/1_0", "nwparser.p0", "CMD (%{result}) "); + + var part29 = match("MESSAGE#15:CRON/1_1", "nwparser.p0", "cmd='%{result}' "); + + var select9 = linear_select([ + part28, + part29, + ]); + + var all8 = all_match({ + processors: [ + part27, + select9, + ], + on_success: 
processor_chain([ + dup20, + dup21, + dup25, + dup22, + ]), + }); + + var msg16 = msg("CRON", all8); + + var part30 = match("MESSAGE#16:Cmerror/0_0", "nwparser.payload", "%{hostname->} %{node}Cmerror: Level%{level}count increment %{dclass_counter1->} %{fld1}"); + + var part31 = match("MESSAGE#16:Cmerror/0_1", "nwparser.payload", "%{fld2}"); + + var select10 = linear_select([ + part30, + part31, + ]); + + var all9 = all_match({ + processors: [ + select10, + ], + on_success: processor_chain([ + dup20, + dup22, + dup21, + ]), + }); + + var msg17 = msg("Cmerror", all9); + + var part32 = match("MESSAGE#17:cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{action->} (%(unknown))", processor_chain([ + dup20, + dup21, + setc("event_description","cron RELOAD"), + dup22, + ])); + + var msg18 = msg("cron", part32); + + var part33 = match("MESSAGE#18:CROND", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ + dup20, + dup21, + dup22, + dup23, + ])); + + var msg19 = msg("CROND", part33); + + var part34 = match("MESSAGE#20:CROND:02", "nwparser.payload", "%{process}[%{process_id}]: pam_unix(crond:session): session closed for user %{username}", processor_chain([ + dup26, + dup21, + dup22, + dup23, + ])); + + var msg20 = msg("CROND:02", part34); + + var select11 = linear_select([ + msg19, + msg20, + ]); + + var part35 = match("MESSAGE#19:crond:01", "nwparser.payload", "%{process}[%{process_id}]: pam_unix(crond:session): session opened for user %{username->} by (uid=%{uid})", processor_chain([ + dup27, + dup21, + dup22, + dup23, + ])); + + var msg21 = msg("crond:01", part35); + + var part36 = match("MESSAGE#21:dcd", "nwparser.payload", "%{process}[%{process_id}]: %{result->} Setting ignored, %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Setting ignored"), + dup22, + ])); + + var msg22 = msg("dcd", part36); + + var part37 = match("MESSAGE#22:EVENT/0", "nwparser.payload", 
"%{process}[%{process_id}]: EVENT %{event_type->} %{interface->} index %{resultcode->} %{p0}"); + + var part38 = match("MESSAGE#22:EVENT/1_0", "nwparser.p0", "%{saddr->} -> %{daddr->} \u003c\u003c%{result}> "); + + var part39 = match("MESSAGE#22:EVENT/1_1", "nwparser.p0", "\u003c\u003c%{result}> "); + + var select12 = linear_select([ + part38, + part39, + ]); + + var all10 = all_match({ + processors: [ + part37, + select12, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","EVENT"), + dup22, + ]), + }); + + var msg23 = msg("EVENT", all10); + + var part40 = match("MESSAGE#23:ftpd", "nwparser.payload", "%{process}[%{process_id}]: connection from %{saddr->} (%{shost})", processor_chain([ + setc("eventcategory","1802000000"), + dup21, + setc("event_description","ftpd connection"), + dup22, + ])); + + var msg24 = msg("ftpd", part40); + + var part41 = match("MESSAGE#24:ha_rto_stats_handler", "nwparser.payload", "%{hostname->} %{node}ha_rto_stats_handler:%{fld12}", processor_chain([ + dup28, + dup22, + dup21, + ])); + + var msg25 = msg("ha_rto_stats_handler", part41); + + var part42 = match("MESSAGE#25:hostinit", "nwparser.payload", "%{process}: %{obj_name->} -- LDAP Connection not bound correctly. 
%{info}", processor_chain([ + dup20, + dup21, + setc("event_description","LDAP Connection not bound correctly"), + dup22, + ])); + + var msg26 = msg("hostinit", part42); + + var part43 = match("MESSAGE#26:ifinfo", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Added entry - %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","PIC_INFO debug - Added entry"), + dup22, + ])); + + var msg27 = msg("ifinfo", part43); + + var part44 = match("MESSAGE#27:ifinfo:01", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Initializing spu listtype %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","PIC_INFO debug Initializing spu"), + dup22, + ])); + + var msg28 = msg("ifinfo:01", part44); + + var part45 = match("MESSAGE#28:ifinfo:02", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","PIC_INFO debug delete from list"), + dup22, + ])); + + var msg29 = msg("ifinfo:02", part45); + + var select13 = linear_select([ + msg27, + msg28, + msg29, + ]); + + var part46 = match("MESSAGE#29:ifp_ifl_anydown_change_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL anydown change event: \"%{event_type}\"", processor_chain([ + dup20, + dup21, + setc("event_description","IFL anydown change event"), + dup22, + ])); + + var msg30 = msg("ifp_ifl_anydown_change_event", part46); + + var part47 = match("MESSAGE#30:ifp_ifl_config_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL config: \"%(unknown)\"", processor_chain([ + dup20, + dup21, + setc("event_description","ifp ifl config_event"), + dup22, + ])); + + var msg31 = msg("ifp_ifl_config_event", part47); + + var part48 = match("MESSAGE#31:ifp_ifl_ext_chg", "nwparser.payload", "%{node->} %{process}: ifp ext piid %{parent_pid->} zone_id %{zone}", processor_chain([ + dup20, + dup21, + setc("event_description","ifp_ifl_ext_chg"), + dup22, + ])); + + var msg32 = 
msg("ifp_ifl_ext_chg", part48); + + var part49 = match("MESSAGE#32:inetd", "nwparser.payload", "%{process}[%{process_id}]: %{protocol->} from %{saddr->} exceeded counts/min (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","connection exceeded count limit"), + dup22, + ])); + + var msg33 = msg("inetd", part49); + + var part50 = match("MESSAGE#33:inetd:01", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exited, status %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","exited"), + dup22, + ])); + + var msg34 = msg("inetd:01", part50); + + var select14 = linear_select([ + msg33, + msg34, + ]); + + var part51 = match("MESSAGE#34:init:04", "nwparser.payload", "%{process}: %{event_type->} current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ + dup20, + dup21, + dup30, + dup22, + ])); + + var msg35 = msg("init:04", part51); + + var part52 = match("MESSAGE#35:init", "nwparser.payload", "%{process}: %{event_type->} mode=%{protocol->} cmd=%{action->} master_mode=%{result}", processor_chain([ + dup20, + dup21, + dup30, + dup22, + ])); + + var msg36 = msg("init", part52); + + var part53 = match("MESSAGE#36:init:01", "nwparser.payload", "%{process}: failure target for routing set to %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","failure target for routing set"), + dup22, + ])); + + var msg37 = msg("init:01", part53); + + var part54 = match("MESSAGE#37:init:02", "nwparser.payload", "%{process}: ntp (PID %{child_pid}) started", processor_chain([ + dup20, + dup21, + setc("event_description","ntp started"), + dup22, + ])); + + var msg38 = msg("init:02", part54); + + var part55 = match("MESSAGE#38:init:03", "nwparser.payload", "%{process}: product mask %{info->} model %{dclass_counter1}", processor_chain([ + dup20, + dup21, + setc("event_description","product mask and model info"), + dup22, + ])); + + var msg39 = msg("init:03", part55); + + var select15 
= linear_select([ + msg35, + msg36, + msg37, + msg38, + msg39, + ]); + + var part56 = match("MESSAGE#39:ipc_msg_write", "nwparser.payload", "%{node->} %{process}: IPC message type: %{event_type}, subtype: %{resultcode->} exceeds MTU, mtu %{dclass_counter1}, length %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","IPC message exceeds MTU"), + dup22, + ])); + + var msg40 = msg("ipc_msg_write", part56); + + var part57 = match("MESSAGE#40:connection_established", "nwparser.payload", "%{process}: %{service}: conn established: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2}", processor_chain([ + dup27, + dup21, + setc("event_description","listener connection established"), + dup22, + ])); + + var msg41 = msg("connection_established", part57); + + var part58 = match("MESSAGE#41:connection_dropped/0", "nwparser.payload", "%{process}: %{p0}"); + + var part59 = match("MESSAGE#41:connection_dropped/1_0", "nwparser.p0", "%{result}, connection dropped - src %{saddr}:%{sport->} dest %{daddr}:%{dport->} "); + + var part60 = match("MESSAGE#41:connection_dropped/1_1", "nwparser.p0", "%{result}: conn dropped: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2->} "); + + var select16 = linear_select([ + part59, + part60, + ]); + + var all11 = all_match({ + processors: [ + part58, + select16, + ], + on_success: processor_chain([ + dup26, + dup21, + setc("event_description","connection dropped"), + dup22, + ]), + }); + + var msg42 = msg("connection_dropped", all11); + + var part61 = match("MESSAGE#42:kernel", "nwparser.payload", "%{process}: %{interface}: Asserting SONET alarm(s) %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Asserting SONET alarm(s)"), + dup22, + ])); + + var msg43 = msg("kernel", part61); + + var part62 = match("MESSAGE#43:kernel:01", "nwparser.payload", "%{process}: %{interface->} down: %{result}.", processor_chain([ + dup20, + dup21, + setc("event_description","interface down"), + 
dup22, + ])); + + var msg44 = msg("kernel:01", part62); + + var part63 = match("MESSAGE#44:kernel:02", "nwparser.payload", "%{process}: %{interface}: loopback suspected; %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","loopback suspected om interface"), + dup22, + ])); + + var msg45 = msg("kernel:02", part63); + + var part64 = match("MESSAGE#45:kernel:03", "nwparser.payload", "%{process}: %{service}: soreceive() error %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","soreceive error"), + dup22, + ])); + + var msg46 = msg("kernel:03", part64); + + var part65 = match("MESSAGE#46:kernel:04", "nwparser.payload", "%{process}: %{service->} !VALID(state 4)->%{result}", processor_chain([ + dup20, + dup21, + setc("event_description","pfe_peer_alloc state 4"), + dup22, + ])); + + var msg47 = msg("kernel:04", part65); + + var part66 = match("MESSAGE#47:kernel:05", "nwparser.payload", "%{fld1->} %{hostip->} (%{fld2}) %{fld3->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ + dup20, + dup21, + dup31, + dup22, + ])); + + var msg48 = msg("kernel:05", part66); + + var part67 = match("MESSAGE#48:kernel:06", "nwparser.payload", "%{fld1->} %{hostip->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ + dup20, + dup21, + dup31, + dup22, + ])); + + var msg49 = msg("kernel:06", part67); + + var select17 = linear_select([ + msg41, + msg42, + msg43, + msg44, + msg45, + msg46, + msg47, + msg48, + msg49, + ]); + + var part68 = match("MESSAGE#49:successful_login", "nwparser.payload", "%{process}: login from %{saddr->} on %{interface->} as %{username}", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","successful user login"), + dup22, + ])); + + var msg50 = msg("successful_login", part68); + + var part69 = match("MESSAGE#50:login_attempt", "nwparser.payload", "%{process}: Login attempt for user %{username->} from host %{hostip}", processor_chain([ 
+ dup32, + dup33, + dup34, + dup35, + dup21, + setc("event_description","user login attempt"), + dup22, + ])); + + var msg51 = msg("login_attempt", part69); + + var part70 = match("MESSAGE#51:login", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ + dup32, + dup33, + dup36, + dup21, + setc("event_description","PAM module return from login"), + dup22, + ])); + + var msg52 = msg("login", part70); + + var select18 = linear_select([ + msg50, + msg51, + msg52, + ]); + + var part71 = match("MESSAGE#52:lsys_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing lsys root-logical-system %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","processing lsys root-logical-system"), + dup22, + ])); + + var msg53 = msg("lsys_ssam_handler", part71); + + var part72 = match("MESSAGE#53:mcsn", "nwparser.payload", "%{process}[%{process_id}]: Removing mif from group [%{group}] %{space->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Removing mif from group"), + dup22, + ])); + + var msg54 = msg("mcsn", part72); + + var part73 = match("MESSAGE#54:mrvl_dfw_log_effuse_status", "nwparser.payload", "%{process}: Firewall rows could not be redirected on device %{device}.", processor_chain([ + dup29, + dup21, + setc("event_description","Firewall rows could not be redirected on device"), + dup22, + ])); + + var msg55 = msg("mrvl_dfw_log_effuse_status", part73); + + var part74 = match("MESSAGE#55:MRVL-L2", "nwparser.payload", "%{process}:%{action}(),%{process_id}:MFilter (%{filter}) already exists", processor_chain([ + dup29, + dup21, + setc("event_description","mfilter already exists for add"), + dup22, + ])); + + var msg56 = msg("MRVL-L2", part74); + + var part75 = match("MESSAGE#56:profile_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing profile SP-root %{info}", processor_chain([ + dup20, + dup21, + 
setc("event_description","processing profile SP-root"), + dup22, + ])); + + var msg57 = msg("profile_ssam_handler", part75); + + var part76 = match("MESSAGE#57:pst_nat_binding_set_profile", "nwparser.payload", "%{node->} %{process}: %{event_source}: can't get resource bucket %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","can't get resource bucket"), + dup22, + ])); + + var msg58 = msg("pst_nat_binding_set_profile", part76); + + var part77 = match("MESSAGE#58:task_reconfigure", "nwparser.payload", "%{process}[%{process_id}]: task_reconfigure %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","reinitializing done"), + dup22, + ])); + + var msg59 = msg("task_reconfigure", part77); + + var part78 = match("MESSAGE#59:tnetd/0_0", "nwparser.payload", "%{process}[%{process_id}]:%{service}[%{fld1}]: exit status%{resultcode->} "); + + var part79 = match("MESSAGE#59:tnetd/0_1", "nwparser.payload", "%{fld3}"); + + var select19 = linear_select([ + part78, + part79, + ]); + + var all12 = all_match({ + processors: [ + select19, + ], + on_success: processor_chain([ + dup20, + dup21, + dup22, + dup23, + ]), + }); + + var msg60 = msg("tnetd", all12); + + var part80 = match("MESSAGE#60:PFEMAN", "nwparser.payload", "%{process}: Session manager active", processor_chain([ + dup20, + dup21, + setc("event_description","Session manager active"), + dup22, + ])); + + var msg61 = msg("PFEMAN", part80); + + var part81 = match("MESSAGE#61:mgd", "nwparser.payload", "%{process}[%{process_id}]: Could not send message to %{service}", processor_chain([ + dup29, + dup21, + setc("event_description","Could not send message to service"), + dup22, + ])); + + var msg62 = msg("mgd", part81); + + var part82 = match("MESSAGE#62:Resolve", "nwparser.payload", "Resolve request came for an address matching on Wrong nh nh:%{result}, %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Resolve request came for an address matching on 
Wrong nh"), + dup22, + ])); + + var msg63 = msg("Resolve", part82); + + var part83 = match("MESSAGE#63:respawn", "nwparser.payload", "%{process}: %{service->} exited with status = %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","service exited with status"), + dup22, + ])); + + var msg64 = msg("respawn", part83); + + var part84 = match("MESSAGE#64:root", "nwparser.payload", "%{process}: %{node}: This system does not have 3-DNS or Link Controller enabled", processor_chain([ + dup29, + dup21, + setc("event_description","system does not have 3-DNS or Link Controller enabled"), + dup22, + ])); + + var msg65 = msg("root", part84); + + var part85 = match("MESSAGE#65:rpd", "nwparser.payload", "%{process}[%{process_id}]: Received %{result->} for intf device %{interface}; mc_ae_id %{dclass_counter1}, status %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","Received data for interface"), + dup22, + ])); + + var msg66 = msg("rpd", part85); + + var part86 = match("MESSAGE#66:rpd:01", "nwparser.payload", "%{process}[%{process_id}]: RSVP neighbor %{daddr->} up on interface %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","RSVP neighbor up on interface "), + dup22, + ])); + + var msg67 = msg("rpd:01", part86); + + var part87 = match("MESSAGE#67:rpd:02", "nwparser.payload", "%{process}[%{process_id}]: %{saddr->} (%{shost}): reseting pending active connection", processor_chain([ + dup20, + dup21, + setc("event_description","reseting pending active connection"), + dup22, + ])); + + var msg68 = msg("rpd:02", part87); + + var part88 = match("MESSAGE#68:rpd_proceeding", "nwparser.payload", "%{process}: proceeding. 
%{param}", processor_chain([ + dup20, + dup21, + dup37, + dup22, + ])); + + var msg69 = msg("rpd_proceeding", part88); + + var select20 = linear_select([ + msg66, + msg67, + msg68, + msg69, + ]); + + var part89 = match("MESSAGE#69:rshd", "nwparser.payload", "%{process}[%{process_id}]: %{username->} as root: cmd='%{action}'", processor_chain([ + dup20, + dup21, + setc("event_description","user issuing command as root"), + dup22, + ])); + + var msg70 = msg("rshd", part89); + + var part90 = match("MESSAGE#70:sfd", "nwparser.payload", "%{process}: Waiting on accept", processor_chain([ + dup20, + dup21, + setc("event_description","sfd waiting on accept"), + dup22, + ])); + + var msg71 = msg("sfd", part90); + + var part91 = match("MESSAGE#71:sshd", "nwparser.payload", "%{process}[%{process_id}]: Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol}", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","Accepted password"), + dup22, + ])); + + var msg72 = msg("sshd", part91); + + var part92 = match("MESSAGE#73:sshd:02", "nwparser.payload", "%{process}[%{process_id}]: Received disconnect from %{shost}: %{fld1}: %{result}", processor_chain([ + dup26, + dup21, + setc("event_description","Received disconnect"), + dup22, + ])); + + var msg73 = msg("sshd:02", part92); + + var part93 = match("MESSAGE#74:sshd:03", "nwparser.payload", "%{process}[%{process_id}]: Did not receive identification string from %{saddr}", processor_chain([ + dup29, + dup21, + setc("result","no identification string"), + setc("event_description","Did not receive identification string from peer"), + dup22, + ])); + + var msg74 = msg("sshd:03", part93); + + var part94 = match("MESSAGE#75:sshd:04", "nwparser.payload", "%{process}[%{process_id}]: Could not write ident string to %{dhost}", processor_chain([ + dup29, + dup21, + setc("event_description","Could not write ident string"), + dup22, + ])); + + var msg75 = msg("sshd:04", part94); 
+ + var part95 = match("MESSAGE#76:sshd:05", "nwparser.payload", "%{process}[%{process_id}]: subsystem request for netconf", processor_chain([ + dup20, + dup21, + setc("event_description","subsystem request for netconf"), + dup22, + ])); + + var msg76 = msg("sshd:05", part95); + + var part96 = match("MESSAGE#77:sshd:06/2", "nwparser.p0", "%{}sendmsg to %{saddr}(%{shost}).%{sport}: %{info}"); + + var all13 = all_match({ + processors: [ + dup38, + dup134, + part96, + ], + on_success: processor_chain([ + dup28, + dup21, + setc("event_description","send message stats"), + dup22, + ]), + }); + + var msg77 = msg("sshd:06", all13); + + var part97 = match("MESSAGE#78:sshd:07/2", "nwparser.p0", "%{}Added radius server %{saddr}(%{shost})"); + + var all14 = all_match({ + processors: [ + dup38, + dup134, + part97, + ], + on_success: processor_chain([ + dup41, + setc("ec_theme","Configuration"), + setc("ec_activity","Modify"), + dup36, + dup21, + setc("event_description","Added radius server"), + dup22, + ]), + }); + + var msg78 = msg("sshd:07", all14); + + var part98 = match("MESSAGE#79:sshd:08", "nwparser.payload", "%{process}[%{process_id}]: %{result}: %{space->} [%{resultcode}]authentication error", processor_chain([ + setc("eventcategory","1301020000"), + dup33, + dup42, + dup21, + setc("event_description","authentication error"), + dup22, + ])); + + var msg79 = msg("sshd:08", part98); + + var part99 = match("MESSAGE#80:sshd:09", "nwparser.payload", "%{process}[%{process_id}]: unrecognized attribute in %{policyname}: %{change_attribute}", processor_chain([ + dup29, + dup21, + setc("event_description","unrecognized attribute in policy"), + dup22, + ])); + + var msg80 = msg("sshd:09", part99); + + var part100 = match("MESSAGE#81:sshd:10", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ + dup43, + dup33, + dup42, + dup21, + setc("event_description","PAM module return from sshd"), + dup22, + ])); + 
+ var msg81 = msg("sshd:10", part100); + + var part101 = match("MESSAGE#82:sshd:11", "nwparser.payload", "%{process}: PAM authentication chain returned: %{space}[%{resultcode}]%{result}", processor_chain([ + dup43, + dup33, + dup42, + dup21, + setc("event_description","PAM authentication chain return"), + dup22, + ])); + + var msg82 = msg("sshd:11", part101); + + var part102 = match("MESSAGE#83:sshd:12", "nwparser.payload", "%{process}: %{severity}: can't get client address: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","can't get client address"), + dup22, + ])); + + var msg83 = msg("sshd:12", part102); + + var part103 = match("MESSAGE#84:sshd:13", "nwparser.payload", "%{process}: auth server unresponsive", processor_chain([ + dup29, + dup21, + setc("event_description","auth server unresponsive"), + dup22, + ])); + + var msg84 = msg("sshd:13", part103); + + var part104 = match("MESSAGE#85:sshd:14", "nwparser.payload", "%{process}: %{service}: No valid RADIUS responses received", processor_chain([ + dup29, + dup21, + setc("event_description","No valid RADIUS responses received"), + dup22, + ])); + + var msg85 = msg("sshd:14", part104); + + var part105 = match("MESSAGE#86:sshd:15", "nwparser.payload", "%{process}: Moving to next server: %{saddr}(%{shost}).%{sport}", processor_chain([ + dup20, + dup21, + setc("event_description","Moving to next server"), + dup22, + ])); + + var msg86 = msg("sshd:15", part105); + + var part106 = match("MESSAGE#87:sshd:16", "nwparser.payload", "%{fld1->} sshd: SSHD_LOGIN_FAILED: Login failed for user '%{username}' from host '%{hostip}'.", processor_chain([ + dup43, + dup33, + dup42, + dup21, + setc("event_description","Login failed for user"), + dup22, + ])); + + var msg87 = msg("sshd:16", part106); + + var select21 = linear_select([ + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + ]); + + var part107 = 
match("MESSAGE#72:Failed:05/0", "nwparser.payload", "%{process}[%{process_id}]: Failed password for %{p0}"); + + var part108 = match("MESSAGE#72:Failed:05/1_0", "nwparser.p0", "illegal user %{p0}"); + + var part109 = match("MESSAGE#72:Failed:05/1_1", "nwparser.p0", "invalid user %{p0}"); + + var select22 = linear_select([ + part108, + part109, + dup44, + ]); + + var part110 = match("MESSAGE#72:Failed:05/2", "nwparser.p0", "%{} %{username->} from %{saddr->} port %{sport->} %{protocol}"); + + var all15 = all_match({ + processors: [ + part107, + select22, + part110, + ], + on_success: processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + setc("event_description","authentication failure"), + dup22, + ]), + }); + + var msg88 = msg("Failed:05", all15); + + var part111 = match("MESSAGE#746:Failed/0", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: Failed to resolve ipv%{p0}"); + + var part112 = match("MESSAGE#746:Failed/1_0", "nwparser.p0", "4%{p0}"); + + var part113 = match("MESSAGE#746:Failed/1_1", "nwparser.p0", "6%{p0}"); + + var select23 = linear_select([ + part112, + part113, + ]); + + var part114 = match("MESSAGE#746:Failed/2", "nwparser.p0", "%{}addresses for domain name %{sdomain}"); + + var all16 = all_match({ + processors: [ + part111, + select23, + part114, + ], + on_success: processor_chain([ + dup45, + dup46, + dup22, + dup21, + ]), + }); + + var msg89 = msg("Failed", all16); + + var part115 = match("MESSAGE#767:Failed:01", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: %{fld1}", processor_chain([ + dup45, + dup22, + dup21, + ])); + + var msg90 = msg("Failed:01", part115); + + var part116 = match("MESSAGE#768:Failed:02/0_0", "nwparser.payload", "%{fld1->} to create a route if table for Multiservice "); + + var part117 = match("MESSAGE#768:Failed:02/0_1", "nwparser.payload", "%{fld10}"); + + var select24 = linear_select([ + part116, + part117, + ]); + + var all17 = all_match({ + processors: [ + select24, + ], + 
on_success: processor_chain([ + dup45, + dup22, + dup21, + setf("hostname","hfld1"), + ]), + }); + + var msg91 = msg("Failed:02", all17); + + var select25 = linear_select([ + msg88, + msg89, + msg90, + msg91, + ]); + + var part118 = match("MESSAGE#88:syslogd", "nwparser.payload", "%{process}: restart", processor_chain([ + dup20, + dup21, + setc("event_description","syslog daemon restart"), + dup22, + ])); + + var msg92 = msg("syslogd", part118); + + var part119 = match("MESSAGE#89:ucd-snmp", "nwparser.payload", "%{process}[%{process_id}]: AUDIT -- Action %{action->} User: %{username}", processor_chain([ + dup20, + dup21, + dup24, + dup22, + ])); + + var msg93 = msg("ucd-snmp", part119); + + var part120 = match("MESSAGE#90:ucd-snmp:01", "nwparser.payload", "%{process}[%{process_id}]: Received TERM or STOP signal %{space->} %{result}.", processor_chain([ + dup20, + dup21, + setc("event_description","Received TERM or STOP signal"), + dup22, + ])); + + var msg94 = msg("ucd-snmp:01", part120); + + var select26 = linear_select([ + msg93, + msg94, + ]); + + var part121 = match("MESSAGE#91:usp_ipc_client_reconnect", "nwparser.payload", "%{node->} %{process}: failed to connect to the server: %{result->} (%{resultcode})", processor_chain([ + dup26, + dup21, + setc("event_description","failed to connect to the server"), + dup22, + ])); + + var msg95 = msg("usp_ipc_client_reconnect", part121); + + var part122 = match("MESSAGE#92:usp_trace_ipc_disconnect", "nwparser.payload", "%{node->} %{process}:Trace client disconnected. 
%{result}", processor_chain([ + dup26, + dup21, + setc("event_description","Trace client disconnected"), + dup22, + ])); + + var msg96 = msg("usp_trace_ipc_disconnect", part122); + + var part123 = match("MESSAGE#93:usp_trace_ipc_reconnect", "nwparser.payload", "%{node->} %{process}:USP trace client cannot reconnect to server", processor_chain([ + dup29, + dup21, + setc("event_description","USP trace client cannot reconnect to server"), + dup22, + ])); + + var msg97 = msg("usp_trace_ipc_reconnect", part123); + + var part124 = match("MESSAGE#94:uspinfo", "nwparser.payload", "%{process}: flow_print_session_summary_output received %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","flow_print_session_summary_output received"), + dup22, + ])); + + var msg98 = msg("uspinfo", part124); + + var part125 = match("MESSAGE#95:Version", "nwparser.payload", "Version %{version->} by builder on %{event_time_string}", processor_chain([ + dup20, + dup21, + setc("event_description","Version build date"), + dup22, + ])); + + var msg99 = msg("Version", part125); + + var part126 = match("MESSAGE#96:xntpd", "nwparser.payload", "%{process}[%{process_id}]: frequency initialized %{result->} from %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","frequency initialized from file"), + dup22, + ])); + + var msg100 = msg("xntpd", part126); + + var part127 = match("MESSAGE#97:xntpd:01", "nwparser.payload", "%{process}[%{process_id}]: ntpd %{version->} %{event_time_string->} (%{resultcode})", processor_chain([ + dup20, + dup21, + setc("event_description","nptd version build"), + dup22, + ])); + + var msg101 = msg("xntpd:01", part127); + + var part128 = match("MESSAGE#98:xntpd:02", "nwparser.payload", "%{process}: kernel time sync enabled %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","kernel time sync enabled"), + dup22, + ])); + + var msg102 = msg("xntpd:02", part128); + + var part129 = match("MESSAGE#99:xntpd:03", 
"nwparser.payload", "%{process}[%{process_id}]: NTP Server %{result}", processor_chain([ + dup20, + dup21, + dup31, + dup22, + ])); + + var msg103 = msg("xntpd:03", part129); + + var select27 = linear_select([ + msg100, + msg101, + msg102, + msg103, + ]); + + var part130 = match("MESSAGE#100:last", "nwparser.payload", "last message repeated %{dclass_counter1->} times", processor_chain([ + dup20, + dup21, + setc("event_description","last message repeated"), + dup22, + ])); + + var msg104 = msg("last", part130); + + var part131 = match("MESSAGE#739:last:01", "nwparser.payload", "message repeated %{dclass_counter1->} times", processor_chain([ + dup47, + dup46, + dup22, + dup21, + dup23, + ])); + + var msg105 = msg("last:01", part131); + + var select28 = linear_select([ + msg104, + msg105, + ]); + + var part132 = match("MESSAGE#101:BCHIP", "nwparser.payload", "%{process->} %{device}: cannot write ucode mask reg", processor_chain([ + dup29, + dup21, + setc("event_description","cannot write ucode mask reg"), + dup22, + ])); + + var msg106 = msg("BCHIP", part132); + + var part133 = match("MESSAGE#102:CM", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}: On-line", processor_chain([ + dup20, + dup21, + setc("event_description","Slot on-line"), + dup22, + ])); + + var msg107 = msg("CM", part133); + + var part134 = match("MESSAGE#103:COS", "nwparser.payload", "%{process}: Received FC->Q map, %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Received FC Q map"), + dup22, + ])); + + var msg108 = msg("COS", part134); + + var part135 = match("MESSAGE#104:COSFPC", "nwparser.payload", "%{process}: ifd %{resultcode}: %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","ifd error"), + dup22, + ])); + + var msg109 = msg("COSFPC", part135); + + var part136 = match("MESSAGE#105:COSMAN", "nwparser.payload", "%{process}: %{service}: delete class_to_ifl table %{dclass_counter1}, ifl %{dclass_counter2}", processor_chain([ + dup20, + 
dup21, + setc("event_description","delete class to ifl link"), + dup22, + ])); + + var msg110 = msg("COSMAN", part136); + + var part137 = match("MESSAGE#106:RDP", "nwparser.payload", "%{process}: Keepalive timeout for rdp.(%{interface}).(%{device}) (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","Keepalive timeout"), + dup22, + ])); + + var msg111 = msg("RDP", part137); + + var part138 = match("MESSAGE#107:SNTPD", "nwparser.payload", "%{process}: Initial time of day set", processor_chain([ + dup29, + dup21, + setc("event_description","Initial time of day set"), + dup22, + ])); + + var msg112 = msg("SNTPD", part138); + + var part139 = match("MESSAGE#108:SSB", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}, serial number S/N %{serial_number}.", processor_chain([ + dup20, + dup21, + setc("event_description","Slot serial number"), + dup22, + ])); + + var msg113 = msg("SSB", part139); + + var part140 = match("MESSAGE#109:ACCT_ACCOUNTING_FERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error %{result->} from file %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","Unexpected error"), + dup22, + ])); + + var msg114 = msg("ACCT_ACCOUNTING_FERROR", part140); + + var part141 = match("MESSAGE#110:ACCT_ACCOUNTING_FOPEN_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to open file %(unknown): %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to open file"), + dup22, + ])); + + var msg115 = msg("ACCT_ACCOUNTING_FOPEN_ERROR", part141); + + var part142 = match("MESSAGE#111:ACCT_ACCOUNTING_SMALL_FILE_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File %{filename->} size (%{dclass_counter1}) is smaller than record size (%{dclass_counter2})", processor_chain([ + dup48, + dup21, + setc("event_description","File size mismatch"), + dup22, + ])); + + var msg116 = msg("ACCT_ACCOUNTING_SMALL_FILE_SIZE", 
part142); + + var part143 = match("MESSAGE#112:ACCT_BAD_RECORD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid statistics record: %{result}", processor_chain([ + dup48, + dup21, + setc("event_description","Invalid statistics record"), + dup22, + ])); + + var msg117 = msg("ACCT_BAD_RECORD_FORMAT", part143); + + var part144 = match("MESSAGE#113:ACCT_CU_RTSLIB_error", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} getting class usage statistics for interface %{interface}: %{result}", processor_chain([ + dup48, + dup21, + setc("event_description","Class usage statistics error for interface"), + dup22, + ])); + + var msg118 = msg("ACCT_CU_RTSLIB_error", part144); + + var part145 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_0", "nwparser.p0", "Error %{resultcode->} trying %{p0}"); + + var part146 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_1", "nwparser.p0", "trying %{p0}"); + + var select29 = linear_select([ + part145, + part146, + ]); + + var part147 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/2", "nwparser.p0", "%{}to get hostname"); + + var all18 = all_match({ + processors: [ + dup49, + select29, + part147, + ], + on_success: processor_chain([ + dup48, + dup21, + setc("event_description","error trying to get hostname"), + dup22, + ]), + }); + + var msg119 = msg("ACCT_GETHOSTNAME_error", all18); + + var part148 = match("MESSAGE#115:ACCT_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed while reallocating %{obj_name}", processor_chain([ + dup50, + dup21, + setc("event_description","Memory allocation failure"), + dup22, + ])); + + var msg120 = msg("ACCT_MALLOC_FAILURE", part148); + + var part149 = match("MESSAGE#116:ACCT_UNDEFINED_COUNTER_NAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} in accounting profile %{dclass_counter1->} is not defined in a firewall using this filter profile", processor_chain([ + dup29, + 
dup21, + setc("event_description","Accounting profile counter not defined in firewall"), + dup22, + ])); + + var msg121 = msg("ACCT_UNDEFINED_COUNTER_NAME", part149); + + var part150 = match("MESSAGE#117:ACCT_XFER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: %{disposition}", processor_chain([ + dup29, + dup21, + setc("event_description","ACCT_XFER_FAILED"), + dup22, + ])); + + var msg122 = msg("ACCT_XFER_FAILED", part150); + + var part151 = match("MESSAGE#118:ACCT_XFER_POPEN_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: in invoking command command to transfer file %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","POPEN FAIL invoking command command to transfer file"), + dup22, + ])); + + var msg123 = msg("ACCT_XFER_POPEN_FAIL", part151); + + var part152 = match("MESSAGE#119:APPQOS_LOG_EVENT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} timestamp=\"%{result}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" application-name=\"%{application}\" rule-set-name=\"%{rule_group}\" rule-name=\"%{rulename}\" action=\"%{action}\" argument=\"%{fld2}\" argument1=\"%{fld3}\"]", processor_chain([ + dup27, + dup21, + dup51, + ])); + + var msg124 = msg("APPQOS_LOG_EVENT", part152); + + var part153 = match("MESSAGE#120:APPTRACK_SESSION_CREATE", "nwparser.payload", "%{event_type}: AppTrack session created %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username->} %{fld10}", processor_chain([ + dup27, + dup52, + dup53, + dup21, + setc("result","AppTrack session created"), + dup22, + ])); + + var msg125 = msg("APPTRACK_SESSION_CREATE", part153); + + var part154 
= match("MESSAGE#121:APPTRACK_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup27, + dup52, + dup54, + dup21, + dup51, + ])); + + var msg126 = msg("APPTRACK_SESSION_CLOSE", part154); + + var part155 = match("MESSAGE#122:APPTRACK_SESSION_CLOSE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ + dup27, + dup52, + dup54, + dup21, + dup22, + ])); + + var msg127 = msg("APPTRACK_SESSION_CLOSE:01", part155); + + var select30 = linear_select([ + msg126, + msg127, + ]); + + var part156 = match("MESSAGE#123:APPTRACK_SESSION_VOL_UPDATE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" 
nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup27, + dup52, + dup21, + dup51, + ])); + + var msg128 = msg("APPTRACK_SESSION_VOL_UPDATE", part156); + + var part157 = match("MESSAGE#124:APPTRACK_SESSION_VOL_UPDATE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ + dup27, + dup52, + dup21, + dup22, + ])); + + var msg129 = msg("APPTRACK_SESSION_VOL_UPDATE:01", part157); + + var select31 = linear_select([ + msg128, + msg129, + ]); + + var msg130 = msg("BFDD_TRAP_STATE_DOWN", dup135); + + var msg131 = msg("BFDD_TRAP_STATE_UP", dup135); + + var part158 = match("MESSAGE#127:bgp_connect_start", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect %{saddr->} (%{shost}): %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","bgp connect error"), + dup22, + ])); + + var msg132 = msg("bgp_connect_start", part158); + + var part159 = match("MESSAGE#128:bgp_event", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) old state %{change_old->} event %{action->} new state %{change_new}", processor_chain([ + dup20, + dup21, + setc("event_description","bgp peer state change"), + dup22, + ])); + + var msg133 = msg("bgp_event", part159); + + var part160 = 
match("MESSAGE#129:bgp_listen_accept", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection attempt from unconfigured neighbor: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Connection attempt from unconfigured neighbor"), + dup22, + ])); + + var msg134 = msg("bgp_listen_accept", part160); + + var part161 = match("MESSAGE#130:bgp_listen_reset", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","bgp reset"), + dup22, + ])); + + var msg135 = msg("bgp_listen_reset", part161); + + var part162 = match("MESSAGE#131:bgp_nexthop_sanity", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) next hop %{saddr->} local, %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","peer next hop local"), + dup22, + ])); + + var msg136 = msg("bgp_nexthop_sanity", part162); + + var part163 = match("MESSAGE#132:bgp_process_caps", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{severity->} (%{action}) subcode %{version->} (%{result}) value %{disposition}", processor_chain([ + dup29, + dup21, + setc("event_description","code RED error NOTIFICATION sent"), + dup22, + ])); + + var msg137 = msg("bgp_process_caps", part163); + + var part164 = match("MESSAGE#133:bgp_process_caps:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ + dup29, + dup21, + dup56, + dup22, + ])); + + var msg138 = msg("bgp_process_caps:01", part164); + + var select32 = linear_select([ + msg137, + msg138, + ]); + + var part165 = match("MESSAGE#134:bgp_pp_recv", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: dropping %{daddr->} (%{dhost}), %{info->} (%{protocol})", processor_chain([ + dup29, + dup21, + setc("event_description","connection 
collision"), + setc("result","dropping connection to peer"), + dup22, + ])); + + var msg139 = msg("bgp_pp_recv", part165); + + var part166 = match("MESSAGE#135:bgp_pp_recv:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}): received unexpected EOF", processor_chain([ + dup29, + dup21, + setc("event_description","peer received unexpected EOF"), + dup22, + ])); + + var msg140 = msg("bgp_pp_recv:01", part166); + + var select33 = linear_select([ + msg139, + msg140, + ]); + + var part167 = match("MESSAGE#136:bgp_send", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sending %{sbytes->} bytes to %{daddr->} (%{dhost}) blocked (%{disposition}): %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","bgp send blocked error"), + dup22, + ])); + + var msg141 = msg("bgp_send", part167); + + var part168 = match("MESSAGE#137:bgp_traffic_timeout", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","bgp timeout NOTIFICATION sent"), + dup22, + ])); + + var msg142 = msg("bgp_traffic_timeout", part168); + + var part169 = match("MESSAGE#138:BOOTPD_ARG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring unknown option %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","boot argument error"), + dup22, + ])); + + var msg143 = msg("BOOTPD_ARG_ERR", part169); + + var part170 = match("MESSAGE#139:BOOTPD_BAD_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","boot unexpected Id value"), + dup22, + ])); + + var msg144 = msg("BOOTPD_BAD_ID", part170); + + var part171 = match("MESSAGE#140:BOOTPD_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Boot string: 
%(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","Invalid boot string"), + dup22, + ])); + + var msg145 = msg("BOOTPD_BOOTSTRING", part171); + + var part172 = match("MESSAGE#141:BOOTPD_CONFIG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file '%(unknown)', %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","configuration file error"), + dup22, + ])); + + var msg146 = msg("BOOTPD_CONFIG_ERR", part172); + + var part173 = match("MESSAGE#142:BOOTPD_CONF_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open configuration file '%(unknown)'", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to open configuration file"), + dup22, + ])); + + var msg147 = msg("BOOTPD_CONF_OPEN", part173); + + var part174 = match("MESSAGE#143:BOOTPD_DUP_REV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate revision: %{version}", processor_chain([ + dup29, + dup21, + setc("event_description","boot - Duplicate revision"), + dup22, + ])); + + var msg148 = msg("BOOTPD_DUP_REV", part174); + + var part175 = match("MESSAGE#144:BOOTPD_DUP_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate slot default: %{ssid}", processor_chain([ + dup29, + dup21, + setc("event_description","boot - duplicate slot"), + dup22, + ])); + + var msg149 = msg("BOOTPD_DUP_SLOT", part175); + + var part176 = match("MESSAGE#145:BOOTPD_MODEL_CHK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{id->} for model %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","Unexpected ID for model"), + dup22, + ])); + + var msg150 = msg("BOOTPD_MODEL_CHK", part176); + + var part177 = match("MESSAGE#146:BOOTPD_MODEL_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unsupported model %{dclass_counter1}, %{result}", processor_chain([ + dup29, + dup21, + 
setc("event_description","Unsupported model"), + dup22, + ])); + + var msg151 = msg("BOOTPD_MODEL_ERR", part177); + + var part178 = match("MESSAGE#147:BOOTPD_NEW_CONF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: New configuration installed", processor_chain([ + dup20, + dup21, + setc("event_description","New configuration installed"), + dup22, + ])); + + var msg152 = msg("BOOTPD_NEW_CONF", part178); + + var part179 = match("MESSAGE#148:BOOTPD_NO_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No boot string found for type %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","No boot string found"), + dup22, + ])); + + var msg153 = msg("BOOTPD_NO_BOOTSTRING", part179); + + var part180 = match("MESSAGE#149:BOOTPD_NO_CONFIG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No configuration file '%(unknown)', %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","No configuration file found"), + dup22, + ])); + + var msg154 = msg("BOOTPD_NO_CONFIG", part180); + + var part181 = match("MESSAGE#150:BOOTPD_PARSE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): number parse errors on SIGHUP", processor_chain([ + dup29, + dup21, + setc("event_description","parse errors on SIGHUP"), + dup22, + ])); + + var msg155 = msg("BOOTPD_PARSE_ERR", part181); + + var part182 = match("MESSAGE#151:BOOTPD_REPARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reparsing configuration file '%(unknown)'", processor_chain([ + dup20, + dup21, + setc("event_description","Reparsing configuration file"), + dup22, + ])); + + var msg156 = msg("BOOTPD_REPARSE", part182); + + var part183 = match("MESSAGE#152:BOOTPD_SELECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","select error"), + dup22, + ])); + + var msg157 = 
msg("BOOTPD_SELECT_ERR", part183); + + var part184 = match("MESSAGE#153:BOOTPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout %{result->} unreasonable", processor_chain([ + dup29, + dup21, + setc("event_description","timeout unreasonable"), + dup22, + ])); + + var msg158 = msg("BOOTPD_TIMEOUT", part184); + + var part185 = match("MESSAGE#154:BOOTPD_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version: %{version->} built by builder on %{event_time_string}", processor_chain([ + dup20, + dup21, + setc("event_description","boot version built"), + dup22, + ])); + + var msg159 = msg("BOOTPD_VERSION", part185); + + var part186 = match("MESSAGE#155:CHASSISD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{version->} built by builder on %{event_time_string}", processor_chain([ + dup57, + dup21, + setc("event_description","CHASSISD release built"), + dup22, + ])); + + var msg160 = msg("CHASSISD", part186); + + var part187 = match("MESSAGE#156:CHASSISD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown option %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD Unknown option"), + dup22, + ])); + + var msg161 = msg("CHASSISD_ARGUMENT_ERROR", part187); + + var part188 = match("MESSAGE#157:CHASSISD_BLOWERS_SPEED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers are now running at normal speed", processor_chain([ + dup20, + dup21, + setc("event_description","Fans and impellers are now running at normal speed"), + dup22, + ])); + + var msg162 = msg("CHASSISD_BLOWERS_SPEED", part188); + + var part189 = match("MESSAGE#158:CHASSISD_BLOWERS_SPEED_FULL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers being set to full speed [%{result}]", processor_chain([ + dup20, + dup21, + setc("event_description","Fans and impellers being set to full speed"), + dup22, + ])); + + var 
msg163 = msg("CHASSISD_BLOWERS_SPEED_FULL", part189); + + var part190 = match("MESSAGE#159:CHASSISD_CB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading midplane ID EEPROM, %{dclass_counter1->} %{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","reading midplane ID EEPROM"), + dup22, + ])); + + var msg164 = msg("CHASSISD_CB_READ", part190); + + var part191 = match("MESSAGE#160:CHASSISD_COMMAND_ACK_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} online ack code %{dclass_counter1->} - - %{result}, %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD COMMAND ACK ERROR"), + dup22, + ])); + + var msg165 = msg("CHASSISD_COMMAND_ACK_ERROR", part191); + + var part192 = match("MESSAGE#161:CHASSISD_COMMAND_ACK_SF_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{disposition->} - %{result}, code %{resultcode}, SFM %{dclass_counter1}, FPC %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD COMMAND ACK SF ERROR"), + dup22, + ])); + + var msg166 = msg("CHASSISD_COMMAND_ACK_SF_ERROR", part192); + + var part193 = match("MESSAGE#162:CHASSISD_CONCAT_MODE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cannot set no-concatenated mode for FPC %{dclass_counter2->} PIC %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","Cannot set no-concatenated mode for FPC"), + dup22, + ])); + + var msg167 = msg("CHASSISD_CONCAT_MODE_ERROR", part193); + + var part194 = match("MESSAGE#163:CHASSISD_CONFIG_INIT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file %(unknown); %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CONFIG File Problem"), + dup22, + ])); + + var msg168 = msg("CHASSISD_CONFIG_INIT_ERROR", part194); + + var part195 = 
match("MESSAGE#164:CHASSISD_CONFIG_WARNING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): %{result}, FPC %{dclass_counter2->} %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD CONFIG WARNING"), + dup22, + ])); + + var msg169 = msg("CHASSISD_CONFIG_WARNING", part195); + + var part196 = match("MESSAGE#165:CHASSISD_EXISTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd already running; %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","chassisd already running"), + dup22, + ])); + + var msg170 = msg("CHASSISD_EXISTS", part196); + + var part197 = match("MESSAGE#166:CHASSISD_EXISTS_TERM_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Killing existing chassisd and exiting", processor_chain([ + dup20, + dup21, + setc("event_description","Killing existing chassisd and exiting"), + dup22, + ])); + + var msg171 = msg("CHASSISD_EXISTS_TERM_OTHER", part197); + + var part198 = match("MESSAGE#167:CHASSISD_FILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File open: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","file open error"), + dup22, + ])); + + var msg172 = msg("CHASSISD_FILE_OPEN", part198); + + var part199 = match("MESSAGE#168:CHASSISD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File stat: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD file statistics error"), + dup22, + ])); + + var msg173 = msg("CHASSISD_FILE_STAT", part199); + + var part200 = match("MESSAGE#169:CHASSISD_FRU_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD received restart EVENT"), + dup22, + ])); + + var msg174 = 
msg("CHASSISD_FRU_EVENT", part200); + + var part201 = match("MESSAGE#170:CHASSISD_FRU_IPC_WRITE_ERROR_EXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} FRU %(unknown)#%{resultcode}, %{result->} %{dclass_counter1}, %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD restart WRITE_ERROR"), + dup22, + ])); + + var msg175 = msg("CHASSISD_FRU_IPC_WRITE_ERROR_EXT", part201); + + var part202 = match("MESSAGE#171:CHASSISD_FRU_STEP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} %{resultcode->} at step %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD FRU STEP ERROR"), + dup22, + ])); + + var msg176 = msg("CHASSISD_FRU_STEP_ERROR", part202); + + var part203 = match("MESSAGE#172:CHASSISD_GETTIMEOFDAY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error from gettimeofday: %{resultcode->} - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","Unexpected error from gettimeofday"), + dup22, + ])); + + var msg177 = msg("CHASSISD_GETTIMEOFDAY", part203); + + var part204 = match("MESSAGE#173:CHASSISD_HOST_TEMP_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading host temperature sensor", processor_chain([ + dup20, + dup21, + setc("event_description","reading host temperature sensor"), + dup22, + ])); + + var msg178 = msg("CHASSISD_HOST_TEMP_READ", part204); + + var part205 = match("MESSAGE#174:CHASSISD_IFDEV_DETACH_ALL_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ + dup20, + dup21, + setc("event_description","detaching all pseudo devices"), + dup22, + ])); + + var msg179 = msg("CHASSISD_IFDEV_DETACH_ALL_PSEUDO", part205); + + var part206 = match("MESSAGE#175:CHASSISD_IFDEV_DETACH_FPC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
%{service}(%{resultcode})", processor_chain([ + dup20, + dup21, + setc("event_description","CHASSISD IFDEV DETACH FPC"), + dup22, + ])); + + var msg180 = msg("CHASSISD_IFDEV_DETACH_FPC", part206); + + var part207 = match("MESSAGE#176:CHASSISD_IFDEV_DETACH_PIC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{resultcode})", processor_chain([ + dup20, + dup21, + setc("event_description","CHASSISD IFDEV DETACH PIC"), + dup22, + ])); + + var msg181 = msg("CHASSISD_IFDEV_DETACH_PIC", part207); + + var part208 = match("MESSAGE#177:CHASSISD_IFDEV_DETACH_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ + dup20, + dup21, + setc("event_description","CHASSISD IFDEV DETACH PSEUDO"), + dup22, + ])); + + var msg182 = msg("CHASSISD_IFDEV_DETACH_PSEUDO", part208); + + var part209 = match("MESSAGE#178:CHASSISD_IFDEV_DETACH_TLV_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD IFDEV DETACH TLV ERROR"), + dup22, + ])); + + var msg183 = msg("CHASSISD_IFDEV_DETACH_TLV_ERROR", part209); + + var part210 = match("MESSAGE#179:CHASSISD_IFDEV_GET_BY_INDEX_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: rtslib_ifdm_get_by_index failed: %{resultcode->} - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","rtslib_ifdm_get_by_index failed"), + dup22, + ])); + + var msg184 = msg("CHASSISD_IFDEV_GET_BY_INDEX_FAIL", part210); + + var part211 = match("MESSAGE#180:CHASSISD_IPC_MSG_QFULL_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Message Queue full"), + dup22, + ])); + + var msg185 = msg("CHASSISD_IPC_MSG_QFULL_ERROR", part211); + + var part212 = 
match("MESSAGE#181:CHASSISD_IPC_UNEXPECTED_RECV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received unexpected message from %{service}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Received unexpected message"), + dup22, + ])); + + var msg186 = msg("CHASSISD_IPC_UNEXPECTED_RECV", part212); + + var part213 = match("MESSAGE#182:CHASSISD_IPC_WRITE_ERR_NO_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection pipe %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","FRU has no connection pipe"), + dup22, + ])); + + var msg187 = msg("CHASSISD_IPC_WRITE_ERR_NO_PIPE", part213); + + var part214 = match("MESSAGE#183:CHASSISD_IPC_WRITE_ERR_NULL_ARGS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection arguments %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","FRU has no connection arguments"), + dup22, + ])); + + var msg188 = msg("CHASSISD_IPC_WRITE_ERR_NULL_ARGS", part214); + + var part215 = match("MESSAGE#184:CHASSISD_MAC_ADDRESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd MAC address allocation error", processor_chain([ + dup29, + dup21, + setc("event_description","chassisd MAC address allocation error"), + dup22, + ])); + + var msg189 = msg("CHASSISD_MAC_ADDRESS_ERROR", part215); + + var part216 = match("MESSAGE#185:CHASSISD_MAC_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using default MAC address base", processor_chain([ + dup20, + dup21, + setc("event_description","Using default MAC address base"), + dup22, + ])); + + var msg190 = msg("CHASSISD_MAC_DEFAULT", part216); + + var part217 = match("MESSAGE#186:CHASSISD_MBUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} %{resultcode}: management bus failed sanity test", processor_chain([ + dup29, + dup21, + 
setc("event_description","management bus failed sanity test"), + dup22, + ])); + + var msg191 = msg("CHASSISD_MBUS_ERROR", part217); + + var part218 = match("MESSAGE#187:CHASSISD_PARSE_COMPLETE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using new configuration", processor_chain([ + dup20, + dup21, + setc("event_description","Using new configuration"), + dup22, + ])); + + var msg192 = msg("CHASSISD_PARSE_COMPLETE", part218); + + var part219 = match("MESSAGE#188:CHASSISD_PARSE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{resultcode->} %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD PARSE ERROR"), + dup22, + ])); + + var msg193 = msg("CHASSISD_PARSE_ERROR", part219); + + var part220 = match("MESSAGE#189:CHASSISD_PARSE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Parsing configuration file '%(unknown)'", processor_chain([ + dup20, + dup21, + setc("event_description","Parsing configuration file"), + dup22, + ])); + + var msg194 = msg("CHASSISD_PARSE_INIT", part220); + + var part221 = match("MESSAGE#190:CHASSISD_PIDFILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open PID file '%(unknown)': %{result->} %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to open PID file"), + dup22, + ])); + + var msg195 = msg("CHASSISD_PIDFILE_OPEN", part221); + + var part222 = match("MESSAGE#191:CHASSISD_PIPE_WRITE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Pipe error: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Pipe error"), + dup22, + ])); + + var msg196 = msg("CHASSISD_PIPE_WRITE_ERROR", part222); + + var part223 = match("MESSAGE#192:CHASSISD_POWER_CHECK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} %{dclass_counter1->} not powering up", processor_chain([ + dup58, + dup21, + 
setc("event_description","device not powering up"), + dup22, + ])); + + var msg197 = msg("CHASSISD_POWER_CHECK", part223); + + var part224 = match("MESSAGE#193:CHASSISD_RECONNECT_SUCCESSFUL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Successfully reconnected on soft restart", processor_chain([ + dup20, + dup21, + setc("event_description","Successful reconnect on soft restart"), + dup22, + ])); + + var msg198 = msg("CHASSISD_RECONNECT_SUCCESSFUL", part224); + + var part225 = match("MESSAGE#194:CHASSISD_RELEASE_MASTERSHIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Release mastership notification", processor_chain([ + dup20, + dup21, + setc("event_description","Release mastership notification"), + dup22, + ])); + + var msg199 = msg("CHASSISD_RELEASE_MASTERSHIP", part225); + + var part226 = match("MESSAGE#195:CHASSISD_RE_INIT_INVALID_RE_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: re_init: re %{resultcode}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","re_init Invalid RE slot"), + dup22, + ])); + + var msg200 = msg("CHASSISD_RE_INIT_INVALID_RE_SLOT", part226); + + var part227 = match("MESSAGE#196:CHASSISD_ROOT_MOUNT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine the mount point for root directory: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to determine mount point for root directory"), + dup22, + ])); + + var msg201 = msg("CHASSISD_ROOT_MOUNT_ERROR", part227); + + var part228 = match("MESSAGE#197:CHASSISD_RTS_SEQ_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifmsg sequence gap %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","ifmsg sequence gap"), + dup22, + ])); + + var msg202 = msg("CHASSISD_RTS_SEQ_ERROR", part228); + + var part229 = match("MESSAGE#198:CHASSISD_SBOARD_VERSION_MISMATCH", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ + setc("eventcategory","1603040000"), + dup21, + setc("event_description","Version mismatch"), + dup22, + ])); + + var msg203 = msg("CHASSISD_SBOARD_VERSION_MISMATCH", part229); + + var part230 = match("MESSAGE#199:CHASSISD_SERIAL_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Serial ID read error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","Serial ID read error"), + dup22, + ])); + + var msg204 = msg("CHASSISD_SERIAL_ID", part230); + + var part231 = match("MESSAGE#200:CHASSISD_SMB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: fpga download not complete: val %{resultcode}, %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","fpga download not complete"), + dup22, + ])); + + var msg205 = msg("CHASSISD_SMB_ERROR", part231); + + var part232 = match("MESSAGE#201:CHASSISD_SNMP_TRAP6", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap generated: %{result->} (%{info})", processor_chain([ + dup57, + dup21, + setc("event_description","SNMP Trap6 generated"), + dup22, + ])); + + var msg206 = msg("CHASSISD_SNMP_TRAP6", part232); + + var part233 = match("MESSAGE#202:CHASSISD_SNMP_TRAP7", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP Trap7 generated"), + dup22, + ])); + + var msg207 = msg("CHASSISD_SNMP_TRAP7", part233); + + var part234 = match("MESSAGE#203:CHASSISD_SNMP_TRAP10", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP trap - FRU power on"), + dup22, + ])); + + var msg208 = msg("CHASSISD_SNMP_TRAP10", part234); + + var part235 = 
match("MESSAGE#204:CHASSISD_TERM_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received SIGTERM request, %{result}", processor_chain([ + dup59, + dup21, + setc("event_description","Received SIGTERM request"), + dup22, + ])); + + var msg209 = msg("CHASSISD_TERM_SIGNAL", part235); + + var part236 = match("MESSAGE#205:CHASSISD_TRACE_PIC_OFFLINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Taking PIC offline - - FPC slot %{dclass_counter1}, PIC slot %{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","Taking PIC offline"), + dup22, + ])); + + var msg210 = msg("CHASSISD_TRACE_PIC_OFFLINE", part236); + + var part237 = match("MESSAGE#206:CHASSISD_UNEXPECTED_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} returned %{resultcode}: %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","UNEXPECTED EXIT"), + dup22, + ])); + + var msg211 = msg("CHASSISD_UNEXPECTED_EXIT", part237); + + var part238 = match("MESSAGE#207:CHASSISD_UNSUPPORTED_MODEL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Model %{dclass_counter1->} unsupported with this version of chassisd", processor_chain([ + dup58, + dup21, + setc("event_description","Model number unsupported with this version of chassisd"), + dup22, + ])); + + var msg212 = msg("CHASSISD_UNSUPPORTED_MODEL", part238); + + var part239 = match("MESSAGE#208:CHASSISD_VERSION_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ + dup58, + dup21, + setc("event_description","Chassisd Version mismatch"), + dup22, + ])); + + var msg213 = msg("CHASSISD_VERSION_MISMATCH", part239); + + var part240 = match("MESSAGE#209:CHASSISD_HIGH_TEMP_CONDITION", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} temperature=\"%{fld2}\" message=\"%{info}\"]", processor_chain([ + dup58, + dup21, + 
setc("event_description","CHASSISD HIGH TEMP CONDITION"), + dup60, + dup61, + ])); + + var msg214 = msg("CHASSISD_HIGH_TEMP_CONDITION", part240); + + var part241 = match("MESSAGE#210:clean_process", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: process %{agent->} RESTART mode %{event_state->} new master=%{obj_name->} old failover=%{change_old->} new failover = %{change_new}", processor_chain([ + dup20, + dup21, + setc("event_description","process RESTART mode"), + dup22, + ])); + + var msg215 = msg("clean_process", part241); + + var part242 = match("MESSAGE#211:CM_JAVA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Chassis %{group->} Linklocal MAC:%{macaddr}", processor_chain([ + dup20, + dup21, + setc("event_description","Chassis Linklocal to MAC"), + dup22, + ])); + + var msg216 = msg("CM_JAVA", part242); + + var part243 = match("MESSAGE#212:DCD_AS_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup62, + dup21, + setc("event_description","DCD must be run as root"), + dup22, + ])); + + var msg217 = msg("DCD_AS_ROOT", part243); + + var part244 = match("MESSAGE#213:DCD_FILTER_LIB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Filter library initialization failed", processor_chain([ + dup29, + dup21, + setc("event_description","Filter library initialization failed"), + dup22, + ])); + + var msg218 = msg("DCD_FILTER_LIB_ERROR", part244); + + var msg219 = msg("DCD_MALLOC_FAILED_INIT", dup136); + + var part245 = match("MESSAGE#215:DCD_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration file", processor_chain([ + dup29, + dup21, + setc("event_description","errors while parsing configuration file"), + dup22, + ])); + + var msg220 = msg("DCD_PARSE_EMERGENCY", part245); + + var part246 = match("MESSAGE#216:DCD_PARSE_FILTER_EMERGENCY", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing filter index file", processor_chain([ + dup29, + dup21, + setc("event_description","errors while parsing filter index file"), + dup22, + ])); + + var msg221 = msg("DCD_PARSE_FILTER_EMERGENCY", part246); + + var part247 = match("MESSAGE#217:DCD_PARSE_MINI_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration overlay", processor_chain([ + dup29, + dup21, + setc("event_description","errors while parsing configuration overlay"), + dup22, + ])); + + var msg222 = msg("DCD_PARSE_MINI_EMERGENCY", part247); + + var part248 = match("MESSAGE#218:DCD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: An unhandled state was encountered during interface parsing", processor_chain([ + dup29, + dup21, + setc("event_description","unhandled state was encountered during interface parsing"), + dup22, + ])); + + var msg223 = msg("DCD_PARSE_STATE_EMERGENCY", part248); + + var part249 = match("MESSAGE#219:DCD_POLICER_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing policer indexfile", processor_chain([ + dup29, + dup21, + setc("event_description","errors while parsing policer indexfile"), + dup22, + ])); + + var msg224 = msg("DCD_POLICER_PARSE_EMERGENCY", part249); + + var part250 = match("MESSAGE#220:DCD_PULL_LOG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to pull file %{filename->} after %{dclass_counter1->} retries last error=%{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to pull file"), + dup22, + ])); + + var msg225 = msg("DCD_PULL_LOG_FAILURE", part250); + + var part251 = match("MESSAGE#221:DFWD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","DFWD ARGUMENT 
ERROR"), + dup22, + ])); + + var msg226 = msg("DFWD_ARGUMENT_ERROR", part251); + + var msg227 = msg("DFWD_MALLOC_FAILED_INIT", dup136); + + var part252 = match("MESSAGE#223:DFWD_PARSE_FILTER_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered errors while parsing filter index file", processor_chain([ + dup29, + dup21, + setc("event_description","errors encountered while parsing filter index file"), + dup22, + ])); + + var msg228 = msg("DFWD_PARSE_FILTER_EMERGENCY", part252); + + var part253 = match("MESSAGE#224:DFWD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered unhandled state while parsing interface", processor_chain([ + dup29, + dup21, + setc("event_description","encountered unhandled state while parsing interface"), + dup22, + ])); + + var msg229 = msg("DFWD_PARSE_STATE_EMERGENCY", part253); + + var msg230 = msg("ECCD_DAEMONIZE_FAILED", dup137); + + var msg231 = msg("ECCD_DUPLICATE", dup138); + + var part254 = match("MESSAGE#227:ECCD_LOOP_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MainLoop return value: %{disposition}, error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ECCD LOOP EXIT FAILURE"), + dup22, + ])); + + var msg232 = msg("ECCD_LOOP_EXIT_FAILURE", part254); + + var part255 = match("MESSAGE#228:ECCD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup62, + dup21, + setc("event_description","ECCD Must be run as root"), + dup22, + ])); + + var msg233 = msg("ECCD_NOT_ROOT", part255); + + var part256 = match("MESSAGE#229:ECCD_PCI_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: open() failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ECCD PCI FILE OPEN FAILED"), + dup22, + ])); + + var msg234 = msg("ECCD_PCI_FILE_OPEN_FAILED", part256); + + var 
part257 = match("MESSAGE#230:ECCD_PCI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","PCI read failure"), + dup22, + ])); + + var msg235 = msg("ECCD_PCI_READ_FAILED", part257); + + var part258 = match("MESSAGE#231:ECCD_PCI_WRITE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","PCI write failure"), + dup22, + ])); + + var msg236 = msg("ECCD_PCI_WRITE_FAILED", part258); + + var msg237 = msg("ECCD_PID_FILE_LOCK", dup139); + + var msg238 = msg("ECCD_PID_FILE_UPDATE", dup140); + + var part259 = match("MESSAGE#234:ECCD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ECCD TRACE FILE OPEN FAILURE"), + dup22, + ])); + + var msg239 = msg("ECCD_TRACE_FILE_OPEN_FAILED", part259); + + var part260 = match("MESSAGE#235:ECCD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","ECCD Usage"), + dup22, + ])); + + var msg240 = msg("ECCD_usage", part260); + + var part261 = match("MESSAGE#236:EVENTD_AUDIT_SHOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} viewed security audit log with arguments: %{param}", processor_chain([ + dup20, + dup21, + setc("event_description","User viewed security audit log with arguments"), + dup22, + ])); + + var msg241 = msg("EVENTD_AUDIT_SHOW", part261); + + var part262 = match("MESSAGE#237:FLOW_REASSEMBLE_SUCCEED", "nwparser.payload", "%{event_type}: Packet merged source %{saddr->} destination %{daddr->} ipid %{fld11->} succeed", processor_chain([ + dup20, + dup21, + dup22, + ])); + + var msg242 = msg("FLOW_REASSEMBLE_SUCCEED", part262); + + var part263 = 
match("MESSAGE#238:FSAD_CHANGE_FILE_OWNER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to change owner of file `%(unknown)' to user %{username}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to change owner of file"), + dup22, + ])); + + var msg243 = msg("FSAD_CHANGE_FILE_OWNER", part263); + + var part264 = match("MESSAGE#239:FSAD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","FSAD CONFIG ERROR"), + dup22, + ])); + + var msg244 = msg("FSAD_CONFIG_ERROR", part264); + + var part265 = match("MESSAGE#240:FSAD_CONNTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection timed out to the client (%{shost}, %{saddr}) having request type %{obj_type}", processor_chain([ + dup29, + dup21, + setc("event_description","Connection timed out to client"), + dup22, + ])); + + var msg245 = msg("FSAD_CONNTIMEDOUT", part265); + + var part266 = match("MESSAGE#241:FSAD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","FSAD_FAILED"), + dup22, + ])); + + var msg246 = msg("FSAD_FAILED", part266); + + var part267 = match("MESSAGE#242:FSAD_FETCHTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fetch to server %{hostname->} for file `%(unknown)' timed out", processor_chain([ + dup29, + dup21, + setc("event_description","Fetch to server to get file timed out"), + dup22, + ])); + + var msg247 = msg("FSAD_FETCHTIMEDOUT", part267); + + var part268 = match("MESSAGE#243:FSAD_FILE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: fn failed for file `%(unknown)' with error message %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","fn failed for file"), + dup22, + ])); + + var msg248 = 
msg("FSAD_FILE_FAILED", part268); + + var part269 = match("MESSAGE#244:FSAD_FILE_REMOVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to remove file `%(unknown)': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to remove file"), + dup22, + ])); + + var msg249 = msg("FSAD_FILE_REMOVE", part269); + + var part270 = match("MESSAGE#245:FSAD_FILE_RENAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to rename file `%(unknown)' to `%{resultcode}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to rename file"), + dup22, + ])); + + var msg250 = msg("FSAD_FILE_RENAME", part270); + + var part271 = match("MESSAGE#246:FSAD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed for file pathname %(unknown): %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","stat failed for file"), + dup22, + ])); + + var msg251 = msg("FSAD_FILE_STAT", part271); + + var part272 = match("MESSAGE#247:FSAD_FILE_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to sync file %(unknown)': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to sync file"), + dup22, + ])); + + var msg252 = msg("FSAD_FILE_SYNC", part272); + + var part273 = match("MESSAGE#248:FSAD_MAXCONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Upper limit reached in fsad for handling connections", processor_chain([ + dup29, + dup21, + setc("event_description","Upper limit reached in fsad"), + dup22, + ])); + + var msg253 = msg("FSAD_MAXCONN", part273); + + var part274 = match("MESSAGE#249:FSAD_MEMORYALLOC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed in the function %{action->} (%{resultcode})", processor_chain([ + dup50, + dup21, + setc("event_description","FSAD MEMORYALLOC FAILED"), + dup22, + ])); + + var msg254 = 
msg("FSAD_MEMORYALLOC_FAILED", part274); + + var part275 = match("MESSAGE#250:FSAD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup62, + dup21, + setc("event_description","FSAD must be run as root"), + dup22, + ])); + + var msg255 = msg("FSAD_NOT_ROOT", part275); + + var part276 = match("MESSAGE#251:FSAD_PARENT_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: invalid directory: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","invalid directory"), + dup22, + ])); + + var msg256 = msg("FSAD_PARENT_DIRECTORY", part276); + + var part277 = match("MESSAGE#252:FSAD_PATH_IS_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File path cannot be a directory (%(unknown))", processor_chain([ + dup29, + dup21, + setc("event_description","File path cannot be a directory"), + dup22, + ])); + + var msg257 = msg("FSAD_PATH_IS_DIRECTORY", part277); + + var part278 = match("MESSAGE#253:FSAD_PATH_IS_SPECIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Not a regular file (%(unknown))", processor_chain([ + dup29, + dup21, + setc("event_description","Not a regular file"), + dup22, + ])); + + var msg258 = msg("FSAD_PATH_IS_SPECIAL", part278); + + var part279 = match("MESSAGE#254:FSAD_RECVERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fsad received error message from client having request type %{obj_type->} at (%{saddr}, %{sport})", processor_chain([ + dup29, + dup21, + setc("event_description","fsad received error message from client"), + dup22, + ])); + + var msg259 = msg("FSAD_RECVERROR", part279); + + var part280 = match("MESSAGE#255:FSAD_TERMINATED_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open file %(unknown)` closed due to %{result}", processor_chain([ + dup26, + dup21, + setc("event_description","FSAD TERMINATED CONNECTION"), + dup22, + ])); + + 
var msg260 = msg("FSAD_TERMINATED_CONNECTION", part280); + + var part281 = match("MESSAGE#256:FSAD_TERMINATING_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received terminating %{resultcode}; %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Received terminating signal"), + dup22, + ])); + + var msg261 = msg("FSAD_TERMINATING_SIGNAL", part281); + + var part282 = match("MESSAGE#257:FSAD_TRACEOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open operation on trace file `%(unknown)' returned error %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Open operation on trace file failed"), + dup22, + ])); + + var msg262 = msg("FSAD_TRACEOPEN_FAILED", part282); + + var part283 = match("MESSAGE#258:FSAD_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage, %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Incorrect FSAD usage"), + dup22, + ])); + + var msg263 = msg("FSAD_USAGE", part283); + + var part284 = match("MESSAGE#259:GGSN_ALARM_TRAP_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","GGSN ALARM TRAP FAILED"), + dup22, + ])); + + var msg264 = msg("GGSN_ALARM_TRAP_FAILED", part284); + + var part285 = match("MESSAGE#260:GGSN_ALARM_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","GGSN ALARM TRAP SEND FAILED"), + dup22, + ])); + + var msg265 = msg("GGSN_ALARM_TRAP_SEND", part285); + + var part286 = match("MESSAGE#261:GGSN_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown trap request type %{obj_type}", processor_chain([ + dup29, + dup21, + setc("event_description","Unknown trap request type"), + dup22, + ])); + + var msg266 = 
msg("GGSN_TRAP_SEND", part286); + + var part287 = match("MESSAGE#262:JADE_AUTH_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authorization failed: %{result}", processor_chain([ + dup68, + dup33, + setc("ec_subject","Service"), + dup42, + dup21, + setc("event_description","Authorization failed"), + dup22, + ])); + + var msg267 = msg("JADE_AUTH_ERROR", part287); + + var part288 = match("MESSAGE#263:JADE_EXEC_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: CLI %{resultcode->} %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","JADE EXEC ERROR"), + dup22, + ])); + + var msg268 = msg("JADE_EXEC_ERROR", part288); + + var part289 = match("MESSAGE#264:JADE_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local user %{username->} does not exist", processor_chain([ + dup29, + dup21, + setc("event_description","Local user does not exist"), + dup22, + ])); + + var msg269 = msg("JADE_NO_LOCAL_USER", part289); + + var part290 = match("MESSAGE#265:JADE_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","JADE PAM error"), + dup22, + ])); + + var msg270 = msg("JADE_PAM_ERROR", part290); + + var part291 = match("MESSAGE#266:JADE_PAM_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get local username from PAM: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to get local username from PAM"), + dup22, + ])); + + var msg271 = msg("JADE_PAM_NO_LOCAL_USER", part291); + + var part292 = match("MESSAGE#267:KERN_ARP_ADDR_CHANGE", "nwparser.payload", "%{process}: %{event_type}: arp info overwritten for %{saddr->} from %{smacaddr->} to %{dmacaddr}", processor_chain([ + dup29, + dup21, + setc("event_description","arp info overwritten"), + dup22, + ])); + + var msg272 = msg("KERN_ARP_ADDR_CHANGE", 
part292); + + var part293 = match("MESSAGE#268:KMD_PM_SA_ESTABLISHED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local gateway: %{gateway}, Remote gateway: %{fld1}, Local ID:%{fld2}, Remote ID:%{fld3}, Direction:%{fld4}, SPI:%{fld5}", processor_chain([ + dup29, + dup21, + setc("event_description","security association has been established"), + dup22, + ])); + + var msg273 = msg("KMD_PM_SA_ESTABLISHED", part293); + + var part294 = match("MESSAGE#269:L2CPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialized", processor_chain([ + dup20, + dup21, + setc("event_description","Task Reinitialized"), + dup60, + dup22, + ])); + + var msg274 = msg("L2CPD_TASK_REINIT", part294); + + var part295 = match("MESSAGE#270:LIBJNX_EXEC_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal='%{obj_type}' %{result}, command '%{action}'", processor_chain([ + dup20, + dup21, + dup69, + dup22, + ])); + + var msg275 = msg("LIBJNX_EXEC_EXITED", part295); + + var part296 = match("MESSAGE#271:LIBJNX_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Child exec failed for command"), + dup22, + ])); + + var msg276 = msg("LIBJNX_EXEC_FAILED", part296); + + var msg277 = msg("LIBJNX_EXEC_PIPE", dup141); + + var part297 = match("MESSAGE#273:LIBJNX_EXEC_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command received signal: PID %{child_pid}, signal %{result}, command '%{action}'", processor_chain([ + dup29, + dup21, + setc("event_description","Command received signal"), + dup22, + ])); + + var msg278 = msg("LIBJNX_EXEC_SIGNALED", part297); + + var part298 = match("MESSAGE#274:LIBJNX_EXEC_WEXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{result}, command 
'%{action}'", processor_chain([ + dup20, + dup21, + dup71, + dup22, + ])); + + var msg279 = msg("LIBJNX_EXEC_WEXIT", part298); + + var part299 = match("MESSAGE#275:LIBJNX_FILE_COPY_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: copy_file_to_transfer_dir failed to copy from source to destination", processor_chain([ + dup72, + dup21, + setc("event_description","copy_file_to_transfer_dir failed to copy"), + dup22, + ])); + + var msg280 = msg("LIBJNX_FILE_COPY_FAILED", part299); + + var part300 = match("MESSAGE#276:LIBJNX_PRIV_LOWER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lower privilege level: %{result}", processor_chain([ + dup72, + dup21, + setc("event_description","Unable to lower privilege level"), + dup22, + ])); + + var msg281 = msg("LIBJNX_PRIV_LOWER_FAILED", part300); + + var part301 = match("MESSAGE#277:LIBJNX_PRIV_RAISE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to raise privilege level: %{result}", processor_chain([ + dup72, + dup21, + setc("event_description","Unable to raise privilege level"), + dup22, + ])); + + var msg282 = msg("LIBJNX_PRIV_RAISE_FAILED", part301); + + var part302 = match("MESSAGE#278:LIBJNX_REPLICATE_RCP_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup72, + dup21, + setc("event_description","rcp failed"), + dup22, + ])); + + var msg283 = msg("LIBJNX_REPLICATE_RCP_EXEC_FAILED", part302); + + var part303 = match("MESSAGE#279:LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode->} %{dclass_counter1->} -f %{action}: %{result}", processor_chain([ + dup72, + dup21, + setc("event_description","ROTATE COMPRESS EXEC FAILED"), + dup22, + ])); + + var msg284 = msg("LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", part303); + + var part304 = match("MESSAGE#280:LIBSERVICED_CLIENT_CONNECTION", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Client connection error: %{result}", processor_chain([ + dup73, + dup21, + setc("event_description","Client connection error"), + dup22, + ])); + + var msg285 = msg("LIBSERVICED_CLIENT_CONNECTION", part304); + + var part305 = match("MESSAGE#281:LIBSERVICED_OUTBOUND_REQUEST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Outbound request failed for command [%{action}]: %{result}", processor_chain([ + dup72, + dup21, + setc("event_description","Outbound request failed for command"), + dup22, + ])); + + var msg286 = msg("LIBSERVICED_OUTBOUND_REQUEST", part305); + + var part306 = match("MESSAGE#282:LIBSERVICED_SNMP_LOST_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection closed while receiving from client %{dclass_counter1}", processor_chain([ + dup26, + dup21, + setc("event_description","Connection closed while receiving from client"), + dup22, + ])); + + var msg287 = msg("LIBSERVICED_SNMP_LOST_CONNECTION", part306); + + var part307 = match("MESSAGE#283:LIBSERVICED_SOCKET_BIND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: unable to bind socket %{ssid}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","unable to bind socket"), + dup22, + ])); + + var msg288 = msg("LIBSERVICED_SOCKET_BIND", part307); + + var part308 = match("MESSAGE#284:LIBSERVICED_SOCKET_PRIVATIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to attach socket %{ssid->} to management routing instance: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to attach socket to management routing instance"), + dup22, + ])); + + var msg289 = msg("LIBSERVICED_SOCKET_PRIVATIZE", part308); + + var part309 = match("MESSAGE#285:LICENSE_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","LICENSE EXPIRED"), + 
dup22, + ])); + + var msg290 = msg("LICENSE_EXPIRED", part309); + + var part310 = match("MESSAGE#286:LICENSE_EXPIRED_KEY_DELETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License key \"%(unknown)\" has expired.", processor_chain([ + dup20, + dup21, + setc("event_description","License key has expired"), + dup22, + ])); + + var msg291 = msg("LICENSE_EXPIRED_KEY_DELETED", part310); + + var part311 = match("MESSAGE#287:LICENSE_NEARING_EXPIRY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License for feature %{disposition->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","License key expiration soon"), + dup22, + ])); + + var msg292 = msg("LICENSE_NEARING_EXPIRY", part311); + + var part312 = match("MESSAGE#288:LOGIN_ABORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Client aborted login", processor_chain([ + dup29, + dup21, + setc("event_description","client aborted login"), + dup22, + ])); + + var msg293 = msg("LOGIN_ABORTED", part312); + + var part313 = match("MESSAGE#289:LOGIN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login failed for user %{username->} from host %{dhost}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + dup22, + ])); + + var msg294 = msg("LOGIN_FAILED", part313); + + var part314 = match("MESSAGE#290:LOGIN_FAILED_INCORRECT_PASSWORD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect password for user %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Incorrect password for user"), + dup22, + ])); + + var msg295 = msg("LOGIN_FAILED_INCORRECT_PASSWORD", part314); + + var part315 = match("MESSAGE#291:LOGIN_FAILED_SET_CONTEXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set context for user %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + 
setc("result","Failed to set context for user"), + dup22, + ])); + + var msg296 = msg("LOGIN_FAILED_SET_CONTEXT", part315); + + var part316 = match("MESSAGE#292:LOGIN_FAILED_SET_LOGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set login ID for user %{username}: %{dhost}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Failed to set login ID for user"), + dup22, + ])); + + var msg297 = msg("LOGIN_FAILED_SET_LOGIN", part316); + + var part317 = match("MESSAGE#293:LOGIN_HOSTNAME_UNRESOLVED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to resolve hostname %{dhost}: %{info}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Unable to resolve hostname"), + dup22, + ])); + + var msg298 = msg("LOGIN_HOSTNAME_UNRESOLVED", part317); + + var part318 = match("MESSAGE#294:LOGIN_INFORMATION/2", "nwparser.p0", "%{} %{event_type}: %{p0}"); + + var part319 = match("MESSAGE#294:LOGIN_INFORMATION/4", "nwparser.p0", "%{} %{username->} logged in from host %{dhost->} on %{p0}"); + + var part320 = match("MESSAGE#294:LOGIN_INFORMATION/5_0", "nwparser.p0", "device %{p0}"); + + var select34 = linear_select([ + part320, + dup44, + ]); + + var part321 = match("MESSAGE#294:LOGIN_INFORMATION/6", "nwparser.p0", "%{} %{terminal}"); + + var all19 = all_match({ + processors: [ + dup38, + dup134, + part318, + dup142, + part319, + select34, + part321, + ], + on_success: processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","Successful Login"), + dup22, + ]), + }); + + var msg299 = msg("LOGIN_INFORMATION", all19); + + var part322 = match("MESSAGE#295:LOGIN_INVALID_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No entry in local password file for user %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","No entry in 
local password file for user"), + dup22, + ])); + + var msg300 = msg("LOGIN_INVALID_LOCAL_USER", part322); + + var part323 = match("MESSAGE#296:LOGIN_MALFORMED_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid username: %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Invalid username"), + dup22, + ])); + + var msg301 = msg("LOGIN_MALFORMED_USER", part323); + + var part324 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_0", "nwparser.p0", "PAM authentication error for user %{p0}"); + + var part325 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_1", "nwparser.p0", "Failed password for user %{p0}"); + + var select35 = linear_select([ + part324, + part325, + ]); + + var part326 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/2", "nwparser.p0", "%{} %{username}"); + + var all20 = all_match({ + processors: [ + dup49, + select35, + part326, + ], + on_success: processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","PAM authentication error for user"), + dup22, + ]), + }); + + var msg302 = msg("LOGIN_PAM_AUTHENTICATION_ERROR", all20); + + var part327 = match("MESSAGE#298:LOGIN_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failure while authenticating user %{username}: %{dhost}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + setc("event_description","PAM authentication failure"), + setc("result","Failure while authenticating user"), + dup22, + ])); + + var msg303 = msg("LOGIN_PAM_ERROR", part327); + + var part328 = match("MESSAGE#299:LOGIN_PAM_MAX_RETRIES", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many retries while authenticating user %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Too many retries while authenticating user"), + dup22, + ])); + + var msg304 = 
msg("LOGIN_PAM_MAX_RETRIES", part328); + + var part329 = match("MESSAGE#300:LOGIN_PAM_NONLOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} authenticated but has no local login ID", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","User authenticated but has no local login ID"), + dup22, + ])); + + var msg305 = msg("LOGIN_PAM_NONLOCAL_USER", part329); + + var part330 = match("MESSAGE#301:LOGIN_PAM_STOP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to end PAM session: %{info}", processor_chain([ + setc("eventcategory","1303000000"), + dup33, + dup42, + dup21, + setc("event_description","Failed to end PAM session"), + dup22, + ])); + + var msg306 = msg("LOGIN_PAM_STOP", part330); + + var part331 = match("MESSAGE#302:LOGIN_PAM_USER_UNKNOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Attempt to authenticate unknown user %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Attempt to authenticate unknown user"), + dup22, + ])); + + var msg307 = msg("LOGIN_PAM_USER_UNKNOWN", part331); + + var part332 = match("MESSAGE#303:LOGIN_PASSWORD_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Forcing change of expired password for user %{username}>", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Forcing change of expired password for user"), + dup22, + ])); + + var msg308 = msg("LOGIN_PASSWORD_EXPIRED", part332); + + var part333 = match("MESSAGE#304:LOGIN_REFUSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login of user %{username->} from host %{shost->} on %{terminal->} was refused: %{info}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Login of user refused"), + dup22, + ])); + + var msg309 = msg("LOGIN_REFUSED", part333); + + var 
part334 = match("MESSAGE#305:LOGIN_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} logged in as root from host %{shost->} on %{terminal}", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","successful login as root"), + setc("result","User logged in as root"), + dup22, + ])); + + var msg310 = msg("LOGIN_ROOT", part334); + + var part335 = match("MESSAGE#306:LOGIN_TIMED_OUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login attempt timed out after %{dclass_counter1->} seconds", processor_chain([ + dup43, + dup33, + dup35, + dup42, + dup21, + dup74, + setc("result","Login attempt timed out"), + dup22, + ])); + + var msg311 = msg("LOGIN_TIMED_OUT", part335); + + var part336 = match("MESSAGE#307:MIB2D_ATM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MIB2D ATM ERROR"), + dup22, + ])); + + var msg312 = msg("MIB2D_ATM_ERROR", part336); + + var part337 = match("MESSAGE#308:MIB2D_CONFIG_CHECK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CONFIG CHECK FAILED"), + dup22, + ])); + + var msg313 = msg("MIB2D_CONFIG_CHECK_FAILED", part337); + + var part338 = match("MESSAGE#309:MIB2D_FILE_OPEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)': %{result}", processor_chain([ + dup29, + dup21, + dup77, + dup22, + ])); + + var msg314 = msg("MIB2D_FILE_OPEN_FAILURE", part338); + + var msg315 = msg("MIB2D_IFD_IFINDEX_FAILURE", dup143); + + var msg316 = msg("MIB2D_IFL_IFINDEX_FAILURE", dup143); + + var part339 = match("MESSAGE#312:MIB2D_INIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mib2d initialization failure: %{result}", processor_chain([ + dup29, + dup21, + 
setc("event_description","mib2d initialization failure"), + dup22, + ])); + + var msg317 = msg("MIB2D_INIT_FAILURE", part339); + + var part340 = match("MESSAGE#313:MIB2D_KVM_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MIB2D KVM FAILURE"), + dup22, + ])); + + var msg318 = msg("MIB2D_KVM_FAILURE", part340); + + var part341 = match("MESSAGE#314:MIB2D_RTSLIB_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: failed in %{dclass_counter1->} %{dclass_counter2->} index (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","MIB2D RTSLIB READ FAILURE"), + dup22, + ])); + + var msg319 = msg("MIB2D_RTSLIB_READ_FAILURE", part341); + + var part342 = match("MESSAGE#315:MIB2D_RTSLIB_SEQ_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: sequence mismatch (%{result}), %{action}", processor_chain([ + dup29, + dup21, + setc("event_description","RTSLIB sequence mismatch"), + dup22, + ])); + + var msg320 = msg("MIB2D_RTSLIB_SEQ_MISMATCH", part342); + + var part343 = match("MESSAGE#316:MIB2D_SYSCTL_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MIB2D SYSCTL FAILURE"), + dup22, + ])); + + var msg321 = msg("MIB2D_SYSCTL_FAILURE", part343); + + var part344 = match("MESSAGE#317:MIB2D_TRAP_HEADER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: trap_request_header failed", processor_chain([ + dup29, + dup21, + setc("event_description","trap_request_header failed"), + dup22, + ])); + + var msg322 = msg("MIB2D_TRAP_HEADER_FAILURE", part344); + + var part345 = match("MESSAGE#318:MIB2D_TRAP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, 
+ dup21, + setc("event_description","MIB2D TRAP SEND FAILURE"), + dup22, + ])); + + var msg323 = msg("MIB2D_TRAP_SEND_FAILURE", part345); + + var part346 = match("MESSAGE#319:Multiuser", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: old requested_transition==%{change_new->} sighupped=%{result}", processor_chain([ + dup20, + dup21, + setc("event_description","user sighupped"), + dup22, + ])); + + var msg324 = msg("Multiuser", part346); + + var part347 = match("MESSAGE#320:NASD_AUTHENTICATION_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate authentication handle: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to allocate authentication handle"), + dup22, + ])); + + var msg325 = msg("NASD_AUTHENTICATION_CREATE_FAILED", part347); + + var part348 = match("MESSAGE#321:NASD_CHAP_AUTHENTICATION_IN_PROGRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown), authentication already in progress", processor_chain([ + dup79, + dup33, + dup42, + dup21, + setc("event_description","authentication already in progress"), + dup22, + ])); + + var msg326 = msg("NASD_CHAP_AUTHENTICATION_IN_PROGRESS", part348); + + var part349 = match("MESSAGE#322:NASD_CHAP_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: unable to obtain hostname for outgoing CHAP message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","unable to obtain hostname for outgoing CHAP message"), + dup22, + ])); + + var msg327 = msg("NASD_CHAP_GETHOSTNAME_FAILED", part349); + + var part350 = match("MESSAGE#323:NASD_CHAP_INVALID_CHAP_IDENTIFIER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %{filename->} expected CHAP ID: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","CHAP INVALID_CHAP IDENTIFIER"), + dup22, + ])); + + var msg328 
= msg("NASD_CHAP_INVALID_CHAP_IDENTIFIER", part350); + + var part351 = match("MESSAGE#324:NASD_CHAP_INVALID_OPCODE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}.%{dclass_counter1}: invalid operation code received %(unknown), CHAP ID: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","CHAP INVALID OPCODE"), + dup22, + ])); + + var msg329 = msg("NASD_CHAP_INVALID_OPCODE", part351); + + var part352 = match("MESSAGE#325:NASD_CHAP_LOCAL_NAME_UNAVAILABLE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine value for '%{username}' in outgoing CHAP packet", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to determine value for username in outgoing CHAP packet"), + dup22, + ])); + + var msg330 = msg("NASD_CHAP_LOCAL_NAME_UNAVAILABLE", part352); + + var part353 = match("MESSAGE#326:NASD_CHAP_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","CHAP MESSAGE UNEXPECTED"), + dup22, + ])); + + var msg331 = msg("NASD_CHAP_MESSAGE_UNEXPECTED", part353); + + var part354 = match("MESSAGE#327:NASD_CHAP_REPLAY_ATTACK_DETECTED", "nwparser.payload", "%{process}[%{ssid}]: %{event_type}: %{interface}.%{dclass_counter1}: received %{filename->} %{result}.%{info}", processor_chain([ + dup80, + dup21, + setc("event_description","CHAP REPLAY ATTACK DETECTED"), + dup22, + ])); + + var msg332 = msg("NASD_CHAP_REPLAY_ATTACK_DETECTED", part354); + + var part355 = match("MESSAGE#328:NASD_CONFIG_GET_LAST_MODIFIED_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine last modified time of JUNOS configuration database: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to determine last modified time of JUNOS configuration database"), + dup22, + ])); + + var msg333 = 
msg("NASD_CONFIG_GET_LAST_MODIFIED_FAILED", part355); + + var msg334 = msg("NASD_DAEMONIZE_FAILED", dup137); + + var part356 = match("MESSAGE#330:NASD_DB_ALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate database object: %(unknown), %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to allocate database object"), + dup22, + ])); + + var msg335 = msg("NASD_DB_ALLOC_FAILURE", part356); + + var part357 = match("MESSAGE#331:NASD_DB_TABLE_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %(unknown), %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","DB TABLE CREATE FAILURE"), + dup22, + ])); + + var msg336 = msg("NASD_DB_TABLE_CREATE_FAILURE", part357); + + var msg337 = msg("NASD_DUPLICATE", dup138); + + var part358 = match("MESSAGE#333:NASD_EVLIB_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} with: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","EVLIB CREATE FAILURE"), + dup22, + ])); + + var msg338 = msg("NASD_EVLIB_CREATE_FAILURE", part358); + + var part359 = match("MESSAGE#334:NASD_EVLIB_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} value: %{result}, error: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","EVLIB EXIT FAILURE"), + dup22, + ])); + + var msg339 = msg("NASD_EVLIB_EXIT_FAILURE", part359); + + var part360 = match("MESSAGE#335:NASD_LOCAL_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate LOCAL module handle: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to allocate LOCAL module handle"), + dup22, + ])); + + var msg340 = msg("NASD_LOCAL_CREATE_FAILED", part360); + + var part361 = match("MESSAGE#336:NASD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be 
run as root", processor_chain([ + dup62, + dup21, + setc("event_description","NASD must be run as root"), + dup22, + ])); + + var msg341 = msg("NASD_NOT_ROOT", part361); + + var msg342 = msg("NASD_PID_FILE_LOCK", dup139); + + var msg343 = msg("NASD_PID_FILE_UPDATE", dup140); + + var part362 = match("MESSAGE#339:NASD_POST_CONFIGURE_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","POST CONFIGURE EVENT FAILED"), + dup22, + ])); + + var msg344 = msg("NASD_POST_CONFIGURE_EVENT_FAILED", part362); + + var part363 = match("MESSAGE#340:NASD_PPP_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","PPP READ FAILURE"), + dup22, + ])); + + var msg345 = msg("NASD_PPP_READ_FAILURE", part363); + + var part364 = match("MESSAGE#341:NASD_PPP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to send message"), + dup22, + ])); + + var msg346 = msg("NASD_PPP_SEND_FAILURE", part364); + + var part365 = match("MESSAGE#342:NASD_PPP_SEND_PARTIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send all of message: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to send all of message"), + dup22, + ])); + + var msg347 = msg("NASD_PPP_SEND_PARTIAL", part365); + + var part366 = match("MESSAGE#343:NASD_PPP_UNRECOGNIZED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unrecognized authentication protocol: %{protocol}", processor_chain([ + dup29, + dup21, + setc("event_description","Unrecognized authentication protocol"), + dup22, + ])); + + var msg348 = msg("NASD_PPP_UNRECOGNIZED", part366); + + var part367 = 
match("MESSAGE#344:NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} when allocating password for RADIUS: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS password allocation failure"), + dup22, + ])); + + var msg349 = msg("NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", part367); + + var part368 = match("MESSAGE#345:NASD_RADIUS_CONFIG_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS CONFIG FAILED"), + dup22, + ])); + + var msg350 = msg("NASD_RADIUS_CONFIG_FAILED", part368); + + var part369 = match("MESSAGE#346:NASD_RADIUS_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate RADIUS module handle: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to allocate RADIUS module handle"), + dup22, + ])); + + var msg351 = msg("NASD_RADIUS_CREATE_FAILED", part369); + + var part370 = match("MESSAGE#347:NASD_RADIUS_CREATE_REQUEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS CREATE REQUEST FAILED"), + dup22, + ])); + + var msg352 = msg("NASD_RADIUS_CREATE_REQUEST_FAILED", part370); + + var part371 = match("MESSAGE#348:NASD_RADIUS_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain hostname for outgoing RADIUS message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to obtain hostname for outgoing RADIUS message"), + dup22, + ])); + + var msg353 = msg("NASD_RADIUS_GETHOSTNAME_FAILED", part371); + + var part372 = match("MESSAGE#349:NASD_RADIUS_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown response from RADIUS server: %{result}", processor_chain([ + dup29, 
+ dup21, + setc("event_description","Unknown response from RADIUS server"), + dup22, + ])); + + var msg354 = msg("NASD_RADIUS_MESSAGE_UNEXPECTED", part372); + + var part373 = match("MESSAGE#350:NASD_RADIUS_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS OPEN FAILED"), + dup22, + ])); + + var msg355 = msg("NASD_RADIUS_OPEN_FAILED", part373); + + var part374 = match("MESSAGE#351:NASD_RADIUS_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS SELECT FAILED"), + dup22, + ])); + + var msg356 = msg("NASD_RADIUS_SELECT_FAILED", part374); + + var part375 = match("MESSAGE#352:NASD_RADIUS_SET_TIMER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS SET TIMER FAILED"), + dup22, + ])); + + var msg357 = msg("NASD_RADIUS_SET_TIMER_FAILED", part375); + + var part376 = match("MESSAGE#353:NASD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TRACE FILE OPEN FAILED"), + dup22, + ])); + + var msg358 = msg("NASD_TRACE_FILE_OPEN_FAILED", part376); + + var part377 = match("MESSAGE#354:NASD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","NASD Usage"), + dup22, + ])); + + var msg359 = msg("NASD_usage", part377); + + var part378 = match("MESSAGE#355:NOTICE", "nwparser.payload", "%{agent}: %{event_type}:%{action}: %{event_description}: The %{result}", processor_chain([ + dup20, + dup21, + dup22, + ])); + + var msg360 = msg("NOTICE", part378); + + var part379 = match("MESSAGE#356:PFE_FW_SYSLOG_IP", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ + dup20, + dup21, + dup81, + dup22, + ])); + + var msg361 = msg("PFE_FW_SYSLOG_IP", part379); + + var part380 = match("MESSAGE#357:PFE_FW_SYSLOG_IP:01", "nwparser.payload", "%{hostip->} %{hostname->} %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ + dup20, + dup21, + dup81, + dup22, + ])); + + var msg362 = msg("PFE_FW_SYSLOG_IP:01", part380); + + var select36 = linear_select([ + msg361, + msg362, + ]); + + var part381 = match("MESSAGE#358:PFE_NH_RESOLVE_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ + dup20, + dup21, + setc("event_description","Next-hop resolution requests throttled"), + dup22, + ])); + + var msg363 = msg("PFE_NH_RESOLVE_THROTTLED", part381); + + var part382 = match("MESSAGE#359:PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","PING TEST COMPLETED"), + dup22, + ])); + + var msg364 = msg("PING_TEST_COMPLETED", part382); + + var part383 = match("MESSAGE#360:PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","PING TEST FAILED"), + dup22, + ])); + + var msg365 = msg("PING_TEST_FAILED", part383); + + var part384 = match("MESSAGE#361:process_mode/2", "nwparser.p0", "%{} %{p0}"); + + var part385 = match("MESSAGE#361:process_mode/3_0", "nwparser.p0", "%{event_type}: %{p0}"); + + var part386 = 
match("MESSAGE#361:process_mode/3_1", "nwparser.p0", "%{event_type->} %{p0}"); + + var select37 = linear_select([ + part385, + part386, + ]); + + var part387 = match("MESSAGE#361:process_mode/4", "nwparser.p0", "%{}mode=%{protocol->} cmd=%{action->} master_mode=%{result}"); + + var all21 = all_match({ + processors: [ + dup38, + dup134, + part384, + select37, + part387, + ], + on_success: processor_chain([ + dup20, + dup21, + dup82, + dup22, + ]), + }); + + var msg366 = msg("process_mode", all21); + + var part388 = match("MESSAGE#362:process_mode:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ + dup20, + dup21, + dup82, + dup22, + ])); + + var msg367 = msg("process_mode:01", part388); + + var select38 = linear_select([ + msg366, + msg367, + ]); + + var part389 = match("MESSAGE#363:PWC_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} exiting with status %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","process exit with status"), + dup22, + ])); + + var msg368 = msg("PWC_EXIT", part389); + + var part390 = match("MESSAGE#364:PWC_HOLD_RELEASE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} released child %{child_pid->} from %{dclass_counter1->} state", processor_chain([ + dup20, + dup21, + setc("event_description","Process released child from state"), + dup22, + ])); + + var msg369 = msg("PWC_HOLD_RELEASE", part390); + + var part391 = match("MESSAGE#365:PWC_INVALID_RUNS_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}, not %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","invalid runs argument"), + dup22, + ])); + + var msg370 = msg("PWC_INVALID_RUNS_ARGUMENT", part391); + + var part392 = match("MESSAGE#366:PWC_INVALID_TIMEOUT_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","INVALID TIMEOUT ARGUMENT"), + dup22, + ])); + + var msg371 = msg("PWC_INVALID_TIMEOUT_ARGUMENT", part392); + + var part393 = match("MESSAGE#367:PWC_KILLED_BY_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} received terminating signal", processor_chain([ + dup20, + dup21, + setc("event_description","pwc process received terminating signal"), + dup22, + ])); + + var msg372 = msg("PWC_KILLED_BY_SIGNAL", part393); + + var part394 = match("MESSAGE#368:PWC_KILL_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc is sending %{resultcode->} to child %{child_pid}", processor_chain([ + dup29, + dup21, + setc("event_description","pwc is sending kill event to child"), + dup22, + ])); + + var msg373 = msg("PWC_KILL_EVENT", part394); + + var part395 = match("MESSAGE#369:PWC_KILL_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to kill process %{child_pid}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to kill process"), + dup22, + ])); + + var msg374 = msg("PWC_KILL_FAILED", part395); + + var part396 = match("MESSAGE#370:PWC_KQUEUE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: kevent failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","kevent failed"), + dup22, + ])); + + var msg375 = msg("PWC_KQUEUE_ERROR", part396); + + var part397 = match("MESSAGE#371:PWC_KQUEUE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create kqueue: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to create kqueue"), + dup22, + ])); + + var msg376 = msg("PWC_KQUEUE_INIT", part397); + + var part398 = match("MESSAGE#372:PWC_KQUEUE_REGISTER_FILTER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to register kqueue filter: 
%{agent->} for purpose: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to register kqueue filter"), + dup22, + ])); + + var msg377 = msg("PWC_KQUEUE_REGISTER_FILTER", part398); + + var part399 = match("MESSAGE#373:PWC_LOCKFILE_BAD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file has bad format: %{agent}", processor_chain([ + dup29, + dup21, + setc("event_description","PID lock file has bad format"), + dup22, + ])); + + var msg378 = msg("PWC_LOCKFILE_BAD_FORMAT", part399); + + var part400 = match("MESSAGE#374:PWC_LOCKFILE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file had error: %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","PID lock file error"), + dup22, + ])); + + var msg379 = msg("PWC_LOCKFILE_ERROR", part400); + + var part401 = match("MESSAGE#375:PWC_LOCKFILE_MISSING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not found: %{agent}", processor_chain([ + dup29, + dup21, + setc("event_description","PID lock file not found"), + dup22, + ])); + + var msg380 = msg("PWC_LOCKFILE_MISSING", part401); + + var part402 = match("MESSAGE#376:PWC_LOCKFILE_NOT_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not locked: %{agent}", processor_chain([ + dup29, + dup21, + setc("event_description","PID lock file not locked"), + dup22, + ])); + + var msg381 = msg("PWC_LOCKFILE_NOT_LOCKED", part402); + + var part403 = match("MESSAGE#377:PWC_NO_PROCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No process specified", processor_chain([ + dup29, + dup21, + setc("event_description","No process specified for PWC"), + dup22, + ])); + + var msg382 = msg("PWC_NO_PROCESS", part403); + + var part404 = match("MESSAGE#378:PWC_PROCESS_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} child %{child_pid->} exited with 
status %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","pwc process exited with status"), + dup22, + ])); + + var msg383 = msg("PWC_PROCESS_EXIT", part404); + + var part405 = match("MESSAGE#379:PWC_PROCESS_FORCED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} forcing hold down of child %{child_pid->} until signal", processor_chain([ + dup20, + dup21, + setc("event_description","Process forcing hold down of child until signalled"), + dup22, + ])); + + var msg384 = msg("PWC_PROCESS_FORCED_HOLD", part405); + + var part406 = match("MESSAGE#380:PWC_PROCESS_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} until signal", processor_chain([ + dup20, + dup21, + setc("event_description","Process holding down child until signalled"), + dup22, + ])); + + var msg385 = msg("PWC_PROCESS_HOLD", part406); + + var part407 = match("MESSAGE#381:PWC_PROCESS_HOLD_SKIPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} will not down child %{child_pid->} because of %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Process not holding down child"), + dup22, + ])); + + var msg386 = msg("PWC_PROCESS_HOLD_SKIPPED", part407); + + var part408 = match("MESSAGE#382:PWC_PROCESS_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create child process with pidpopen: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to create child process with pidpopen"), + dup22, + ])); + + var msg387 = msg("PWC_PROCESS_OPEN", part408); + + var part409 = match("MESSAGE#383:PWC_PROCESS_TIMED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Process holding down child"), + dup22, + ])); + + var msg388 = 
msg("PWC_PROCESS_TIMED_HOLD", part409); + + var part410 = match("MESSAGE#384:PWC_PROCESS_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child timed out %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Child process timed out"), + dup22, + ])); + + var msg389 = msg("PWC_PROCESS_TIMEOUT", part410); + + var part411 = match("MESSAGE#385:PWC_SIGNAL_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: signal(%{agent}) failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","signal failure"), + dup22, + ])); + + var msg390 = msg("PWC_SIGNAL_INIT", part411); + + var part412 = match("MESSAGE#386:PWC_SOCKET_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to connect socket to %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to connect socket to service"), + dup22, + ])); + + var msg391 = msg("PWC_SOCKET_CONNECT", part412); + + var part413 = match("MESSAGE#387:PWC_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create socket: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to create socket"), + dup22, + ])); + + var msg392 = msg("PWC_SOCKET_CREATE", part413); + + var part414 = match("MESSAGE#388:PWC_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to set socket option %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to set socket option"), + dup22, + ])); + + var msg393 = msg("PWC_SOCKET_OPTION", part414); + + var part415 = match("MESSAGE#389:PWC_STDOUT_WRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Write to stdout failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Write to stdout failed"), + dup22, + ])); + + var msg394 = msg("PWC_STDOUT_WRITE", part415); + + var part416 = 
match("MESSAGE#390:PWC_SYSTEM_CALL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","PWC SYSTEM CALL"), + dup22, + ])); + + var msg395 = msg("PWC_SYSTEM_CALL", part416); + + var part417 = match("MESSAGE#391:PWC_UNKNOWN_KILL_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown kill option [%{agent}]", processor_chain([ + dup29, + dup21, + setc("event_description","Unknown kill option"), + dup22, + ])); + + var msg396 = msg("PWC_UNKNOWN_KILL_OPTION", part417); + + var part418 = match("MESSAGE#392:RMOPD_ADDRESS_MULTICAST_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Multicast address is not allowed", processor_chain([ + dup29, + dup21, + setc("event_description","Multicast address not allowed"), + dup22, + ])); + + var msg397 = msg("RMOPD_ADDRESS_MULTICAST_INVALID", part418); + + var part419 = match("MESSAGE#393:RMOPD_ADDRESS_SOURCE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Source address invalid: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RMOPD ADDRESS SOURCE INVALID"), + dup22, + ])); + + var msg398 = msg("RMOPD_ADDRESS_SOURCE_INVALID", part419); + + var part420 = match("MESSAGE#394:RMOPD_ADDRESS_STRING_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to convert numeric address to string: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to convert numeric address to string"), + dup22, + ])); + + var msg399 = msg("RMOPD_ADDRESS_STRING_FAILURE", part420); + + var part421 = match("MESSAGE#395:RMOPD_ADDRESS_TARGET_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rmop_util_set_address status message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","rmop_util_set_address status message invalid"), + dup22, + ])); + + var msg400 = 
msg("RMOPD_ADDRESS_TARGET_INVALID", part421); + + var msg401 = msg("RMOPD_DUPLICATE", dup138); + + var part422 = match("MESSAGE#397:RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Only IPv4 source address is supported", processor_chain([ + dup29, + dup21, + setc("event_description","Only IPv4 source address is supported"), + dup22, + ])); + + var msg402 = msg("RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", part422); + + var part423 = match("MESSAGE#398:RMOPD_ICMP_SENDMSG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{fld1}: No route to host", processor_chain([ + dup29, + dup21, + setc("event_description","No route to host"), + dup22, + ])); + + var msg403 = msg("RMOPD_ICMP_SENDMSG_FAILURE", part423); + + var part424 = match("MESSAGE#399:RMOPD_IFINDEX_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifindex: %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","IFINDEX NOT ACTIVE"), + dup22, + ])); + + var msg404 = msg("RMOPD_IFINDEX_NOT_ACTIVE", part424); + + var part425 = match("MESSAGE#400:RMOPD_IFINDEX_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","IFINDEX NO INFO"), + dup22, + ])); + + var msg405 = msg("RMOPD_IFINDEX_NO_INFO", part425); + + var part426 = match("MESSAGE#401:RMOPD_IFNAME_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifname: %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","RMOPD IFNAME NOT ACTIVE"), + dup22, + ])); + + var msg406 = msg("RMOPD_IFNAME_NOT_ACTIVE", part426); + + var part427 = match("MESSAGE#402:RMOPD_IFNAME_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","IFNAME NO INFO"), + dup22, + 
])); + + var msg407 = msg("RMOPD_IFNAME_NO_INFO", part427); + + var part428 = match("MESSAGE#403:RMOPD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup62, + dup21, + setc("event_description","RMOPD Must be run as root"), + dup22, + ])); + + var msg408 = msg("RMOPD_NOT_ROOT", part428); + + var part429 = match("MESSAGE#404:RMOPD_ROUTING_INSTANCE_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for routing instance %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","No information for routing instance"), + dup22, + ])); + + var msg409 = msg("RMOPD_ROUTING_INSTANCE_NO_INFO", part429); + + var part430 = match("MESSAGE#405:RMOPD_TRACEROUTE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TRACEROUTE ERROR"), + dup22, + ])); + + var msg410 = msg("RMOPD_TRACEROUTE_ERROR", part430); + + var part431 = match("MESSAGE#406:RMOPD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","RMOPD usage"), + dup22, + ])); + + var msg411 = msg("RMOPD_usage", part431); + + var part432 = match("MESSAGE#407:RPD_ABORT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD ABORT"), + dup22, + ])); + + var msg412 = msg("RPD_ABORT", part432); + + var part433 = match("MESSAGE#408:RPD_ACTIVE_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Exiting with active tasks: %{agent}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD exiting with active tasks"), + dup22, + ])); + + var msg413 = msg("RPD_ACTIVE_TERMINATE", part433); + + var part434 = 
match("MESSAGE#409:RPD_ASSERT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Assertion failed %{resultcode}: file \"%(unknown)\", line %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD Assertion failed"), + dup22, + ])); + + var msg414 = msg("RPD_ASSERT", part434); + + var part435 = match("MESSAGE#410:RPD_ASSERT_SOFT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Soft assertion failed %{resultcode}: file \"%(unknown)\", line %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD Soft assertion failed"), + dup22, + ])); + + var msg415 = msg("RPD_ASSERT_SOFT", part435); + + var part436 = match("MESSAGE#411:RPD_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}", processor_chain([ + dup20, + dup21, + setc("event_description","RPD EXIT"), + dup22, + ])); + + var msg416 = msg("RPD_EXIT", part436); + + var msg417 = msg("RPD_IFL_INDEXCOLLISION", dup144); + + var msg418 = msg("RPD_IFL_NAMECOLLISION", dup144); + + var part437 = match("MESSAGE#414:RPD_ISIS_ADJDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS lost %{dclass_counter1->} adjacency to %{dclass_counter2->} on %{interface}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","IS-IS lost adjacency"), + dup22, + ])); + + var msg419 = msg("RPD_ISIS_ADJDOWN", part437); + + var part438 = match("MESSAGE#415:RPD_ISIS_ADJUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","IS-IS new adjacency"), + dup22, + ])); + + var msg420 = msg("RPD_ISIS_ADJUP", part438); + + var part439 = match("MESSAGE#416:RPD_ISIS_ADJUPNOIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to 
%{dclass_counter2->} %{interface->} without an address", processor_chain([ + dup29, + dup21, + setc("event_description","IS-IS new adjacency without an address"), + dup22, + ])); + + var msg421 = msg("RPD_ISIS_ADJUPNOIP", part439); + + var part440 = match("MESSAGE#417:RPD_ISIS_LSPCKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS %{dclass_counter1->} LSP checksum error, interface %{interface}, LSP id %{id}, sequence %{dclass_counter2}, checksum %{resultcode}, lifetime %{fld2}", processor_chain([ + dup29, + dup21, + setc("event_description","IS-IS LSP checksum error on iterface"), + dup22, + ])); + + var msg422 = msg("RPD_ISIS_LSPCKSUM", part440); + + var part441 = match("MESSAGE#418:RPD_ISIS_OVERLOAD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS database overload", processor_chain([ + dup29, + dup21, + setc("event_description","IS-IS database overload"), + dup22, + ])); + + var msg423 = msg("RPD_ISIS_OVERLOAD", part441); + + var part442 = match("MESSAGE#419:RPD_KRT_AFUNSUPRT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: received %{agent->} message with unsupported address family %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","message with unsupported address family received"), + dup22, + ])); + + var msg424 = msg("RPD_KRT_AFUNSUPRT", part442); + + var part443 = match("MESSAGE#420:RPD_KRT_CCC_IFL_MODIFY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, error", processor_chain([ + dup29, + dup21, + setc("event_description","RPD KRT CCC IFL MODIFY"), + dup22, + ])); + + var msg425 = msg("RPD_KRT_CCC_IFL_MODIFY", part443); + + var part444 = match("MESSAGE#421:RPD_KRT_DELETED_RTT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: received deleted routing table from the kernel for family %{dclass_counter1->} table ID %{dclass_counter2}", processor_chain([ + dup29, + dup21, + 
setc("event_description","received deleted routing table from kernel"), + dup22, + ])); + + var msg426 = msg("RPD_KRT_DELETED_RTT", part444); + + var part445 = match("MESSAGE#422:RPD_KRT_IFA_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifa generation mismatch -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ifa generation mismatch"), + dup22, + ])); + + var msg427 = msg("RPD_KRT_IFA_GENERATION", part445); + + var part446 = match("MESSAGE#423:RPD_KRT_IFDCHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} CHANGE for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ + dup29, + dup21, + setc("event_description","CHANGE for ifd failed"), + dup22, + ])); + + var msg428 = msg("RPD_KRT_IFDCHANGE", part446); + + var part447 = match("MESSAGE#424:RPD_KRT_IFDEST_GET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} SERVICE: %{service->} for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ + dup29, + dup21, + setc("event_description","GET SERVICE failure on interface"), + dup22, + ])); + + var msg429 = msg("RPD_KRT_IFDEST_GET", part447); + + var part448 = match("MESSAGE#425:RPD_KRT_IFDGET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} GET index for ifd interface failed, error \"%{result}\"", processor_chain([ + dup29, + dup21, + setc("event_description","GET index for ifd interface failed"), + dup22, + ])); + + var msg430 = msg("RPD_KRT_IFDGET", part448); + + var part449 = match("MESSAGE#426:RPD_KRT_IFD_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifd %{dclass_counter1->} generation mismatch -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ifd generation mismatch"), + dup22, + ])); + + var msg431 = msg("RPD_KRT_IFD_GENERATION", part449); + + var part450 = match("MESSAGE#427:RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","KRT IFL CELL RELAY MODE INVALID"), + dup22, + ])); + + var msg432 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", part450); + + var part451 = match("MESSAGE#428:RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","KRT IFL CELL RELAY MODE UNSPECIFIED"), + dup22, + ])); + + var msg433 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", part451); + + var part452 = match("MESSAGE#429:RPD_KRT_IFL_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl %{interface->} generation mismatch -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ifl generation mismatch"), + dup22, + ])); + + var msg434 = msg("RPD_KRT_IFL_GENERATION", part452); + + var part453 = match("MESSAGE#430:RPD_KRT_KERNEL_BAD_ROUTE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: lost %{interface->} %{dclass_counter1->} for route %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","lost interface for route"), + dup22, + ])); + + var msg435 = msg("RPD_KRT_KERNEL_BAD_ROUTE", part453); + + var part454 = match("MESSAGE#431:RPD_KRT_NEXTHOP_OVERFLOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: number of next hops (%{dclass_counter1}) exceeded the maximum allowed (%{dclass_counter2}) -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","number of next hops exceeded the maximum"), + dup22, + ])); + + var msg436 = msg("RPD_KRT_NEXTHOP_OVERFLOW", part454); + + var part455 = match("MESSAGE#432:RPD_KRT_NOIFD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No device %{dclass_counter1->} for interface %{interface}", processor_chain([ + dup29, + dup21, + 
setc("event_description","No device for interface"), + dup22, + ])); + + var msg437 = msg("RPD_KRT_NOIFD", part455); + + var part456 = match("MESSAGE#433:RPD_KRT_UNKNOWN_RTT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: received routing table message for unknown table with kernel ID %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","received routing table message for unknown table"), + dup22, + ])); + + var msg438 = msg("RPD_KRT_UNKNOWN_RTT", part456); + + var part457 = match("MESSAGE#434:RPD_KRT_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket version mismatch (%{info}) -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Routing socket version mismatch"), + dup22, + ])); + + var msg439 = msg("RPD_KRT_VERSION", part457); + + var part458 = match("MESSAGE#435:RPD_KRT_VERSIONNONE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is not supported by kernel, %{info->} -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Routing socket message type not supported by kernel"), + dup22, + ])); + + var msg440 = msg("RPD_KRT_VERSIONNONE", part458); + + var part459 = match("MESSAGE#436:RPD_KRT_VERSIONOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is older than expected (%{info}) -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Routing socket message type version is older than expected"), + dup22, + ])); + + var msg441 = msg("RPD_KRT_VERSIONOLD", part459); + + var part460 = match("MESSAGE#437:RPD_LDP_INTF_BLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate session ID detected from %{daddr}, interface %{interface}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Duplicate session ID detected"), + dup22, + ])); 
+ + var msg442 = msg("RPD_LDP_INTF_BLOCKED", part460); + + var part461 = match("MESSAGE#438:RPD_LDP_INTF_UNBLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP interface %{interface->} is now %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","LDP interface now unblocked"), + dup22, + ])); + + var msg443 = msg("RPD_LDP_INTF_UNBLOCKED", part461); + + var part462 = match("MESSAGE#439:RPD_LDP_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ + setc("eventcategory","1603030000"), + dup21, + setc("event_description","LDP neighbor down"), + dup22, + ])); + + var msg444 = msg("RPD_LDP_NBRDOWN", part462); + + var part463 = match("MESSAGE#440:RPD_LDP_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","LDP neighbor up"), + dup22, + ])); + + var msg445 = msg("RPD_LDP_NBRUP", part463); + + var part464 = match("MESSAGE#441:RPD_LDP_SESSIONDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is down, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","LDP session down"), + dup22, + ])); + + var msg446 = msg("RPD_LDP_SESSIONDOWN", part464); + + var part465 = match("MESSAGE#442:RPD_LDP_SESSIONUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is up", processor_chain([ + dup20, + dup21, + setc("event_description","LDP session up"), + dup22, + ])); + + var msg447 = msg("RPD_LDP_SESSIONUP", part465); + + var part466 = match("MESSAGE#443:RPD_LOCK_FLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to obtain a lock"), + dup22, + ])); + + var msg448 = 
msg("RPD_LOCK_FLOCKED", part466); + + var part467 = match("MESSAGE#444:RPD_LOCK_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to obtain service lock"), + dup22, + ])); + + var msg449 = msg("RPD_LOCK_LOCKED", part467); + + var part468 = match("MESSAGE#445:RPD_MPLS_LSP_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","MPLS LSP CHANGE"), + dup22, + ])); + + var msg450 = msg("RPD_MPLS_LSP_CHANGE", part468); + + var part469 = match("MESSAGE#446:RPD_MPLS_LSP_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MPLS LSP DOWN"), + dup22, + ])); + + var msg451 = msg("RPD_MPLS_LSP_DOWN", part469); + + var part470 = match("MESSAGE#447:RPD_MPLS_LSP_SWITCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}, Route %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","MPLS LSP SWITCH"), + dup22, + ])); + + var msg452 = msg("RPD_MPLS_LSP_SWITCH", part470); + + var part471 = match("MESSAGE#448:RPD_MPLS_LSP_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","MPLS LSP UP"), + dup22, + ])); + + var msg453 = msg("RPD_MPLS_LSP_UP", part471); + + var part472 = match("MESSAGE#449:RPD_MSDP_PEER_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MSDP PEER DOWN"), + dup22, + ])); + + var msg454 = msg("RPD_MSDP_PEER_DOWN", part472); + + var part473 = match("MESSAGE#450:RPD_MSDP_PEER_UP", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","MSDP PEER UP"), + dup22, + ])); + + var msg455 = msg("RPD_MSDP_PEER_UP", part473); + + var part474 = match("MESSAGE#451:RPD_OSPF_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","OSPF neighbor down"), + dup22, + ])); + + var msg456 = msg("RPD_OSPF_NBRDOWN", part474); + + var part475 = match("MESSAGE#452:RPD_OSPF_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","OSPF neighbor up"), + dup22, + ])); + + var msg457 = msg("RPD_OSPF_NBRUP", part475); + + var part476 = match("MESSAGE#453:RPD_OS_MEMHIGH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using %{dclass_counter1->} KB of memory, %{info}", processor_chain([ + dup50, + dup21, + setc("event_description","OS MEMHIGH"), + dup22, + ])); + + var msg458 = msg("RPD_OS_MEMHIGH", part476); + + var part477 = match("MESSAGE#454:RPD_PIM_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM neighbor %{daddr->} timeout interface %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","PIM neighbor down"), + setc("result","timeout"), + dup22, + ])); + + var msg459 = msg("RPD_PIM_NBRDOWN", part477); + + var part478 = match("MESSAGE#455:RPD_PIM_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM new neighbor %{daddr->} interface %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","PIM neighbor up"), + dup22, + ])); + + var msg460 = msg("RPD_PIM_NBRUP", part478); + + var part479 = match("MESSAGE#456:RPD_RDISC_CKSUM", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Bad checksum for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Bad checksum for router solicitation"), + dup22, + ])); + + var msg461 = msg("RPD_RDISC_CKSUM", part479); + + var part480 = match("MESSAGE#457:RPD_RDISC_NOMULTI", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring interface %{dclass_counter1->} on %{interface->} -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Ignoring interface"), + dup22, + ])); + + var msg462 = msg("RPD_RDISC_NOMULTI", part480); + + var part481 = match("MESSAGE#458:RPD_RDISC_NORECVIF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to locate interface for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to locate interface for router"), + dup22, + ])); + + var msg463 = msg("RPD_RDISC_NORECVIF", part481); + + var part482 = match("MESSAGE#459:RPD_RDISC_SOLICITADDR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Expected multicast (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Expected multicast for router solicitation"), + dup22, + ])); + + var msg464 = msg("RPD_RDISC_SOLICITADDR", part482); + + var part483 = match("MESSAGE#460:RPD_RDISC_SOLICITICMP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Nonzero ICMP code (%{resultcode}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Nonzero ICMP code for router solicitation"), + dup22, + ])); + + var msg465 = msg("RPD_RDISC_SOLICITICMP", part483); + + var part484 = match("MESSAGE#461:RPD_RDISC_SOLICITLEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Insufficient length (%{dclass_counter1}) for router solicitation from %{saddr->} 
to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Insufficient length for router solicitation"), + dup22, + ])); + + var msg466 = msg("RPD_RDISC_SOLICITLEN", part484); + + var part485 = match("MESSAGE#462:RPD_RIP_AUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Update with invalid authentication from %{saddr->} (%{interface})", processor_chain([ + dup29, + dup21, + setc("event_description","RIP update with invalid authentication"), + dup22, + ])); + + var msg467 = msg("RPD_RIP_AUTH", part485); + + var part486 = match("MESSAGE#463:RPD_RIP_JOIN_BROADCAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get broadcast address %{interface}; %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RIP - unable to get broadcast address"), + dup22, + ])); + + var msg468 = msg("RPD_RIP_JOIN_BROADCAST", part486); + + var part487 = match("MESSAGE#464:RPD_RIP_JOIN_MULTICAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to join multicast group %{interface}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RIP - Unable to join multicast group"), + dup22, + ])); + + var msg469 = msg("RPD_RIP_JOIN_MULTICAST", part487); + + var part488 = match("MESSAGE#465:RPD_RT_IFUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: UP route for interface %{interface->} index %{dclass_counter1->} %{saddr}/%{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","RIP interface up"), + dup22, + ])); + + var msg470 = msg("RPD_RT_IFUP", part488); + + var msg471 = msg("RPD_SCHED_CALLBACK_LONGRUNTIME", dup145); + + var part489 = match("MESSAGE#467:RPD_SCHED_CUMULATIVE_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime (%{result}) after action of module", processor_chain([ + dup29, + dup21, + setc("event_description","excessive runtime after action of module"), + 
dup22, + ])); + + var msg472 = msg("RPD_SCHED_CUMULATIVE_LONGRUNTIME", part489); + + var msg473 = msg("RPD_SCHED_MODULE_LONGRUNTIME", dup145); + + var part490 = match("MESSAGE#469:RPD_SCHED_TASK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} ran for %{dclass_counter1}(%{dclass_counter2})", processor_chain([ + dup29, + dup21, + setc("event_description","task extended runtime"), + dup22, + ])); + + var msg474 = msg("RPD_SCHED_TASK_LONGRUNTIME", part490); + + var part491 = match("MESSAGE#470:RPD_SIGNAL_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} termination signal received", processor_chain([ + dup29, + dup21, + setc("event_description","termination signal received for service"), + dup22, + ])); + + var msg475 = msg("RPD_SIGNAL_TERMINATE", part491); + + var part492 = match("MESSAGE#471:RPD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Start %{dclass_counter1->} version version built %{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","version built"), + dup22, + ])); + + var msg476 = msg("RPD_START", part492); + + var part493 = match("MESSAGE#472:RPD_SYSTEM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: detail: %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","system command"), + dup22, + ])); + + var msg477 = msg("RPD_SYSTEM", part493); + + var part494 = match("MESSAGE#473:RPD_TASK_BEGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commencing routing updates, version %{dclass_counter1}, built %{dclass_counter2->} by builder", processor_chain([ + dup20, + dup21, + setc("event_description","Commencing routing updates"), + dup22, + ])); + + var msg478 = msg("RPD_TASK_BEGIN", part494); + + var part495 = match("MESSAGE#474:RPD_TASK_CHILDKILLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ + dup20, + 
dup21, + setc("event_description","task killed by signal"), + dup22, + ])); + + var msg479 = msg("RPD_TASK_CHILDKILLED", part495); + + var part496 = match("MESSAGE#475:RPD_TASK_CHILDSTOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","task stopped by signal"), + dup22, + ])); + + var msg480 = msg("RPD_TASK_CHILDSTOPPED", part496); + + var part497 = match("MESSAGE#476:RPD_TASK_FORK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork task: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to fork task"), + dup22, + ])); + + var msg481 = msg("RPD_TASK_FORK", part497); + + var part498 = match("MESSAGE#477:RPD_TASK_GETWD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: getwd: %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","RPD TASK GETWD"), + dup22, + ])); + + var msg482 = msg("RPD_TASK_GETWD", part498); + + var part499 = match("MESSAGE#478:RPD_TASK_NOREINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialization not possible", processor_chain([ + dup29, + dup21, + setc("event_description","Reinitialization not possible"), + dup22, + ])); + + var msg483 = msg("RPD_TASK_NOREINIT", part499); + + var part500 = match("MESSAGE#479:RPD_TASK_PIDCLOSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to close and remove %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to close and remove task"), + dup22, + ])); + + var msg484 = msg("RPD_TASK_PIDCLOSED", part500); + + var part501 = match("MESSAGE#480:RPD_TASK_PIDFLOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: flock(%{agent}, %{action}): %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD TASK PIDFLOCK"), + dup22, + ])); + + var msg485 = msg("RPD_TASK_PIDFLOCK", 
part501); + + var part502 = match("MESSAGE#481:RPD_TASK_PIDWRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to write %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to write"), + dup22, + ])); + + var msg486 = msg("RPD_TASK_PIDWRITE", part502); + + var msg487 = msg("RPD_TASK_REINIT", dup146); + + var part503 = match("MESSAGE#483:RPD_TASK_SIGNALIGNORE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sigaction(%{result}): %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","ignoring task signal"), + dup22, + ])); + + var msg488 = msg("RPD_TASK_SIGNALIGNORE", part503); + + var part504 = match("MESSAGE#484:RT_COS", "nwparser.payload", "%{process}: %{event_type}: COS IPC op %{dclass_counter1->} (%{agent}) failed, err %{resultcode->} (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","COS IPC op failed"), + dup22, + ])); + + var msg489 = msg("RT_COS", part504); + + var part505 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/2", "nwparser.p0", "%{fld5}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{p0}"); + + var part506 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{fld10}\" dst-nat-rule-%{p0}"); + + var part507 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_0", "nwparser.p0", "type=%{fld21->} dst-nat-rule-name=\"%{fld11}\"%{p0}"); + + var part508 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_1", "nwparser.p0", "name=\"%{fld11}\"%{p0}"); + + var select39 = linear_select([ + part507, + part508, + ]); + + var part509 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/6", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{fld13}\" username=\"%{username}\" roles=\"%{fld15}\" 
packet-incoming-interface=\"%{p0}"); + + var part510 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_0", "nwparser.p0", "%{dinterface}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" encrypted=%{fld8->} %{p0}"); + + var select40 = linear_select([ + part510, + dup91, + ]); + + var all22 = all_match({ + processors: [ + dup86, + dup147, + part505, + dup148, + part506, + select39, + part509, + select40, + dup92, + ], + on_success: processor_chain([ + dup27, + dup52, + dup53, + dup21, + dup51, + ]), + }); + + var msg490 = msg("RT_FLOW_SESSION_CREATE:02", all22); + + var part511 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/1_0", "nwparser.p0", "%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-type=\"%{fld20}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-type=\"%{fld10}\" dst-nat-rule-name=\"%{rule_template}\"%{p0}"); + + var part512 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/1_1", "nwparser.p0", "%{dport}\"%{p0}"); + + var select41 = linear_select([ + part511, + part512, + ]); + + var part513 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/2", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{p0}"); + + var part514 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/3_0", "nwparser.p0", "%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" username=\"%{username}\" roles=\"%{fld50}\" packet-incoming-interface=\"%{dinterface}\" application=\"%{application}\" nested-application=\"%{fld7}\" encrypted=\"%{fld8}\"%{p0}"); + + var part515 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/3_1", "nwparser.p0", "%{policyname}\"%{p0}"); + + var select42 = linear_select([ + part514, + part515, + ]); + + var all23 = all_match({ + processors: [ + dup86, + select41, + part513, + select42, + dup92, + ], + on_success: processor_chain([ + dup27, + dup52, + dup53, + 
dup21, + dup51, + ]), + }); + + var msg491 = msg("RT_FLOW_SESSION_CREATE", all23); + + var part516 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_0", "nwparser.payload", "%{process}: %{event_type}: session created%{p0}"); + + var part517 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_1", "nwparser.payload", "%{event_type}: session created%{p0}"); + + var select43 = linear_select([ + part516, + part517, + ]); + + var part518 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/1", "nwparser.p0", "%{} %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{p0}"); + + var part519 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_0", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{protocol->} %{fld15->} UNKNOWN UNKNOWN "); + + var part520 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_1", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{fld15->} "); + + var part521 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_2", "nwparser.p0", "%{info->} "); + + var select44 = linear_select([ + part519, + part520, + part521, + ]); + + var all24 = all_match({ + processors: [ + select43, + part518, + select44, + ], + on_success: processor_chain([ + dup27, + dup52, + dup53, + dup21, + setc("event_description","session created"), + dup22, + ]), + }); + + var msg492 = msg("RT_FLOW_SESSION_CREATE:01", all24); + + var select45 = linear_select([ + msg490, + msg491, + msg492, + ]); + + var part522 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/2", "nwparser.p0", "%{fld5}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" 
username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{p0}"); + + var part523 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_0", "nwparser.p0", "%{dinterface}\" encrypted=\"%{fld16}\" reason=\"%{result}\" src-vrf-grp=\"%{fld99}\" dst-vrf-grp=\"%{fld98}\"%{p0}"); + + var part524 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_1", "nwparser.p0", "%{dinterface}\" encrypted=%{fld16->} reason=\"%{result}\"%{p0}"); + + var select46 = linear_select([ + part523, + part524, + dup91, + ]); + + var all25 = all_match({ + processors: [ + dup86, + dup147, + part522, + select46, + dup92, + ], + on_success: processor_chain([ + dup93, + dup52, + dup94, + dup21, + dup51, + ]), + }); + + var msg493 = msg("RT_FLOW_SESSION_DENY:02", all25); + + var part525 = match("MESSAGE#489:RT_FLOW_SESSION_DENY", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\"]", processor_chain([ + dup93, + dup52, + dup94, + dup21, + dup51, + ])); + + var msg494 = msg("RT_FLOW_SESSION_DENY", part525); + + var part526 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/1", "nwparser.p0", "%{} %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone->} HTTP %{info}"); + + var all26 = all_match({ + processors: [ + dup149, + part526, + ], + on_success: processor_chain([ + dup26, + dup52, + dup94, + dup21, + dup97, + dup22, + ]), + }); + + var msg495 = msg("RT_FLOW_SESSION_DENY:03", all26); + + var part527 = match("MESSAGE#491:RT_FLOW_SESSION_DENY:01/1", "nwparser.p0", "%{} %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone}"); + + var all27 = all_match({ + processors: [ + dup149, + part527, + ], + on_success: processor_chain([ + dup26, + dup52, + dup94, + dup21, + dup97, + dup22, + ]), + }); + + var msg496 = 
msg("RT_FLOW_SESSION_DENY:01", all27); + + var select47 = linear_select([ + msg493, + msg494, + msg495, + msg496, + ]); + + var part528 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/6", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{p0}"); + + var part529 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_0", "nwparser.p0", "%{duration}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); + + var part530 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_1", "nwparser.p0", "%{duration}\"%{p0}"); + + var select48 = linear_select([ + part529, + part530, + ]); + + var all28 = all_match({ + processors: [ + dup98, + dup147, + dup99, + dup148, + dup100, + dup150, + part528, + select48, + dup92, + ], + on_success: processor_chain([ + dup26, + dup52, + dup54, + dup103, + dup21, + dup51, + ]), + }); + + var msg497 = msg("RT_FLOW_SESSION_CLOSE:01", all28); + + var part531 = match("MESSAGE#493:RT_FLOW_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" inbound-packets=\"%{packets}\" inbound-bytes=\"%{rbytes}\" outbound-packets=\"%{dclass_counter1}\" outbound-bytes=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup26, + dup52, + dup54, + dup21, + dup51, + ])); + + var msg498 = msg("RT_FLOW_SESSION_CLOSE", part531); + + var part532 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_0", "nwparser.payload", "%{process}: %{event_type}: session 
closed%{p0}"); + + var part533 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_1", "nwparser.payload", "%{event_type}: session closed%{p0}"); + + var select49 = linear_select([ + part532, + part533, + ]); + + var part534 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/1", "nwparser.p0", "%{} %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{info}"); + + var all29 = all_match({ + processors: [ + select49, + part534, + ], + on_success: processor_chain([ + dup26, + dup52, + dup54, + dup21, + setc("event_description","session closed"), + dup22, + ]), + }); + + var msg499 = msg("RT_FLOW_SESSION_CLOSE:02", all29); + + var part535 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/6", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" %{p0}"); + + var part536 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_0", "nwparser.p0", " elapsed-time=\"%{duration}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); + + var part537 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_1", "nwparser.p0", " elapsed-time=\"%{duration}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{dinterface}\" %{p0}"); + + var part538 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_2", "nwparser.p0", "elapsed-time=\"%{duration}\"%{p0}"); + + var select50 = linear_select([ + part536, + part537, + part538, + ]); + + var part539 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/8", "nwparser.p0", "] session closed %{fld60}: %{fld51}/%{fld52}->%{fld53}/%{fld54->} %{fld55->} 
%{fld56}/%{fld57}->%{fld58}/%{fld59->} %{info}"); + + var all30 = all_match({ + processors: [ + dup98, + dup147, + dup99, + dup148, + dup100, + dup150, + part535, + select50, + part539, + ], + on_success: processor_chain([ + dup26, + dup52, + dup54, + dup103, + dup21, + dup51, + dup60, + ]), + }); + + var msg500 = msg("RT_FLOW_SESSION_CLOSE:03", all30); + + var select51 = linear_select([ + msg497, + msg498, + msg499, + msg500, + ]); + + var part540 = match("MESSAGE#496:RT_SCREEN_IP", "nwparser.payload", "%{process}: %{event_type}: Fragmented traffic! source:%{saddr}, destination: %{daddr}, protocol-id: %{protocol}, zone name: %{zone}, interface name: %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","Fragmented traffic"), + dup22, + ])); + + var msg501 = msg("RT_SCREEN_IP", part540); + + var part541 = match("MESSAGE#497:RT_SCREEN_IP:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" protocol-id=\"%{protocol}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var msg502 = msg("RT_SCREEN_IP:01", part541); + + var select52 = linear_select([ + msg501, + msg502, + ]); + + var msg503 = msg("RT_SCREEN_TCP", dup151); + + var part542 = match("MESSAGE#499:RT_SCREEN_SESSION_LIMIT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" message=\"%{info}\" ip-address=\"%{hostip}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var msg504 = msg("RT_SCREEN_SESSION_LIMIT", part542); + + var msg505 = msg("RT_SCREEN_UDP", dup151); + + var part543 = match("MESSAGE#501:SERVICED_CLIENT_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: attempt to connect to interface failed with error: %{result}", 
processor_chain([ + dup26, + dup21, + setc("event_description","attempt to connect to interface failed"), + dup22, + ])); + + var msg506 = msg("SERVICED_CLIENT_CONNECT", part543); + + var part544 = match("MESSAGE#502:SERVICED_CLIENT_DISCONNECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unexpected termination of connection to interface", processor_chain([ + dup26, + dup21, + setc("event_description","unexpected termination of connection"), + dup22, + ])); + + var msg507 = msg("SERVICED_CLIENT_DISCONNECTED", part544); + + var part545 = match("MESSAGE#503:SERVICED_CLIENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: client interface connection failure: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","client interface connection failure"), + dup22, + ])); + + var msg508 = msg("SERVICED_CLIENT_ERROR", part545); + + var part546 = match("MESSAGE#504:SERVICED_COMMAND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: remote command execution failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","remote command execution failed"), + dup22, + ])); + + var msg509 = msg("SERVICED_COMMAND_FAILED", part546); + + var part547 = match("MESSAGE#505:SERVICED_COMMIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: client failed to commit configuration with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","client commit configuration failed"), + dup22, + ])); + + var msg510 = msg("SERVICED_COMMIT_FAILED", part547); + + var part548 = match("MESSAGE#506:SERVICED_CONFIGURATION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: configuration process failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","configuration process failed"), + dup22, + ])); + + var msg511 = 
msg("SERVICED_CONFIGURATION_FAILED", part548); + + var part549 = match("MESSAGE#507:SERVICED_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SERVICED CONFIG ERROR"), + dup22, + ])); + + var msg512 = msg("SERVICED_CONFIG_ERROR", part549); + + var part550 = match("MESSAGE#508:SERVICED_CONFIG_FILE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} failed to read path with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","service failed to read path"), + dup22, + ])); + + var msg513 = msg("SERVICED_CONFIG_FILE", part550); + + var part551 = match("MESSAGE#509:SERVICED_CONNECTION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SERVICED CONNECTION ERROR"), + dup22, + ])); + + var msg514 = msg("SERVICED_CONNECTION_ERROR", part551); + + var part552 = match("MESSAGE#510:SERVICED_DISABLED_GGSN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: GGSN services disabled: object: %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","GGSN services disabled"), + dup22, + ])); + + var msg515 = msg("SERVICED_DISABLED_GGSN", part552); + + var msg516 = msg("SERVICED_DUPLICATE", dup138); + + var part553 = match("MESSAGE#512:SERVICED_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: event function %{dclass_counter2->} failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","event function failed"), + dup22, + ])); + + var msg517 = msg("SERVICED_EVENT_FAILED", part553); + + var part554 = match("MESSAGE#513:SERVICED_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: initialization failed with error: %{result}", processor_chain([ + dup29, + dup21, + 
setc("event_description","service initialization failed"), + dup22, + ])); + + var msg518 = msg("SERVICED_INIT_FAILED", part554); + + var part555 = match("MESSAGE#514:SERVICED_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed to allocate [%{dclass_counter2}] object [%{dclass_counter1->} bytes %{bytes}]: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","memory allocation failure"), + dup22, + ])); + + var msg519 = msg("SERVICED_MALLOC_FAILURE", part555); + + var part556 = match("MESSAGE#515:SERVICED_NETWORK_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","NETWORK FAILURE"), + dup22, + ])); + + var msg520 = msg("SERVICED_NETWORK_FAILURE", part556); + + var part557 = match("MESSAGE#516:SERVICED_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup62, + dup21, + setc("event_description","SERVICED must be run as root"), + dup22, + ])); + + var msg521 = msg("SERVICED_NOT_ROOT", part557); + + var msg522 = msg("SERVICED_PID_FILE_LOCK", dup139); + + var msg523 = msg("SERVICED_PID_FILE_UPDATE", dup140); + + var part558 = match("MESSAGE#519:SERVICED_RTSOCK_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: routing socket sequence error, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","routing socket sequence error"), + dup22, + ])); + + var msg524 = msg("SERVICED_RTSOCK_SEQUENCE", part558); + + var part559 = match("MESSAGE#520:SERVICED_SIGNAL_HANDLER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: set up of signal name handler failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","set up of signal name handler failed"), + dup22, + ])); + + var msg525 = 
msg("SERVICED_SIGNAL_HANDLER", part559); + + var part560 = match("MESSAGE#521:SERVICED_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket create failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","socket create failed with error"), + dup22, + ])); + + var msg526 = msg("SERVICED_SOCKET_CREATE", part560); + + var part561 = match("MESSAGE#522:SERVICED_SOCKET_IO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket function %{dclass_counter2->} failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","socket function failed"), + dup22, + ])); + + var msg527 = msg("SERVICED_SOCKET_IO", part561); + + var part562 = match("MESSAGE#523:SERVICED_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unable to set socket option %{dclass_counter2}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","unable to set socket option"), + dup22, + ])); + + var msg528 = msg("SERVICED_SOCKET_OPTION", part562); + + var part563 = match("MESSAGE#524:SERVICED_STDLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","STDLIB FAILURE"), + dup22, + ])); + + var msg529 = msg("SERVICED_STDLIB_FAILURE", part563); + + var part564 = match("MESSAGE#525:SERVICED_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Incorrect service usage"), + dup22, + ])); + + var msg530 = msg("SERVICED_USAGE", part564); + + var part565 = match("MESSAGE#526:SERVICED_WORK_INCONSISTENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: object has unexpected value %{result}", processor_chain([ + dup29, + dup21, + 
setc("event_description","object has unexpected value"), + dup22, + ])); + + var msg531 = msg("SERVICED_WORK_INCONSISTENCY", part565); + + var msg532 = msg("SSL_PROXY_SSL_SESSION_ALLOW", dup152); + + var msg533 = msg("SSL_PROXY_SSL_SESSION_DROP", dup152); + + var msg534 = msg("SSL_PROXY_SESSION_IGNORE", dup152); + + var part566 = match("MESSAGE#530:SNMP_NS_LOG_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NET-SNMP version %{version->} AgentX subagent connected", processor_chain([ + dup20, + dup21, + setc("event_description","AgentX subagent connected"), + dup60, + dup22, + ])); + + var msg535 = msg("SNMP_NS_LOG_INFO", part566); + + var part567 = match("MESSAGE#531:SNMP_SUBAGENT_IPC_REG_ROWS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ns_subagent_register_mibs: registering %{dclass_counter1->} rows", processor_chain([ + dup20, + dup21, + setc("event_description","ns_subagent registering rows"), + dup60, + dup22, + ])); + + var msg536 = msg("SNMP_SUBAGENT_IPC_REG_ROWS", part567); + + var part568 = match("MESSAGE#532:SNMPD_ACCESS_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} access group %{group}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD ACCESS GROUP ERROR"), + dup22, + ])); + + var msg537 = msg("SNMPD_ACCESS_GROUP_ERROR", part568); + + var part569 = match("MESSAGE#533:SNMPD_AUTH_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to unknown community name (%{pool_name})", processor_chain([ + dup29, + dup21, + dup104, + setc("result","unauthorized SNMP community to unknown community name"), + dup22, + ])); + + var msg538 = msg("SNMPD_AUTH_FAILURE", part569); + + var part570 = match("MESSAGE#534:SNMPD_AUTH_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed input interface authorization from %{daddr->} to 
unknown (%{pool_name})", processor_chain([ + dup29, + dup21, + dup104, + setc("result","failed input interface authorization to unknown"), + dup22, + ])); + + var msg539 = msg("SNMPD_AUTH_FAILURE:01", part570); + + var part571 = match("MESSAGE#535:SNMPD_AUTH_FAILURE:02", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to %{saddr->} (%{pool_name})", processor_chain([ + dup29, + dup21, + dup104, + setc("result","unauthorized SNMP community "), + dup22, + ])); + + var msg540 = msg("SNMPD_AUTH_FAILURE:02", part571); + + var part572 = match("MESSAGE#595:SNMPD_AUTH_FAILURE:03", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} function-name=\"%{fld1}\" message=\"%{info}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" index1=\"%{fld4}\"]", processor_chain([ + dup29, + dup21, + dup104, + dup60, + dup61, + ])); + + var msg541 = msg("SNMPD_AUTH_FAILURE:03", part572); + + var select53 = linear_select([ + msg538, + msg539, + msg540, + msg541, + ]); + + var part573 = match("MESSAGE#536:SNMPD_AUTH_PRIVILEGES_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: request exceeded community privileges", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP request exceeded community privileges"), + dup22, + ])); + + var msg542 = msg("SNMPD_AUTH_PRIVILEGES_EXCEEDED", part573); + + var part574 = match("MESSAGE#537:SNMPD_AUTH_RESTRICTED_ADDRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: request from address %{daddr->} not allowed", processor_chain([ + dup47, + dup21, + setc("event_description","SNMPD AUTH RESTRICTED ADDRESS"), + setc("result","request not allowed"), + dup22, + ])); + + var msg543 = msg("SNMPD_AUTH_RESTRICTED_ADDRESS", part574); + + var part575 = match("MESSAGE#538:SNMPD_AUTH_WRONG_PDU_TYPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: 
%{saddr}: unauthorized SNMP PDU type: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","unauthorized SNMP PDU type"), + dup22, + ])); + + var msg544 = msg("SNMPD_AUTH_WRONG_PDU_TYPE", part575); + + var part576 = match("MESSAGE#539:SNMPD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration database has errors", processor_chain([ + dup29, + dup21, + setc("event_description","Configuration database has errors"), + dup22, + ])); + + var msg545 = msg("SNMPD_CONFIG_ERROR", part576); + + var part577 = match("MESSAGE#540:SNMPD_CONTEXT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} context %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD CONTEXT ERROR"), + dup22, + ])); + + var msg546 = msg("SNMPD_CONTEXT_ERROR", part577); + + var part578 = match("MESSAGE#541:SNMPD_ENGINE_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD ENGINE FILE FAILURE"), + dup22, + ])); + + var msg547 = msg("SNMPD_ENGINE_FILE_FAILURE", part578); + + var part579 = match("MESSAGE#542:SNMPD_ENGINE_PROCESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: from-path: undecodable/unmatched subagent response", processor_chain([ + dup29, + dup21, + setc("event_description"," from-path - SNMP undecodable/unmatched subagent response"), + dup22, + ])); + + var msg548 = msg("SNMPD_ENGINE_PROCESS_ERROR", part579); + + var part580 = match("MESSAGE#543:SNMPD_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: fopen %{dclass_counter2}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD FILE FAILURE"), + dup22, + ])); + + var msg549 = msg("SNMPD_FILE_FAILURE", part580); + + var 
part581 = match("MESSAGE#544:SNMPD_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} group: '%{group}' user '%{username}' model '%{version}'", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD GROUP ERROR"), + dup22, + ])); + + var msg550 = msg("SNMPD_GROUP_ERROR", part581); + + var part582 = match("MESSAGE#545:SNMPD_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: snmpd initialization failure: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","snmpd initialization failure"), + dup22, + ])); + + var msg551 = msg("SNMPD_INIT_FAILED", part582); + + var part583 = match("MESSAGE#546:SNMPD_LIBJUNIPER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system_default_inaddr: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","LIBJUNIPER FAILURE"), + dup22, + ])); + + var msg552 = msg("SNMPD_LIBJUNIPER_FAILURE", part583); + + var part584 = match("MESSAGE#547:SNMPD_LOOPBACK_ADDR_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","LOOPBACK ADDR ERROR"), + dup22, + ])); + + var msg553 = msg("SNMPD_LOOPBACK_ADDR_ERROR", part584); + + var part585 = match("MESSAGE#548:SNMPD_MEMORY_FREED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: called for freed - already freed", processor_chain([ + dup29, + dup21, + setc("event_description","duplicate memory free"), + dup22, + ])); + + var msg554 = msg("SNMPD_MEMORY_FREED", part585); + + var part586 = match("MESSAGE#549:SNMPD_RADIX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: radix_add failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","radix_add failed"), + dup22, + ])); + + var msg555 = msg("SNMPD_RADIX_FAILURE", part586); + + var part587 = 
match("MESSAGE#550:SNMPD_RECEIVE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: receive %{dclass_counter1->} failure: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD RECEIVE FAILURE"), + dup22, + ])); + + var msg556 = msg("SNMPD_RECEIVE_FAILURE", part587); + + var part588 = match("MESSAGE#551:SNMPD_RMONFILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RMONFILE FAILURE"), + dup22, + ])); + + var msg557 = msg("SNMPD_RMONFILE_FAILURE", part588); + + var part589 = match("MESSAGE#552:SNMPD_RMON_COOKIE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Null cookie", processor_chain([ + dup29, + dup21, + setc("event_description","Null cookie"), + dup22, + ])); + + var msg558 = msg("SNMPD_RMON_COOKIE", part589); + + var part590 = match("MESSAGE#553:SNMPD_RMON_EVENTLOG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","RMON EVENTLOG"), + dup22, + ])); + + var msg559 = msg("SNMPD_RMON_EVENTLOG", part590); + + var part591 = match("MESSAGE#554:SNMPD_RMON_IOERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Received io error, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Received io error"), + dup22, + ])); + + var msg560 = msg("SNMPD_RMON_IOERROR", part591); + + var part592 = match("MESSAGE#555:SNMPD_RMON_MIBERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: internal Get request error: description, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","internal Get request error"), + dup22, + ])); + + var msg561 = msg("SNMPD_RMON_MIBERROR", part592); + + var part593 = match("MESSAGE#556:SNMPD_RTSLIB_ASYNC_EVENT", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: sequence mismatch %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","sequence mismatch"), + dup22, + ])); + + var msg562 = msg("SNMPD_RTSLIB_ASYNC_EVENT", part593); + + var part594 = match("MESSAGE#557:SNMPD_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send send-type (index1) failure: %{result}", processor_chain([ + dup29, + dup21, + dup105, + dup22, + ])); + + var msg563 = msg("SNMPD_SEND_FAILURE", part594); + + var part595 = match("MESSAGE#558:SNMPD_SEND_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send to (%{saddr}) failure: %{result}", processor_chain([ + dup29, + dup21, + dup105, + dup22, + ])); + + var msg564 = msg("SNMPD_SEND_FAILURE:01", part595); + + var select54 = linear_select([ + msg563, + msg564, + ]); + + var part596 = match("MESSAGE#559:SNMPD_SOCKET_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket failure: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD SOCKET FAILURE"), + dup22, + ])); + + var msg565 = msg("SNMPD_SOCKET_FAILURE", part596); + + var part597 = match("MESSAGE#560:SNMPD_SUBAGENT_NO_BUFFERS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No buffers available for subagent (%{agent})", processor_chain([ + dup29, + dup21, + setc("event_description","No buffers available for subagent"), + dup22, + ])); + + var msg566 = msg("SNMPD_SUBAGENT_NO_BUFFERS", part597); + + var part598 = match("MESSAGE#561:SNMPD_SUBAGENT_SEND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Send to subagent failed (%{agent}): %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Send to subagent failed"), + dup22, + ])); + + var msg567 = msg("SNMPD_SUBAGENT_SEND_FAILED", part598); + + var part599 = match("MESSAGE#562:SNMPD_SYSLIB_FAILURE", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system function '%{dclass_counter1}' failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","system function failed"), + dup22, + ])); + + var msg568 = msg("SNMPD_SYSLIB_FAILURE", part599); + + var part600 = match("MESSAGE#563:SNMPD_THROTTLE_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: cleared all throttled traps", processor_chain([ + dup20, + dup21, + setc("event_description","cleared all throttled traps"), + dup22, + ])); + + var msg569 = msg("SNMPD_THROTTLE_QUEUE_DRAINED", part600); + + var part601 = match("MESSAGE#564:SNMPD_TRAP_COLD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: cold start", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP trap: cold start"), + dup22, + ])); + + var msg570 = msg("SNMPD_TRAP_COLD_START", part601); + + var part602 = match("MESSAGE#565:SNMPD_TRAP_GEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{resultcode->} (%{result})", processor_chain([ + dup29, + dup21, + dup106, + dup22, + ])); + + var msg571 = msg("SNMPD_TRAP_GEN_FAILURE", part602); + + var part603 = match("MESSAGE#566:SNMPD_TRAP_GEN_FAILURE2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{dclass_counter2->} %{result}", processor_chain([ + dup29, + dup21, + dup106, + dup22, + ])); + + var msg572 = msg("SNMPD_TRAP_GEN_FAILURE2", part603); + + var part604 = match("MESSAGE#567:SNMPD_TRAP_INVALID_DATA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{result->} (%{dclass_counter2}) received", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD TRAP INVALID DATA"), + dup22, + ])); + + var msg573 = msg("SNMPD_TRAP_INVALID_DATA", part604); + + var part605 = match("MESSAGE#568:SNMPD_TRAP_NOT_ENOUGH_VARBINDS", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{info->} (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD TRAP ERROR"), + dup22, + ])); + + var msg574 = msg("SNMPD_TRAP_NOT_ENOUGH_VARBINDS", part605); + + var part606 = match("MESSAGE#569:SNMPD_TRAP_QUEUED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Adding trap to %{dclass_counter2->} to %{obj_name->} queue, %{dclass_counter1->} traps in queue", processor_chain([ + dup20, + dup21, + setc("event_description","Adding trap to queue"), + dup22, + ])); + + var msg575 = msg("SNMPD_TRAP_QUEUED", part606); + + var part607 = match("MESSAGE#570:SNMPD_TRAP_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps queued to %{obj_name->} sent successfully", processor_chain([ + dup20, + dup21, + setc("event_description","traps queued - sent successfully"), + dup22, + ])); + + var msg576 = msg("SNMPD_TRAP_QUEUE_DRAINED", part607); + + var part608 = match("MESSAGE#571:SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: after %{dclass_counter1->} attempts, deleting %{dclass_counter2->} traps queued to %{obj_name}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD TRAP QUEUE MAX_ATTEMPTS - deleting some traps"), + dup22, + ])); + + var msg577 = msg("SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", part608); + + var part609 = match("MESSAGE#572:SNMPD_TRAP_QUEUE_MAX_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: maximum queue size exceeded (%{dclass_counter1}), discarding trap to %{dclass_counter2->} from %{obj_name->} queue", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP TRAP maximum queue size exceeded"), + dup22, + ])); + + var msg578 = msg("SNMPD_TRAP_QUEUE_MAX_SIZE", part609); + + var part610 = match("MESSAGE#573:SNMPD_TRAP_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: %{agent}: traps throttled after %{dclass_counter1->} traps", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP traps throttled"), + dup22, + ])); + + var msg579 = msg("SNMPD_TRAP_THROTTLED", part610); + + var part611 = match("MESSAGE#574:SNMPD_TRAP_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unknown trap type requested (%{obj_type->} )", processor_chain([ + dup29, + dup21, + setc("event_description","unknown SNMP trap type requested"), + dup22, + ])); + + var msg580 = msg("SNMPD_TRAP_TYPE_ERROR", part611); + + var part612 = match("MESSAGE#575:SNMPD_TRAP_VARBIND_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: expecting %{dclass_counter1->} varbind to be VT_NUMBER (%{resultcode->} )", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD TRAP VARBIND TYPE ERROR"), + dup22, + ])); + + var msg581 = msg("SNMPD_TRAP_VARBIND_TYPE_ERROR", part612); + + var part613 = match("MESSAGE#576:SNMPD_TRAP_VERSION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: invalid version signature (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD TRAP ERROR - invalid version signature"), + dup22, + ])); + + var msg582 = msg("SNMPD_TRAP_VERSION_ERROR", part613); + + var part614 = match("MESSAGE#577:SNMPD_TRAP_WARM_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: warm start", processor_chain([ + dup20, + dup21, + setc("event_description","SNMPD TRAP WARM START"), + dup22, + ])); + + var msg583 = msg("SNMPD_TRAP_WARM_START", part614); + + var part615 = match("MESSAGE#578:SNMPD_USER_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} user '%{username}' %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD USER ERROR"), + dup22, + 
])); + + var msg584 = msg("SNMPD_USER_ERROR", part615); + + var part616 = match("MESSAGE#579:SNMPD_VIEW_DELETE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: deleting view %{dclass_counter2->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP deleting view"), + dup22, + ])); + + var msg585 = msg("SNMPD_VIEW_DELETE", part616); + + var part617 = match("MESSAGE#580:SNMPD_VIEW_INSTALL_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} installing default %{dclass_counter1->} view %{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","installing default SNMP view"), + dup22, + ])); + + var msg586 = msg("SNMPD_VIEW_INSTALL_DEFAULT", part617); + + var part618 = match("MESSAGE#581:SNMPD_VIEW_OID_PARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: oid parsing failed for view %{dclass_counter2->} oid %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","oid parsing failed for SNMP view"), + dup22, + ])); + + var msg587 = msg("SNMPD_VIEW_OID_PARSE", part618); + + var part619 = match("MESSAGE#582:SNMP_GET_ERROR1", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP_GET_ERROR 1"), + dup22, + ])); + + var msg588 = msg("SNMP_GET_ERROR1", part619); + + var part620 = match("MESSAGE#583:SNMP_GET_ERROR2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP GET ERROR 2"), + dup22, + ])); + + var msg589 = msg("SNMP_GET_ERROR2", part620); + + var part621 = match("MESSAGE#584:SNMP_GET_ERROR3", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for 
%{dclass_counter2->} : %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP GET ERROR 3"), + dup22, + ])); + + var msg590 = msg("SNMP_GET_ERROR3", part621); + + var part622 = match("MESSAGE#585:SNMP_GET_ERROR4", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP GET ERROR 4"), + dup22, + ])); + + var msg591 = msg("SNMP_GET_ERROR4", part622); + + var part623 = match("MESSAGE#586:SNMP_RTSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: rtslib-error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP RTSLIB FAILURE"), + dup22, + ])); + + var msg592 = msg("SNMP_RTSLIB_FAILURE", part623); + + var part624 = match("MESSAGE#587:SNMP_TRAP_LINK_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ + dup29, + dup21, + dup107, + dup22, + ])); + + var msg593 = msg("SNMP_TRAP_LINK_DOWN", part624); + + var part625 = match("MESSAGE#596:SNMP_TRAP_LINK_DOWN:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{fld2}\" interface-name=\"%{interface}\"]", processor_chain([ + dup29, + dup21, + dup107, + dup60, + dup61, + ])); + + var msg594 = msg("SNMP_TRAP_LINK_DOWN:01", part625); + + var select55 = linear_select([ + msg593, + msg594, + ]); + + var part626 = match("MESSAGE#588:SNMP_TRAP_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ + dup20, + dup21, + dup108, + dup22, + ])); + + var msg595 = msg("SNMP_TRAP_LINK_UP", part626); + + var 
part627 = match("MESSAGE#597:SNMP_TRAP_LINK_UP:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{event_state}\" interface-name=\"%{interface}\"]", processor_chain([ + dup20, + dup21, + dup108, + dup60, + dup61, + ])); + + var msg596 = msg("SNMP_TRAP_LINK_UP:01", part627); + + var select56 = linear_select([ + msg595, + msg596, + ]); + + var part628 = match("MESSAGE#589:SNMP_TRAP_PING_PROBE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP TRAP PING PROBE FAILED"), + dup22, + ])); + + var msg597 = msg("SNMP_TRAP_PING_PROBE_FAILED", part628); + + var part629 = match("MESSAGE#590:SNMP_TRAP_PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP TRAP PING TEST COMPLETED"), + dup22, + ])); + + var msg598 = msg("SNMP_TRAP_PING_TEST_COMPLETED", part629); + + var part630 = match("MESSAGE#591:SNMP_TRAP_PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP TRAP PING TEST FAILED"), + dup22, + ])); + + var msg599 = msg("SNMP_TRAP_PING_TEST_FAILED", part630); + + var part631 = match("MESSAGE#592:SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP TRAP TRACE ROUTE PATH CHANGE"), + dup22, + ])); + + var msg600 = msg("SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", part631); + + var 
part632 = match("MESSAGE#593:SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP TRAP TRACE ROUTE TEST COMPLETED"), + dup22, + ])); + + var msg601 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", part632); + + var part633 = match("MESSAGE#594:SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP TRAP TRACE ROUTE TEST FAILED"), + dup22, + ])); + + var msg602 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", part633); + + var part634 = match("MESSAGE#598:SSHD_LOGIN_FAILED", "nwparser.payload", "%{process}: %{event_type}: Login failed for user '%{username}' from host '%{saddr}'", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup109, + dup22, + ])); + + var msg603 = msg("SSHD_LOGIN_FAILED", part634); + + var part635 = match("MESSAGE#599:SSHD_LOGIN_FAILED:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} username=\"%{username}\" source-address=\"%{saddr}\"]", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup109, + dup60, + dup51, + setf("process","hfld33"), + ])); + + var msg604 = msg("SSHD_LOGIN_FAILED:01", part635); + + var select57 = linear_select([ + msg603, + msg604, + ]); + + var part636 = match("MESSAGE#600:task_connect", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: task %{agent->} addr %{daddr}+%{dport}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","task connect failure"), + dup22, + ])); + + var msg605 = msg("task_connect", part636); + + var msg606 = msg("TASK_TASK_REINIT", dup146); + + var part637 = match("MESSAGE#602:TFTPD_AF_ERR", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Unexpected address family %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Unexpected address family"), + dup22, + ])); + + var msg607 = msg("TFTPD_AF_ERR", part637); + + var part638 = match("MESSAGE#603:TFTPD_BIND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: bind: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD BIND ERROR"), + dup22, + ])); + + var msg608 = msg("TFTPD_BIND_ERR", part638); + + var part639 = match("MESSAGE#604:TFTPD_CONNECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD CONNECT ERROR"), + dup22, + ])); + + var msg609 = msg("TFTPD_CONNECT_ERR", part639); + + var part640 = match("MESSAGE#605:TFTPD_CONNECT_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TFTP %{protocol->} from address %{daddr->} port %{dport->} file %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","TFTPD CONNECT INFO"), + dup22, + ])); + + var msg610 = msg("TFTPD_CONNECT_INFO", part640); + + var part641 = match("MESSAGE#606:TFTPD_CREATE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: check_space %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD CREATE ERROR"), + dup22, + ])); + + var msg611 = msg("TFTPD_CREATE_ERR", part641); + + var part642 = match("MESSAGE#607:TFTPD_FIO_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD FIO ERR"), + dup22, + ])); + + var msg612 = msg("TFTPD_FIO_ERR", part642); + + var part643 = match("MESSAGE#608:TFTPD_FORK_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fork: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD FORK ERROR"), + dup22, + ])); + + 
var msg613 = msg("TFTPD_FORK_ERR", part643); + + var part644 = match("MESSAGE#609:TFTPD_NAK_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: nak error %{resultcode}, %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD NAK ERROR"), + dup22, + ])); + + var msg614 = msg("TFTPD_NAK_ERR", part644); + + var part645 = match("MESSAGE#610:TFTPD_OPEN_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)', error: %{result}", processor_chain([ + dup29, + dup21, + dup77, + dup22, + ])); + + var msg615 = msg("TFTPD_OPEN_ERR", part645); + + var part646 = match("MESSAGE#611:TFTPD_RECVCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received %{dclass_counter1->} blocks of %{dclass_counter2->} size for file '%(unknown)'", processor_chain([ + dup20, + dup21, + setc("event_description","TFTPD RECVCOMPLETE INFO"), + dup22, + ])); + + var msg616 = msg("TFTPD_RECVCOMPLETE_INFO", part646); + + var part647 = match("MESSAGE#612:TFTPD_RECVFROM_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recvfrom: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD RECVFROM ERROR"), + dup22, + ])); + + var msg617 = msg("TFTPD_RECVFROM_ERR", part647); + + var part648 = match("MESSAGE#613:TFTPD_RECV_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recv: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD RECV ERROR"), + dup22, + ])); + + var msg618 = msg("TFTPD_RECV_ERR", part648); + + var part649 = match("MESSAGE#614:TFTPD_SENDCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Sent %{dclass_counter1->} blocks of %{dclass_counter2->} and %{info->} for file '%(unknown)'", processor_chain([ + dup20, + dup21, + setc("event_description","TFTPD SENDCOMPLETE INFO"), + dup22, + ])); + + var msg619 = msg("TFTPD_SENDCOMPLETE_INFO", part649); + + var 
part650 = match("MESSAGE#615:TFTPD_SEND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: send: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD SEND ERROR"), + dup22, + ])); + + var msg620 = msg("TFTPD_SEND_ERR", part650); + + var part651 = match("MESSAGE#616:TFTPD_SOCKET_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: socket: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD SOCKET ERROR"), + dup22, + ])); + + var msg621 = msg("TFTPD_SOCKET_ERR", part651); + + var part652 = match("MESSAGE#617:TFTPD_STATFS_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: statfs %{agent}, error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD STATFS ERROR"), + dup22, + ])); + + var msg622 = msg("TFTPD_STATFS_ERR", part652); + + var part653 = match("MESSAGE#618:TNP", "nwparser.payload", "%{process}: %{event_type}: adding neighbor %{dclass_counter1->} to interface %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","adding neighbor to interface"), + dup22, + ])); + + var msg623 = msg("TNP", part653); + + var part654 = match("MESSAGE#619:trace_on", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: tracing to %{fld33->} started", processor_chain([ + dup20, + dup21, + setc("event_description","tracing to file"), + dup22, + call({ + dest: "nwparser.filename", + fn: RMQ, + args: [ + field("fld33"), + ], + }), + ])); + + var msg624 = msg("trace_on", part654); + + var part655 = match("MESSAGE#620:trace_rotate", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rotating %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","trace rotating file"), + dup22, + ])); + + var msg625 = msg("trace_rotate", part655); + + var part656 = match("MESSAGE#621:transfer-file", "nwparser.payload", "%{process}: %{event_type}: Transferred %(unknown)", processor_chain([ + dup20, + 
dup21, + setc("event_description","transfered file"), + dup22, + ])); + + var msg626 = msg("transfer-file", part656); + + var part657 = match("MESSAGE#622:ttloop", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer died: %{result}: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","ttloop - peer died"), + dup22, + ])); + + var msg627 = msg("ttloop", part657); + + var part658 = match("MESSAGE#623:UI_AUTH_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated user '%{username}' at permission level '%{privilege}'", processor_chain([ + dup79, + dup33, + dup34, + dup36, + dup21, + setc("event_description","Authenticated user"), + dup22, + ])); + + var msg628 = msg("UI_AUTH_EVENT", part658); + + var part659 = match("MESSAGE#624:UI_AUTH_INVALID_CHALLENGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received invalid authentication challenge for user '%{username}': response", processor_chain([ + dup29, + dup21, + setc("event_description","Received invalid authentication challenge for user response"), + dup22, + ])); + + var msg629 = msg("UI_AUTH_INVALID_CHALLENGE", part659); + + var part660 = match("MESSAGE#625:UI_BOOTTIME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch boot time: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to fetch boot time"), + dup22, + ])); + + var msg630 = msg("UI_BOOTTIME_FAILED", part660); + + var part661 = match("MESSAGE#626:UI_CFG_AUDIT_NEW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} path unknown", processor_chain([ + dup29, + dup21, + setc("event_description","user path unknown"), + dup22, + ])); + + var msg631 = msg("UI_CFG_AUDIT_NEW", part661); + + var part662 = match("MESSAGE#627:UI_CFG_AUDIT_NEW:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' insert: [edit-config config 
%{filename->} security policies %{policyname}] %{info}", processor_chain([ + dup41, + dup21, + setc("event_description"," user Inserted Security Policies in config"), + dup22, + ])); + + var msg632 = msg("UI_CFG_AUDIT_NEW:01", part662); + + var select58 = linear_select([ + msg631, + msg632, + ]); + + var part663 = match("MESSAGE#628:UI_CFG_AUDIT_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' delete: [%(unknown)]", processor_chain([ + dup20, + dup21, + setc("event_description","User deleted file"), + setc("action","delete"), + dup22, + ])); + + var msg633 = msg("UI_CFG_AUDIT_OTHER", part663); + + var part664 = match("MESSAGE#629:UI_CFG_AUDIT_OTHER:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' rollback: %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","User rollback file"), + dup22, + ])); + + var msg634 = msg("UI_CFG_AUDIT_OTHER:01", part664); + + var part665 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_0", "nwparser.p0", "\"%{info}\" "); + + var part666 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "%{space->} "); + + var select59 = linear_select([ + part665, + part666, + ]); + + var all31 = all_match({ + processors: [ + dup110, + select59, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","User set"), + dup22, + ]), + }); + + var msg635 = msg("UI_CFG_AUDIT_OTHER:02", all31); + + var part667 = match("MESSAGE#631:UI_CFG_AUDIT_OTHER:03", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}]", processor_chain([ + dup20, + dup21, + setc("event_description","User config replace"), + setc("action","replace"), + dup22, + ])); + + var msg636 = msg("UI_CFG_AUDIT_OTHER:03", part667); + + var part668 = match("MESSAGE#632:UI_CFG_AUDIT_OTHER:04", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' 
deactivate: [groups %{info}]", processor_chain([ + setc("eventcategory","1701070000"), + dup21, + setc("event_description","User deactivating group(s)"), + setc("action","deactivate"), + dup22, + ])); + + var msg637 = msg("UI_CFG_AUDIT_OTHER:04", part668); + + var part669 = match("MESSAGE#633:UI_CFG_AUDIT_OTHER:05", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' update: %(unknown)", processor_chain([ + dup111, + dup21, + setc("event_description","User updates config file"), + setc("action","update"), + dup22, + ])); + + var msg638 = msg("UI_CFG_AUDIT_OTHER:05", part669); + + var select60 = linear_select([ + msg633, + msg634, + msg635, + msg636, + msg637, + msg638, + ]); + + var part670 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_0", "nwparser.p0", "\"%{change_old}\" %{p0}"); + + var select61 = linear_select([ + part670, + dup112, + ]); + + var all32 = all_match({ + processors: [ + dup110, + select61, + dup113, + ], + on_success: processor_chain([ + dup20, + dup21, + dup114, + dup22, + ]), + }); + + var msg639 = msg("UI_CFG_AUDIT_SET:01", all32); + + var part671 = match("MESSAGE#635:UI_CFG_AUDIT_SET:02/1_0", "nwparser.p0", "\"%{change_old->} %{p0}"); + + var select62 = linear_select([ + part671, + dup112, + ]); + + var all33 = all_match({ + processors: [ + dup110, + select62, + dup113, + ], + on_success: processor_chain([ + dup20, + dup21, + dup114, + dup22, + ]), + }); + + var msg640 = msg("UI_CFG_AUDIT_SET:02", all33); + + var part672 = match("MESSAGE#636:UI_CFG_AUDIT_SET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}] \u003c\u003c%{disposition}> -> \"%{agent}\"", processor_chain([ + dup20, + dup21, + setc("event_description","User replace config application(s)"), + dup22, + ])); + + var msg641 = msg("UI_CFG_AUDIT_SET", part672); + + var select63 = linear_select([ + msg639, + msg640, + msg641, + ]); + + var part673 = 
match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/2", "nwparser.p0", ": [groups %{info->} secret]"); + + var all34 = all_match({ + processors: [ + dup115, + dup153, + part673, + ], + on_success: processor_chain([ + dup111, + dup21, + dup118, + dup22, + ]), + }); + + var msg642 = msg("UI_CFG_AUDIT_SET_SECRET:01", all34); + + var part674 = match("MESSAGE#638:UI_CFG_AUDIT_SET_SECRET:02/2", "nwparser.p0", ": [%{info}]"); + + var all35 = all_match({ + processors: [ + dup115, + dup153, + part674, + ], + on_success: processor_chain([ + dup111, + dup21, + dup118, + dup22, + ]), + }); + + var msg643 = msg("UI_CFG_AUDIT_SET_SECRET:02", all35); + + var part675 = match("MESSAGE#639:UI_CFG_AUDIT_SET_SECRET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} %{directory}", processor_chain([ + dup20, + dup21, + setc("event_description","UI CFG AUDIT SET SECRET"), + dup22, + ])); + + var msg644 = msg("UI_CFG_AUDIT_SET_SECRET", part675); + + var select64 = linear_select([ + msg642, + msg643, + msg644, + ]); + + var part676 = match("MESSAGE#640:UI_CHILD_ARGS_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many arguments for child process '%{agent}'", processor_chain([ + dup29, + dup21, + setc("event_description","Too many arguments for child process"), + dup22, + ])); + + var msg645 = msg("UI_CHILD_ARGS_EXCEEDED", part676); + + var part677 = match("MESSAGE#641:UI_CHILD_CHANGE_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to switch to local user: %{username}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to switch to local user"), + dup22, + ])); + + var msg646 = msg("UI_CHILD_CHANGE_USER", part677); + + var part678 = match("MESSAGE#642:UI_CHILD_EXEC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Child exec 
failed"), + dup22, + ])); + + var msg647 = msg("UI_CHILD_EXEC", part678); + + var part679 = match("MESSAGE#643:UI_CHILD_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exited: PID %{child_pid}, status %{result}, command '%{action}'", processor_chain([ + dup29, + dup21, + setc("event_description","Child exited"), + dup22, + ])); + + var msg648 = msg("UI_CHILD_EXITED", part679); + + var part680 = match("MESSAGE#644:UI_CHILD_FOPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to append to log '%(unknown)': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to append to log"), + dup22, + ])); + + var msg649 = msg("UI_CHILD_FOPEN", part680); + + var part681 = match("MESSAGE#645:UI_CHILD_PIPE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipe for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to create pipe for command"), + dup22, + ])); + + var msg650 = msg("UI_CHILD_PIPE_FAILED", part681); + + var part682 = match("MESSAGE#646:UI_CHILD_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child received signal: PID %{child_pid}, signal %{result}: %{resultcode}, command='%{action}'", processor_chain([ + dup20, + dup21, + dup60, + setc("event_description","Child received signal"), + dup22, + ])); + + var msg651 = msg("UI_CHILD_SIGNALED", part682); + + var part683 = match("MESSAGE#647:UI_CHILD_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child stopped: PID %{child_pid}, signal=%{resultcode->} command='%{action}')", processor_chain([ + dup20, + dup21, + setc("event_description","Child stopped"), + dup22, + ])); + + var msg652 = msg("UI_CHILD_STOPPED", part683); + + var part684 = match("MESSAGE#648:UI_CHILD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Starting child '%{agent}'", processor_chain([ + dup20, + dup21, + 
setc("event_description","Starting child"), + dup22, + ])); + + var msg653 = msg("UI_CHILD_START", part684); + + var part685 = match("MESSAGE#649:UI_CHILD_STATUS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cleanup child '%{agent}', PID %{child_pid}, status %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Cleanup child"), + dup22, + ])); + + var msg654 = msg("UI_CHILD_STATUS", part685); + + var part686 = match("MESSAGE#650:UI_CHILD_WAITPID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: waitpid failed: PID %{child_pid}, rc %{dclass_counter2}, status %{resultcode}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","waitpid failed"), + dup22, + ])); + + var msg655 = msg("UI_CHILD_WAITPID", part686); + + var part687 = match("MESSAGE#651:UI_CLI_IDLE_TIMEOUT", "nwparser.payload", "%{event_type}: Idle timeout for user '%{username}' exceeded and %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Idle timeout for user exceeded"), + dup22, + ])); + + var msg656 = msg("UI_CLI_IDLE_TIMEOUT", part687); + + var part688 = match("MESSAGE#652:UI_CMDLINE_READ_LINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}', command '%{action}'", processor_chain([ + dup20, + dup21, + dup119, + dup22, + ])); + + var msg657 = msg("UI_CMDLINE_READ_LINE", part688); + + var part689 = match("MESSAGE#653:UI_CMDSET_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command execution failed for '%{agent}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Command execution failed"), + dup22, + ])); + + var msg658 = msg("UI_CMDSET_EXEC_FAILED", part689); + + var part690 = match("MESSAGE#654:UI_CMDSET_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork command '%{agent}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to fork 
command"), + dup22, + ])); + + var msg659 = msg("UI_CMDSET_FORK_FAILED", part690); + + var msg660 = msg("UI_CMDSET_PIPE_FAILED", dup141); + + var part691 = match("MESSAGE#656:UI_CMDSET_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal '%{resultcode}, command '%{action}'", processor_chain([ + dup29, + dup21, + dup69, + dup22, + ])); + + var msg661 = msg("UI_CMDSET_STOPPED", part691); + + var part692 = match("MESSAGE#657:UI_CMDSET_WEXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{resultcode}, command '%{action}'", processor_chain([ + dup29, + dup21, + dup71, + dup22, + ])); + + var msg662 = msg("UI_CMDSET_WEXITED", part692); + + var part693 = match("MESSAGE#658:UI_CMD_AUTH_REGEX_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid '%{action}' command authorization regular expression '%{agent}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Invalid regexp command"), + dup22, + ])); + + var msg663 = msg("UI_CMD_AUTH_REGEX_INVALID", part693); + + var part694 = match("MESSAGE#659:UI_COMMIT/1_0", "nwparser.p0", "requested '%{action}' operation (comment:%{info}) "); + + var part695 = match("MESSAGE#659:UI_COMMIT/1_1", "nwparser.p0", "performed %{action->} "); + + var select65 = linear_select([ + part694, + part695, + ]); + + var all36 = all_match({ + processors: [ + dup115, + select65, + ], + on_success: processor_chain([ + dup20, + dup21, + dup120, + dup22, + ]), + }); + + var msg664 = msg("UI_COMMIT", all36); + + var part696 = match("MESSAGE#660:UI_COMMIT_AT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{result}", processor_chain([ + dup20, + dup21, + dup120, + dup22, + ])); + + var msg665 = msg("UI_COMMIT_AT", part696); + + var part697 = match("MESSAGE#661:UI_COMMIT_AT_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: '%{agent}' was successful", processor_chain([ + dup20, + dup21, + setc("event_description","User commit successful"), + dup22, + ])); + + var msg666 = msg("UI_COMMIT_AT_COMPLETED", part697); + + var part698 = match("MESSAGE#662:UI_COMMIT_AT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, %{info}", processor_chain([ + dup29, + dup21, + setc("event_description","User commit failed"), + dup22, + ])); + + var msg667 = msg("UI_COMMIT_AT_FAILED", part698); + + var part699 = match("MESSAGE#663:UI_COMMIT_COMPRESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to compress file %(unknown)'", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to compress file"), + dup22, + ])); + + var msg668 = msg("UI_COMMIT_COMPRESS_FAILED", part699); + + var part700 = match("MESSAGE#664:UI_COMMIT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed '%{action}'", processor_chain([ + dup20, + dup21, + setc("event_description","UI COMMIT CONFIRMED"), + dup22, + ])); + + var msg669 = msg("UI_COMMIT_CONFIRMED", part700); + + var part701 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{action}' must be confirmed within %{p0}"); + + var part702 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_0", "nwparser.p0", "minutes %{dclass_counter1->} "); + + var part703 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_1", "nwparser.p0", "%{dclass_counter1->} minutes "); + + var select66 = linear_select([ + part702, + part703, + ]); + + var all37 = all_match({ + processors: [ + part701, + select66, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","COMMIT must be confirmed within # minutes"), + dup22, + ]), + }); + + var msg670 = msg("UI_COMMIT_CONFIRMED_REMINDER", all37); + + var part704 = match("MESSAGE#666:UI_COMMIT_CONFIRMED_TIMED/2", 
"nwparser.p0", "%{}'%{username}' performed '%{action}'"); + + var all38 = all_match({ + processors: [ + dup49, + dup142, + part704, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","user performed commit confirm"), + dup22, + ]), + }); + + var msg671 = msg("UI_COMMIT_CONFIRMED_TIMED", all38); + + var part705 = match("MESSAGE#667:UI_COMMIT_EMPTY_CONTAINER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Skipped empty object %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Skipped empty object"), + dup22, + ])); + + var msg672 = msg("UI_COMMIT_EMPTY_CONTAINER", part705); + + var part706 = match("MESSAGE#668:UI_COMMIT_NOT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commit was not confirmed; %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","COMMIT NOT CONFIRMED"), + dup22, + ])); + + var msg673 = msg("UI_COMMIT_NOT_CONFIRMED", part706); + + var part707 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_0", "nwparser.p0", "commit %{p0}"); + + var part708 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_1", "nwparser.p0", "Commit operation in progress %{p0}"); + + var select67 = linear_select([ + part707, + part708, + ]); + + var part709 = match("MESSAGE#669:UI_COMMIT_PROGRESS/2", "nwparser.p0", ": %{action}"); + + var all39 = all_match({ + processors: [ + dup49, + select67, + part709, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","Commit operation in progress"), + dup22, + ]), + }); + + var msg674 = msg("UI_COMMIT_PROGRESS", all39); + + var part710 = match("MESSAGE#670:UI_COMMIT_QUIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","COMMIT QUIT"), + dup22, + ])); + + var msg675 = msg("UI_COMMIT_QUIT", part710); + + var part711 = match("MESSAGE#671:UI_COMMIT_ROLLBACK_FAILED", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Automatic rollback failed", processor_chain([ + dup29, + dup21, + setc("event_description","Automatic rollback failed"), + dup22, + ])); + + var msg676 = msg("UI_COMMIT_ROLLBACK_FAILED", part711); + + var part712 = match("MESSAGE#672:UI_COMMIT_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","COMMIT SYNC"), + dup22, + ])); + + var msg677 = msg("UI_COMMIT_SYNC", part712); + + var part713 = match("MESSAGE#673:UI_COMMIT_SYNC_FORCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: All logins to local configuration database were terminated because %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","All logins to local configuration database were terminated"), + dup22, + ])); + + var msg678 = msg("UI_COMMIT_SYNC_FORCE", part713); + + var part714 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process: %{agent}, path: %{p0}"); + + var part715 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_0", "nwparser.p0", "[%(unknown)], %{p0}"); + + var part716 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_1", "nwparser.p0", "%(unknown), %{p0}"); + + var select68 = linear_select([ + part715, + part716, + ]); + + var part717 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/2", "nwparser.p0", "%{}statement: %{info->} %{p0}"); + + var part718 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/3_0", "nwparser.p0", ", error: %{result->} "); + + var part719 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/3_1", "nwparser.p0", "%{space}"); + + var select69 = linear_select([ + part718, + part719, + ]); + + var all40 = all_match({ + processors: [ + part714, + select68, + part717, + select69, + ], + on_success: processor_chain([ + dup29, + dup21, + setc("event_description","CONFIGURATION ERROR"), + dup22, + ]), + }); + + var msg679 = 
msg("UI_CONFIGURATION_ERROR", all40); + + var part720 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/2", "nwparser.p0", "%{}socket connection accept failed: %{result}"); + + var all41 = all_match({ + processors: [ + dup49, + dup154, + part720, + ], + on_success: processor_chain([ + dup29, + dup21, + setc("event_description","socket connection accept failed"), + dup22, + ]), + }); + + var msg680 = msg("UI_DAEMON_ACCEPT_FAILED", all41); + + var part721 = match("MESSAGE#676:UI_DAEMON_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create session child: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to create session child"), + dup22, + ])); + + var msg681 = msg("UI_DAEMON_FORK_FAILED", part721); + + var part722 = match("MESSAGE#677:UI_DAEMON_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","DAEMON SELECT FAILED"), + dup22, + ])); + + var msg682 = msg("UI_DAEMON_SELECT_FAILED", part722); + + var part723 = match("MESSAGE#678:UI_DAEMON_SOCKET_FAILED/2", "nwparser.p0", "%{}socket create failed: %{result}"); + + var all42 = all_match({ + processors: [ + dup49, + dup154, + part723, + ], + on_success: processor_chain([ + dup29, + dup21, + setc("event_description","socket create failed"), + dup22, + ]), + }); + + var msg683 = msg("UI_DAEMON_SOCKET_FAILED", all42); + + var part724 = match("MESSAGE#679:UI_DBASE_ACCESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to reaccess database file '%(unknown)', address %{interface}, size %{dclass_counter1}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to reaccess database file"), + dup22, + ])); + + var msg684 = msg("UI_DBASE_ACCESS_FAILED", part724); + + var part725 = match("MESSAGE#680:UI_DBASE_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
Database '%(unknown)' is out of data and needs to be rebuilt", processor_chain([ + dup29, + dup21, + setc("event_description","Database is out of data"), + dup22, + ])); + + var msg685 = msg("UI_DBASE_CHECKOUT_FAILED", part725); + + var part726 = match("MESSAGE#681:UI_DBASE_EXTEND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to extend database file '%(unknown)' to size %{dclass_counter1}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to extend database file"), + dup22, + ])); + + var msg686 = msg("UI_DBASE_EXTEND_FAILED", part726); + + var part727 = match("MESSAGE#682:UI_DBASE_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' entering configuration mode", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","User entering configuration mode"), + dup22, + ])); + + var msg687 = msg("UI_DBASE_LOGIN_EVENT", part727); + + var part728 = match("MESSAGE#683:UI_DBASE_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{event_description}", processor_chain([ + dup123, + dup33, + dup34, + dup124, + dup36, + dup21, + setc("event_description","User exiting configuration mode"), + dup22, + ])); + + var msg688 = msg("UI_DBASE_LOGOUT_EVENT", part728); + + var part729 = match("MESSAGE#684:UI_DBASE_MISMATCH_EXTENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header extent mismatch for file '%{agent}': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Database header extent mismatch"), + dup22, + ])); + + var msg689 = msg("UI_DBASE_MISMATCH_EXTENT", part729); + + var part730 = match("MESSAGE#685:UI_DBASE_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header major version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, 
got %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Database header major version number mismatch"), + dup22, + ])); + + var msg690 = msg("UI_DBASE_MISMATCH_MAJOR", part730); + + var part731 = match("MESSAGE#686:UI_DBASE_MISMATCH_MINOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header minor version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Database header minor version number mismatch"), + dup22, + ])); + + var msg691 = msg("UI_DBASE_MISMATCH_MINOR", part731); + + var part732 = match("MESSAGE#687:UI_DBASE_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header sequence numbers mismatch for file '%(unknown)'", processor_chain([ + dup29, + dup21, + setc("event_description","Database header sequence numbers mismatch"), + dup22, + ])); + + var msg692 = msg("UI_DBASE_MISMATCH_SEQUENCE", part732); + + var part733 = match("MESSAGE#688:UI_DBASE_MISMATCH_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header size mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Database header size mismatch"), + dup22, + ])); + + var msg693 = msg("UI_DBASE_MISMATCH_SIZE", part733); + + var part734 = match("MESSAGE#689:UI_DBASE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database open failed for file '%(unknown)': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Database open failed"), + dup22, + ])); + + var msg694 = msg("UI_DBASE_OPEN_FAILED", part734); + + var part735 = match("MESSAGE#690:UI_DBASE_REBUILD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} Automatic rebuild of the database '%(unknown)' failed", processor_chain([ + 
dup29, + dup21, + setc("event_description","DBASE REBUILD FAILED"), + dup22, + ])); + + var msg695 = msg("UI_DBASE_REBUILD_FAILED", part735); + + var part736 = match("MESSAGE#691:UI_DBASE_REBUILD_SCHEMA_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Automatic rebuild of the database failed", processor_chain([ + dup29, + dup21, + setc("event_description","Automatic rebuild of the database failed"), + dup22, + ])); + + var msg696 = msg("UI_DBASE_REBUILD_SCHEMA_FAILED", part736); + + var part737 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/1_1", "nwparser.p0", "Automatic %{p0}"); + + var select70 = linear_select([ + dup75, + part737, + ]); + + var part738 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/2", "nwparser.p0", "%{} %{username->} rebuild/rollback of the database '%(unknown)' started"); + + var all43 = all_match({ + processors: [ + dup49, + select70, + part738, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","DBASE REBUILD STARTED"), + dup22, + ]), + }); + + var msg697 = msg("UI_DBASE_REBUILD_STARTED", all43); + + var part739 = match("MESSAGE#693:UI_DBASE_RECREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' attempting database re-creation", processor_chain([ + dup20, + dup21, + setc("event_description","user attempting database re-creation"), + dup22, + ])); + + var msg698 = msg("UI_DBASE_RECREATE", part739); + + var part740 = match("MESSAGE#694:UI_DBASE_REOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reopen of the database failed", processor_chain([ + dup29, + dup21, + setc("event_description","Reopen of the database failed"), + dup22, + ])); + + var msg699 = msg("UI_DBASE_REOPEN_FAILED", part740); + + var part741 = match("MESSAGE#695:UI_DUPLICATE_UID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Users %{username->} have the same UID %{uid}", processor_chain([ + dup29, + dup21, + setc("event_description","Users 
have the same UID"), + dup22, + ])); + + var msg700 = msg("UI_DUPLICATE_UID", part741); + + var part742 = match("MESSAGE#696:UI_JUNOSCRIPT_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used JUNOScript client to run command '%{action}'", processor_chain([ + setc("eventcategory","1401050100"), + dup21, + setc("event_description","User used JUNOScript client to run command"), + dup22, + ])); + + var msg701 = msg("UI_JUNOSCRIPT_CMD", part742); + + var part743 = match("MESSAGE#697:UI_JUNOSCRIPT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: JUNOScript error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","JUNOScript error"), + dup22, + ])); + + var msg702 = msg("UI_JUNOSCRIPT_ERROR", part743); + + var part744 = match("MESSAGE#698:UI_LOAD_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' is performing a '%{action}'", processor_chain([ + dup20, + dup21, + setc("event_description","User command"), + dup22, + ])); + + var msg703 = msg("UI_LOAD_EVENT", part744); + + var part745 = match("MESSAGE#699:UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Loading the default config from %(unknown)", processor_chain([ + setc("eventcategory","1701040000"), + dup21, + setc("event_description","Loading default config from file"), + dup22, + ])); + + var msg704 = msg("UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", part745); + + var part746 = match("MESSAGE#700:UI_LOGIN_EVENT:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' [%{fld01}], %{info->} '%{saddr->} %{sport->} %{daddr->} %{dport}', client-mode '%{fld02}'", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + dup125, + dup126, + dup22, + ])); + + var msg705 = msg("UI_LOGIN_EVENT:01", part746); + + var part747 = match("MESSAGE#701:UI_LOGIN_EVENT", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' %{info}", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + dup125, + dup22, + ])); + + var msg706 = msg("UI_LOGIN_EVENT", part747); + + var select71 = linear_select([ + msg705, + msg706, + ]); + + var part748 = match("MESSAGE#702:UI_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' logout", processor_chain([ + dup123, + dup33, + dup34, + dup124, + dup36, + dup21, + setc("event_description","User logout"), + dup22, + ])); + + var msg707 = msg("UI_LOGOUT_EVENT", part748); + + var part749 = match("MESSAGE#703:UI_LOST_CONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Lost connection to daemon %{agent}", processor_chain([ + dup29, + dup21, + setc("event_description","Lost connection to daemon"), + dup22, + ])); + + var msg708 = msg("UI_LOST_CONN", part749); + + var part750 = match("MESSAGE#704:UI_MASTERSHIP_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} by '%{username}'", processor_chain([ + dup20, + dup21, + setc("event_description","MASTERSHIP EVENT"), + dup22, + ])); + + var msg709 = msg("UI_MASTERSHIP_EVENT", part750); + + var part751 = match("MESSAGE#705:UI_MGD_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Terminating operation: exit status %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","Terminating operation"), + dup22, + ])); + + var msg710 = msg("UI_MGD_TERMINATE", part751); + + var part752 = match("MESSAGE#706:UI_NETCONF_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used NETCONF client to run command '%{action}'", processor_chain([ + dup28, + dup21, + setc("event_description","User used NETCONF client to run command"), + dup22, + ])); + + var msg711 = msg("UI_NETCONF_CMD", part752); + + var part753 = match("MESSAGE#707:UI_READ_FAILED", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: read failed for peer %{hostname}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","read failed for peer"), + dup22, + ])); + + var msg712 = msg("UI_READ_FAILED", part753); + + var part754 = match("MESSAGE#708:UI_READ_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout on read of peer %{hostname}", processor_chain([ + dup29, + dup21, + setc("event_description","Timeout on read of peer"), + dup22, + ])); + + var msg713 = msg("UI_READ_TIMEOUT", part754); + + var part755 = match("MESSAGE#709:UI_REBOOT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: System %{action->} by '%{username}'", processor_chain([ + dup59, + dup21, + setc("event_description","System reboot or halt"), + dup22, + ])); + + var msg714 = msg("UI_REBOOT_EVENT", part755); + + var part756 = match("MESSAGE#710:UI_RESTART_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' restarting daemon %{service}", processor_chain([ + dup28, + dup21, + setc("event_description","user restarting daemon"), + dup22, + ])); + + var msg715 = msg("UI_RESTART_EVENT", part756); + + var part757 = match("MESSAGE#711:UI_SCHEMA_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema is out of date and %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Schema is out of date"), + dup22, + ])); + + var msg716 = msg("UI_SCHEMA_CHECKOUT_FAILED", part757); + + var part758 = match("MESSAGE#712:UI_SCHEMA_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema major version mismatch for package %{filename->} %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Schema major version mismatch"), + dup22, + ])); + + var msg717 = msg("UI_SCHEMA_MISMATCH_MAJOR", part758); + + var part759 = match("MESSAGE#713:UI_SCHEMA_MISMATCH_MINOR", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Schema minor version mismatch for package %{filename->} %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Schema minor version mismatch"), + dup22, + ])); + + var msg718 = msg("UI_SCHEMA_MISMATCH_MINOR", part759); + + var part760 = match("MESSAGE#714:UI_SCHEMA_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema header sequence numbers mismatch for package %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","Schema header sequence numbers mismatch"), + dup22, + ])); + + var msg719 = msg("UI_SCHEMA_MISMATCH_SEQUENCE", part760); + + var part761 = match("MESSAGE#715:UI_SCHEMA_SEQUENCE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema sequence number mismatch", processor_chain([ + dup29, + dup21, + setc("event_description","Schema sequence number mismatch"), + dup22, + ])); + + var msg720 = msg("UI_SCHEMA_SEQUENCE_ERROR", part761); + + var part762 = match("MESSAGE#716:UI_SYNC_OTHER_RE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration synchronization with remote Routing Engine %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Configuration synchronization with remote Routing Engine"), + dup22, + ])); + + var msg721 = msg("UI_SYNC_OTHER_RE", part762); + + var part763 = match("MESSAGE#717:UI_TACPLUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TACACS+ failure: %{result}", processor_chain([ + dup29, + dup21, + dup127, + dup22, + ])); + + var msg722 = msg("UI_TACPLUS_ERROR", part763); + + var part764 = match("MESSAGE#718:UI_VERSION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch system version: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to fetch system version"), + dup22, + ])); + + var msg723 = msg("UI_VERSION_FAILED", part764); + + var part765 = 
match("MESSAGE#719:UI_WRITE_RECONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Re-establishing connection to peer %{hostname}", processor_chain([ + dup20, + dup21, + setc("event_description","Re-establishing connection to peer"), + dup22, + ])); + + var msg724 = msg("UI_WRITE_RECONNECT", part765); + + var part766 = match("MESSAGE#720:VRRPD_NEWMASTER_TRAP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Interface %{interface->} (local addr: %{saddr}) is now master for %{username}", processor_chain([ + dup20, + dup21, + setc("event_description","Interface new master for User"), + dup22, + ])); + + var msg725 = msg("VRRPD_NEWMASTER_TRAP", part766); + + var part767 = match("MESSAGE#721:WEB_AUTH_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to authenticate %{obj_name->} (username %{c_username})", processor_chain([ + dup68, + dup33, + dup34, + dup42, + dup21, + setc("event_description","Unable to authenticate client"), + dup22, + ])); + + var msg726 = msg("WEB_AUTH_FAIL", part767); + + var part768 = match("MESSAGE#722:WEB_AUTH_SUCCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated %{agent->} client (username %{c_username})", processor_chain([ + dup79, + dup33, + dup34, + dup36, + dup21, + setc("event_description","Authenticated client"), + dup22, + ])); + + var msg727 = msg("WEB_AUTH_SUCCESS", part768); + + var part769 = match("MESSAGE#723:WEB_INTERFACE_UNAUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Web services request received from unauthorized interface %{interface}", processor_chain([ + setc("eventcategory","1001030300"), + dup21, + setc("event_description","web request from unauthorized interface"), + dup22, + ])); + + var msg728 = msg("WEB_INTERFACE_UNAUTH", part769); + + var part770 = match("MESSAGE#724:WEB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to read from client: %{result}", processor_chain([ + 
dup73, + dup21, + setc("event_description","Unable to read from client"), + dup22, + ])); + + var msg729 = msg("WEB_READ", part770); + + var part771 = match("MESSAGE#725:WEBFILTER_REQUEST_NOT_CHECKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Error encountered: %{result}, failed to check request %{url}", processor_chain([ + setc("eventcategory","1204020100"), + dup21, + setc("event_description","failed to check web request"), + dup22, + ])); + + var msg730 = msg("WEBFILTER_REQUEST_NOT_CHECKED", part771); + + var part772 = match("MESSAGE#726:FLOW_REASSEMBLE_FAIL", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" destination-address=\"%{daddr}\" assembly-id=\"%{fld1}\"]", processor_chain([ + dup73, + dup52, + dup42, + dup21, + dup51, + ])); + + var msg731 = msg("FLOW_REASSEMBLE_FAIL", part772); + + var part773 = match("MESSAGE#727:eswd", "nwparser.payload", "%{process}[%{process_id}]: Bridge Address: add %{macaddr}", processor_chain([ + dup28, + dup21, + setc("event_description","Bridge Address"), + dup22, + ])); + + var msg732 = msg("eswd", part773); + + var part774 = match("MESSAGE#728:eswd:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: STP state for interface %{interface->} context id %{id->} changed from %{fld3}", processor_chain([ + dup28, + dup21, + setc("event_description","ESWD STP State Change Info"), + dup22, + ])); + + var msg733 = msg("eswd:01", part774); + + var select72 = linear_select([ + msg732, + msg733, + ]); + + var part775 = match("MESSAGE#729:/usr/sbin/cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD ( %{action})", processor_chain([ + dup28, + dup21, + dup25, + dup22, + ])); + + var msg734 = msg("/usr/sbin/cron", part775); + + var part776 = match("MESSAGE#730:chassism:02", "nwparser.payload", "%{process}[%{process_id}]: %{info}: ifd %{interface->} %{action}", processor_chain([ + dup28, + dup21, + setc("event_description","Link status change event"), 
+ dup22, + ])); + + var msg735 = msg("chassism:02", part776); + + var part777 = match("MESSAGE#731:chassism:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{interface}, %{action}", processor_chain([ + dup28, + dup21, + setc("event_description","ifd process flaps"), + dup22, + ])); + + var msg736 = msg("chassism:01", part777); + + var part778 = match("MESSAGE#732:chassism", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{action}", processor_chain([ + dup28, + dup21, + setc("event_description","IFCM "), + dup22, + ])); + + var msg737 = msg("chassism", part778); + + var select73 = linear_select([ + msg735, + msg736, + msg737, + ]); + + var msg738 = msg("WEBFILTER_URL_PERMITTED", dup155); + + var part779 = match("MESSAGE#734:WEBFILTER_URL_PERMITTED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7}", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var msg739 = msg("WEBFILTER_URL_PERMITTED:01", part779); + + var part780 = match("MESSAGE#735:WEBFILTER_URL_PERMITTED:03", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=%{fld4}", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var msg740 = msg("WEBFILTER_URL_PERMITTED:03", 
part780); + + var part781 = match("MESSAGE#736:WEBFILTER_URL_PERMITTED:02", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=%{url}", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var msg741 = msg("WEBFILTER_URL_PERMITTED:02", part781); + + var select74 = linear_select([ + msg738, + msg739, + msg740, + msg741, + ]); + + var msg742 = msg("WEBFILTER_URL_BLOCKED", dup155); + + var part782 = match("MESSAGE#738:WEBFILTER_URL_BLOCKED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url}", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var msg743 = msg("WEBFILTER_URL_BLOCKED:01", part782); + + var select75 = linear_select([ + msg742, + msg743, + ]); + + var part783 = match("MESSAGE#740:SECINTEL_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access url %{url->} on port %{network_port->} failed\u003c\u003c%{result}>.", processor_chain([ + dup45, + dup46, + dup22, + dup21, + dup126, + ])); + + var msg744 = msg("SECINTEL_NETWORK_CONNECT_FAILED", part783); + + var part784 = match("MESSAGE#741:AAMWD_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access host %{hostname->} on ip %{hostip->} port %{network_port->} %{result}.", processor_chain([ + dup45, + dup46, + dup22, + ])); + + var msg745 = 
msg("AAMWD_NETWORK_CONNECT_FAILED", part784); + + var part785 = match("MESSAGE#742:PKID_UNABLE_TO_GET_CRL", "nwparser.payload", "%{process}[%{process_id}]: %{id}: Failed to retrieve CRL from received file for %{node}", processor_chain([ + dup45, + dup46, + dup22, + dup21, + dup126, + ])); + + var msg746 = msg("PKID_UNABLE_TO_GET_CRL", part785); + + var part786 = match("MESSAGE#743:SECINTEL_ERROR_OTHERS", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> %{result}", processor_chain([ + dup45, + dup46, + dup22, + dup21, + dup126, + ])); + + var msg747 = msg("SECINTEL_ERROR_OTHERS", part786); + + var part787 = match("MESSAGE#744:JSRPD_HA_CONTROL_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{id}: HA control link monitor status is marked up", processor_chain([ + dup47, + dup46, + dup22, + dup21, + dup126, + ])); + + var msg748 = msg("JSRPD_HA_CONTROL_LINK_UP", part787); + + var part788 = match("MESSAGE#745:LACPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: LACPD_TIMEOUT: %{sinterface}: %{event_description}", processor_chain([ + dup45, + dup46, + dup22, + dup21, + dup126, + ])); + + var msg749 = msg("LACPD_TIMEOUT", part788); + + var msg750 = msg("cli", dup156); + + var msg751 = msg("pfed", dup156); + + var msg752 = msg("idpinfo", dup156); + + var msg753 = msg("kmd", dup156); + + var part789 = match("MESSAGE#751:node:01", "nwparser.payload", "%{hostname->} %{node->} Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ + dup20, + dup22, + dup21, + ])); + + var msg754 = msg("node:01", part789); + + var part790 = match("MESSAGE#752:node:02", "nwparser.payload", "%{hostname->} %{node->} %{process}: Trying peer connection, status %{resultcode}, attempt %{fld1}", processor_chain([ + dup20, + dup22, + dup21, + ])); + + var msg755 = msg("node:02", part790); + + var part791 = match("MESSAGE#753:node:03", "nwparser.payload", "%{hostname->} %{node->} %{process}: trying master connection, 
status %{resultcode}, attempt %{fld1}", processor_chain([ + dup20, + dup22, + dup21, + ])); + + var msg756 = msg("node:03", part791); + + var part792 = match("MESSAGE#754:node:04", "nwparser.payload", "%{hostname->} %{node->} %{fld1->} key %{fld2->} %{fld3->} port priority %{fld6->} %{fld4->} port %{portname->} %{fld5->} state %{resultcode}", processor_chain([ + dup20, + dup22, + dup21, + ])); + + var msg757 = msg("node:04", part792); + + var select76 = linear_select([ + dup129, + dup130, + ]); + + var part793 = match("MESSAGE#755:node:05/2", "nwparser.p0", "%{}sys priority %{fld4->} %{p0}"); + + var select77 = linear_select([ + dup130, + dup129, + ]); + + var part794 = match("MESSAGE#755:node:05/4", "nwparser.p0", "%{}sys %{interface}"); + + var all44 = all_match({ + processors: [ + dup128, + select76, + part793, + select77, + part794, + ], + on_success: processor_chain([ + dup20, + dup22, + dup21, + ]), + }); + + var msg758 = msg("node:05", all44); + + var part795 = match("MESSAGE#756:node:06/1_0", "nwparser.p0", "dst mac %{dinterface}"); + + var part796 = match("MESSAGE#756:node:06/1_1", "nwparser.p0", "src mac %{sinterface->} ether type %{fld1}"); + + var select78 = linear_select([ + part795, + part796, + ]); + + var all45 = all_match({ + processors: [ + dup128, + select78, + ], + on_success: processor_chain([ + dup20, + dup22, + dup21, + ]), + }); + + var msg759 = msg("node:06", all45); + + var part797 = match("MESSAGE#757:node:07", "nwparser.payload", "%{hostname->} %{node->} %{process}: interface %{interface->} trigger reth_scan", processor_chain([ + dup20, + dup22, + dup21, + ])); + + var msg760 = msg("node:07", part797); + + var part798 = match("MESSAGE#758:node:08", "nwparser.payload", "%{hostname->} %{node->} %{process}: %{info}", processor_chain([ + dup20, + dup22, + dup21, + ])); + + var msg761 = msg("node:08", part798); + + var part799 = match("MESSAGE#759:node:09", "nwparser.payload", "%{hostname->} %{node->} %{fld1}", processor_chain([ + dup20, + 
dup22, + dup21, + ])); + + var msg762 = msg("node:09", part799); + + var select79 = linear_select([ + msg754, + msg755, + msg756, + msg757, + msg758, + msg759, + msg760, + msg761, + msg762, + ]); + + var part800 = match("MESSAGE#760:(FPC:01", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: deleting active remote neighbor entry %{fld2->} from interface %{interface}.", processor_chain([ + dup20, + dup22, + dup21, + dup23, + ])); + + var msg763 = msg("(FPC:01", part800); + + var part801 = match("MESSAGE#761:(FPC:02", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type->} deleting nb %{fld2->} on ifd %{interface->} for cid %{fld3->} from active neighbor table", processor_chain([ + dup20, + dup22, + dup21, + dup23, + ])); + + var msg764 = msg("(FPC:02", part801); + + var part802 = match("MESSAGE#762:(FPC:03/0", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: M%{p0}"); + + var part803 = match("MESSAGE#762:(FPC:03/1_0", "nwparser.p0", "DOWN %{p0}"); + + var part804 = match("MESSAGE#762:(FPC:03/1_1", "nwparser.p0", "UP %{p0}"); + + var select80 = linear_select([ + part803, + part804, + ]); + + var part805 = match("MESSAGE#762:(FPC:03/2", "nwparser.p0", "%{}received for interface %{interface}, member of %{fld4}"); + + var all46 = all_match({ + processors: [ + part802, + select80, + part805, + ], + on_success: processor_chain([ + dup20, + dup22, + dup21, + dup23, + ]), + }); + + var msg765 = msg("(FPC:03", all46); + + var part806 = match("MESSAGE#763:(FPC:04", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: ifd=%{interface}, ifd flags=%{fld2}", processor_chain([ + dup20, + dup22, + dup21, + dup23, + ])); + + var msg766 = msg("(FPC:04", part806); + + var part807 = match("MESSAGE#764:(FPC:05", "nwparser.payload", "%{fld1}) %{node->} kernel: rdp keepalive expired, connection dropped - src %{fld3}:%{fld2->} dest %{fld4}:%{fld5}", processor_chain([ + dup20, + dup22, + dup21, + dup23, + ])); + + var msg767 = msg("(FPC:05", 
part807); + + var part808 = match("MESSAGE#765:(FPC", "nwparser.payload", "%{fld1}) %{node->} %{fld10}", processor_chain([ + dup20, + dup22, + dup21, + dup23, + ])); + + var msg768 = msg("(FPC", part808); + + var select81 = linear_select([ + msg763, + msg764, + msg765, + msg766, + msg767, + msg768, + ]); + + var part809 = match("MESSAGE#766:tnp.bootpd", "nwparser.payload", "%{process}[%{process_id}]:%{fld1}", processor_chain([ + dup47, + dup22, + dup21, + dup23, + ])); + + var msg769 = msg("tnp.bootpd", part809); + + var part810 = match("MESSAGE#769:AAMW_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} hostname=\"%{hostname}\" file-category=\"%{fld9}\" verdict-number=\"%{fld10}\" action=\"%{action}\" list-hit=\"%{fld19}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" policy-name=\"%{policyname}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" url=\"%{url}\"] %{fld27}", processor_chain([ + dup47, + dup51, + dup21, + dup60, + ])); + + var msg770 = msg("AAMW_ACTION_LOG", part810); + + var part811 = match("MESSAGE#770:AAMW_HOST_INFECTED_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" client-ip-str=\"%{hostip}\" hostname=\"%{hostname}\" status=\"%{fld13}\" policy-name=\"%{policyname}\" verdict-number=\"%{fld15}\" state=\"%{fld16}\" reason=\"%{result}\" message=\"%{info}\" %{fld3}", processor_chain([ + dup131, + dup51, + dup21, + dup60, + ])); + + var msg771 = msg("AAMW_HOST_INFECTED_EVENT_LOG", part811); + + var part812 = match("MESSAGE#771:AAMW_MALWARE_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" sample-sha256=\"%{checksum}\" client-ip-str=\"%{hostip}\" 
verdict-number=\"%{fld26}\" malware-info=\"%{threat_name}\" username=\"%{username}\" hostname=\"%{hostname}\" %{fld3}", processor_chain([ + dup131, + dup51, + dup21, + ])); + + var msg772 = msg("AAMW_MALWARE_EVENT_LOG", part812); + + var part813 = match("MESSAGE#772:IDP_ATTACK_LOG_EVENT", "nwparser.payload", "%{event_type}[junos@%{fld32->} epoch-time=\"%{fld1}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" service-name=\"%{service}\" application-name=\"%{application}\" rule-name=\"%{fld5}\" rulebase-name=\"%{rulename}\" policy-name=\"%{policyname}\" export-id=\"%{fld6}\" repeat-count=\"%{fld7}\" action=\"%{action}\" threat-severity=\"%{severity}\" attack-name=\"%{threat_name}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" elapsed-time=%{fld8->} inbound-bytes=\"%{rbytes}\" outbound-bytes=\"%{sbytes}\" inbound-packets=\"%{packets}\" outbound-packets=\"%{dclass_counter1}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" packet-log-id=\"%{fld9}\" alert=\"%{fld19}\" username=\"%{username}\" roles=\"%{fld15}\" message=\"%{fld28}\" %{fld3}", processor_chain([ + dup80, + dup51, + dup21, + dup60, + ])); + + var msg773 = msg("IDP_ATTACK_LOG_EVENT", part813); + + var part814 = match("MESSAGE#773:RT_SCREEN_ICMP", "nwparser.payload", "%{event_type}[junos@%{fld32->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"] %{fld23}", processor_chain([ + dup80, + dup51, + dup21, + dup60, + ])); + + var msg774 = msg("RT_SCREEN_ICMP", part814); + + var part815 = match("MESSAGE#774:SECINTEL_ACTION_LOG", "nwparser.payload", 
"%{event_type}[junos@%{fld32->} category=\"%{fld1}\" sub-category=\"%{fld2}\" action=\"%{action}\" action-detail=\"%{fld4}\" http-host=\"%{fld17}\" threat-severity=\"%{severity}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld5}\" nested-application=\"%{fld6}\" feed-name=\"%{fld18}\" policy-name=\"%{policyname}\" profile-name=\"%{rulename}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\"]%{fld10}", processor_chain([ + dup45, + dup51, + dup21, + dup60, + ])); + + var msg775 = msg("SECINTEL_ACTION_LOG", part815); + + var part816 = match("MESSAGE#775:qsfp/0", "nwparser.payload", "%{hostname->} %{p0}"); + + var part817 = match("MESSAGE#775:qsfp/1_0", "nwparser.p0", "%{fld2->} %{fld3->} %{process}: qsfp-%{interface->} Chan# %{p0}"); + + var part818 = match("MESSAGE#775:qsfp/1_1", "nwparser.p0", "%{fld2->} qsfp-%{interface->} Chan# %{p0}"); + + var select82 = linear_select([ + part817, + part818, + ]); + + var part819 = match("MESSAGE#775:qsfp/2", "nwparser.p0", "%{fld5}:%{event_description}"); + + var all47 = all_match({ + processors: [ + part816, + select82, + part819, + ], + on_success: processor_chain([ + dup20, + dup21, + dup22, + ]), + }); + + var msg776 = msg("qsfp", all47); + + var part820 = match("MESSAGE#776:JUNOSROUTER_GENERIC:03", "nwparser.payload", "%{event_type}: User '%{username}', command '%{action}'", processor_chain([ + dup20, + dup21, + dup119, + dup22, + ])); + + var msg777 = msg("JUNOSROUTER_GENERIC:03", part820); + + var part821 = match("MESSAGE#777:JUNOSROUTER_GENERIC:04", "nwparser.payload", "%{event_type}: User '%{username}' %{fld1}", processor_chain([ + dup123, + dup33, + dup34, + dup124, + dup36, + dup21, + setc("event_description","LOGOUT"), + dup22, + ])); + + var msg778 = msg("JUNOSROUTER_GENERIC:04", part821); + + var 
part822 = match("MESSAGE#778:JUNOSROUTER_GENERIC:05", "nwparser.payload", "%{event_type}: TACACS+ failure: %{result}", processor_chain([ + dup29, + dup21, + dup127, + dup22, + ])); + + var msg779 = msg("JUNOSROUTER_GENERIC:05", part822); + + var part823 = match("MESSAGE#779:JUNOSROUTER_GENERIC:06", "nwparser.payload", "%{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ + dup29, + dup21, + dup56, + dup22, + ])); + + var msg780 = msg("JUNOSROUTER_GENERIC:06", part823); + + var part824 = match("MESSAGE#780:JUNOSROUTER_GENERIC:07", "nwparser.payload", "%{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ + dup20, + dup21, + dup37, + dup22, + ])); + + var msg781 = msg("JUNOSROUTER_GENERIC:07", part824); + + var part825 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/0", "nwparser.payload", "%{event_type}: NOTIFICATION received from %{p0}"); + + var part826 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_0", "nwparser.p0", "%{daddr->} (%{dhost}): code %{resultcode->} (%{action}), socket buffer sndcc: %{fld1->} rcvcc: %{fld2->} TCP state: %{event_state}, snd_una: %{fld3->} snd_nxt: %{fld4->} snd_wnd: %{fld5->} rcv_nxt: %{fld6->} rcv_adv: %{fld7}, hold timer %{fld8}"); + + var part827 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_1", "nwparser.p0", "%{daddr->} (%{dhost}): code %{resultcode->} (%{action})"); + + var select83 = linear_select([ + part826, + part827, + ]); + + var all48 = all_match({ + processors: [ + part825, + select83, + ], + on_success: processor_chain([ + dup20, + dup21, + dup37, + dup22, + ]), + }); + + var msg782 = msg("JUNOSROUTER_GENERIC:08", all48); + + var part828 = match("MESSAGE#782:JUNOSROUTER_GENERIC:09", "nwparser.payload", "%{event_type}: [edit interfaces%{interface}unit%{fld1}family inet address%{hostip}/%{network_port}] :%{event_description}:%{info}", processor_chain([ + dup20, + dup21, + dup22, + ])); + + var 
msg783 = msg("JUNOSROUTER_GENERIC:09", part828); + + var part829 = match("MESSAGE#783:JUNOSROUTER_GENERIC:01", "nwparser.payload", "%{event_type->} Interface Monitor failed %{fld1}", processor_chain([ + dup132, + dup22, + dup21, + setc("event_description","Interface Monitor failed "), + dup23, + ])); + + var msg784 = msg("JUNOSROUTER_GENERIC:01", part829); + + var part830 = match("MESSAGE#784:JUNOSROUTER_GENERIC:02", "nwparser.payload", "%{event_type->} Interface Monitor failure recovered %{fld1}", processor_chain([ + dup132, + dup22, + dup21, + setc("event_description","Interface Monitor failure recovered"), + dup23, + ])); + + var msg785 = msg("JUNOSROUTER_GENERIC:02", part830); + + var part831 = match("MESSAGE#785:JUNOSROUTER_GENERIC", "nwparser.payload", "%{event_type->} %{fld1}", processor_chain([ + dup132, + dup22, + dup21, + dup23, + ])); + + var msg786 = msg("JUNOSROUTER_GENERIC", part831); + + var select84 = linear_select([ + msg777, + msg778, + msg779, + msg780, + msg781, + msg782, + msg783, + msg784, + msg785, + msg786, + ]); + + var chain1 = processor_chain([ + select5, + msgid_select({ + "(FPC": select81, + "/usr/libexec/telnetd": msg2, + "/usr/sbin/cron": msg734, + "/usr/sbin/sshd": msg1, + "AAMWD_NETWORK_CONNECT_FAILED": msg745, + "AAMW_ACTION_LOG": msg770, + "AAMW_HOST_INFECTED_EVENT_LOG": msg771, + "AAMW_MALWARE_EVENT_LOG": msg772, + "ACCT_ACCOUNTING_FERROR": msg114, + "ACCT_ACCOUNTING_FOPEN_ERROR": msg115, + "ACCT_ACCOUNTING_SMALL_FILE_SIZE": msg116, + "ACCT_BAD_RECORD_FORMAT": msg117, + "ACCT_CU_RTSLIB_error": msg118, + "ACCT_GETHOSTNAME_error": msg119, + "ACCT_MALLOC_FAILURE": msg120, + "ACCT_UNDEFINED_COUNTER_NAME": msg121, + "ACCT_XFER_FAILED": msg122, + "ACCT_XFER_POPEN_FAIL": msg123, + "APPQOS_LOG_EVENT": msg124, + "APPTRACK_SESSION_CLOSE": select30, + "APPTRACK_SESSION_CREATE": msg125, + "APPTRACK_SESSION_VOL_UPDATE": select31, + "BCHIP": msg106, + "BFDD_TRAP_STATE_DOWN": msg130, + "BFDD_TRAP_STATE_UP": msg131, + "BOOTPD_ARG_ERR": msg143, + 
"BOOTPD_BAD_ID": msg144, + "BOOTPD_BOOTSTRING": msg145, + "BOOTPD_CONFIG_ERR": msg146, + "BOOTPD_CONF_OPEN": msg147, + "BOOTPD_DUP_REV": msg148, + "BOOTPD_DUP_SLOT": msg149, + "BOOTPD_MODEL_CHK": msg150, + "BOOTPD_MODEL_ERR": msg151, + "BOOTPD_NEW_CONF": msg152, + "BOOTPD_NO_BOOTSTRING": msg153, + "BOOTPD_NO_CONFIG": msg154, + "BOOTPD_PARSE_ERR": msg155, + "BOOTPD_REPARSE": msg156, + "BOOTPD_SELECT_ERR": msg157, + "BOOTPD_TIMEOUT": msg158, + "BOOTPD_VERSION": msg159, + "CHASSISD": msg160, + "CHASSISD_ARGUMENT_ERROR": msg161, + "CHASSISD_BLOWERS_SPEED": msg162, + "CHASSISD_BLOWERS_SPEED_FULL": msg163, + "CHASSISD_CB_READ": msg164, + "CHASSISD_COMMAND_ACK_ERROR": msg165, + "CHASSISD_COMMAND_ACK_SF_ERROR": msg166, + "CHASSISD_CONCAT_MODE_ERROR": msg167, + "CHASSISD_CONFIG_INIT_ERROR": msg168, + "CHASSISD_CONFIG_WARNING": msg169, + "CHASSISD_EXISTS": msg170, + "CHASSISD_EXISTS_TERM_OTHER": msg171, + "CHASSISD_FILE_OPEN": msg172, + "CHASSISD_FILE_STAT": msg173, + "CHASSISD_FRU_EVENT": msg174, + "CHASSISD_FRU_IPC_WRITE_ERROR_EXT": msg175, + "CHASSISD_FRU_STEP_ERROR": msg176, + "CHASSISD_GETTIMEOFDAY": msg177, + "CHASSISD_HIGH_TEMP_CONDITION": msg214, + "CHASSISD_HOST_TEMP_READ": msg178, + "CHASSISD_IFDEV_DETACH_ALL_PSEUDO": msg179, + "CHASSISD_IFDEV_DETACH_FPC": msg180, + "CHASSISD_IFDEV_DETACH_PIC": msg181, + "CHASSISD_IFDEV_DETACH_PSEUDO": msg182, + "CHASSISD_IFDEV_DETACH_TLV_ERROR": msg183, + "CHASSISD_IFDEV_GET_BY_INDEX_FAIL": msg184, + "CHASSISD_IPC_MSG_QFULL_ERROR": msg185, + "CHASSISD_IPC_UNEXPECTED_RECV": msg186, + "CHASSISD_IPC_WRITE_ERR_NO_PIPE": msg187, + "CHASSISD_IPC_WRITE_ERR_NULL_ARGS": msg188, + "CHASSISD_MAC_ADDRESS_ERROR": msg189, + "CHASSISD_MAC_DEFAULT": msg190, + "CHASSISD_MBUS_ERROR": msg191, + "CHASSISD_PARSE_COMPLETE": msg192, + "CHASSISD_PARSE_ERROR": msg193, + "CHASSISD_PARSE_INIT": msg194, + "CHASSISD_PIDFILE_OPEN": msg195, + "CHASSISD_PIPE_WRITE_ERROR": msg196, + "CHASSISD_POWER_CHECK": msg197, + "CHASSISD_RECONNECT_SUCCESSFUL": msg198, + 
"CHASSISD_RELEASE_MASTERSHIP": msg199, + "CHASSISD_RE_INIT_INVALID_RE_SLOT": msg200, + "CHASSISD_ROOT_MOUNT_ERROR": msg201, + "CHASSISD_RTS_SEQ_ERROR": msg202, + "CHASSISD_SBOARD_VERSION_MISMATCH": msg203, + "CHASSISD_SERIAL_ID": msg204, + "CHASSISD_SMB_ERROR": msg205, + "CHASSISD_SNMP_TRAP10": msg208, + "CHASSISD_SNMP_TRAP6": msg206, + "CHASSISD_SNMP_TRAP7": msg207, + "CHASSISD_TERM_SIGNAL": msg209, + "CHASSISD_TRACE_PIC_OFFLINE": msg210, + "CHASSISD_UNEXPECTED_EXIT": msg211, + "CHASSISD_UNSUPPORTED_MODEL": msg212, + "CHASSISD_VERSION_MISMATCH": msg213, + "CM": msg107, + "CM_JAVA": msg216, + "COS": msg108, + "COSFPC": msg109, + "COSMAN": msg110, + "CRON": msg16, + "CROND": select11, + "Cmerror": msg17, + "DCD_AS_ROOT": msg217, + "DCD_FILTER_LIB_ERROR": msg218, + "DCD_MALLOC_FAILED_INIT": msg219, + "DCD_PARSE_EMERGENCY": msg220, + "DCD_PARSE_FILTER_EMERGENCY": msg221, + "DCD_PARSE_MINI_EMERGENCY": msg222, + "DCD_PARSE_STATE_EMERGENCY": msg223, + "DCD_POLICER_PARSE_EMERGENCY": msg224, + "DCD_PULL_LOG_FAILURE": msg225, + "DFWD_ARGUMENT_ERROR": msg226, + "DFWD_MALLOC_FAILED_INIT": msg227, + "DFWD_PARSE_FILTER_EMERGENCY": msg228, + "DFWD_PARSE_STATE_EMERGENCY": msg229, + "ECCD_DAEMONIZE_FAILED": msg230, + "ECCD_DUPLICATE": msg231, + "ECCD_LOOP_EXIT_FAILURE": msg232, + "ECCD_NOT_ROOT": msg233, + "ECCD_PCI_FILE_OPEN_FAILED": msg234, + "ECCD_PCI_READ_FAILED": msg235, + "ECCD_PCI_WRITE_FAILED": msg236, + "ECCD_PID_FILE_LOCK": msg237, + "ECCD_PID_FILE_UPDATE": msg238, + "ECCD_TRACE_FILE_OPEN_FAILED": msg239, + "ECCD_usage": msg240, + "EVENT": msg23, + "EVENTD_AUDIT_SHOW": msg241, + "FLOW_REASSEMBLE_FAIL": msg731, + "FLOW_REASSEMBLE_SUCCEED": msg242, + "FSAD_CHANGE_FILE_OWNER": msg243, + "FSAD_CONFIG_ERROR": msg244, + "FSAD_CONNTIMEDOUT": msg245, + "FSAD_FAILED": msg246, + "FSAD_FETCHTIMEDOUT": msg247, + "FSAD_FILE_FAILED": msg248, + "FSAD_FILE_REMOVE": msg249, + "FSAD_FILE_RENAME": msg250, + "FSAD_FILE_STAT": msg251, + "FSAD_FILE_SYNC": msg252, + "FSAD_MAXCONN": msg253, + 
"FSAD_MEMORYALLOC_FAILED": msg254, + "FSAD_NOT_ROOT": msg255, + "FSAD_PARENT_DIRECTORY": msg256, + "FSAD_PATH_IS_DIRECTORY": msg257, + "FSAD_PATH_IS_SPECIAL": msg258, + "FSAD_RECVERROR": msg259, + "FSAD_TERMINATED_CONNECTION": msg260, + "FSAD_TERMINATING_SIGNAL": msg261, + "FSAD_TRACEOPEN_FAILED": msg262, + "FSAD_USAGE": msg263, + "Failed": select25, + "GGSN_ALARM_TRAP_FAILED": msg264, + "GGSN_ALARM_TRAP_SEND": msg265, + "GGSN_TRAP_SEND": msg266, + "IDP_ATTACK_LOG_EVENT": msg773, + "JADE_AUTH_ERROR": msg267, + "JADE_EXEC_ERROR": msg268, + "JADE_NO_LOCAL_USER": msg269, + "JADE_PAM_ERROR": msg270, + "JADE_PAM_NO_LOCAL_USER": msg271, + "JSRPD_HA_CONTROL_LINK_UP": msg748, + "JUNOSROUTER_GENERIC": select84, + "KERN_ARP_ADDR_CHANGE": msg272, + "KMD_PM_SA_ESTABLISHED": msg273, + "L2CPD_TASK_REINIT": msg274, + "LACPD_TIMEOUT": msg749, + "LIBJNX_EXEC_EXITED": msg275, + "LIBJNX_EXEC_FAILED": msg276, + "LIBJNX_EXEC_PIPE": msg277, + "LIBJNX_EXEC_SIGNALED": msg278, + "LIBJNX_EXEC_WEXIT": msg279, + "LIBJNX_FILE_COPY_FAILED": msg280, + "LIBJNX_PRIV_LOWER_FAILED": msg281, + "LIBJNX_PRIV_RAISE_FAILED": msg282, + "LIBJNX_REPLICATE_RCP_EXEC_FAILED": msg283, + "LIBJNX_ROTATE_COMPRESS_EXEC_FAILED": msg284, + "LIBSERVICED_CLIENT_CONNECTION": msg285, + "LIBSERVICED_OUTBOUND_REQUEST": msg286, + "LIBSERVICED_SNMP_LOST_CONNECTION": msg287, + "LIBSERVICED_SOCKET_BIND": msg288, + "LIBSERVICED_SOCKET_PRIVATIZE": msg289, + "LICENSE_EXPIRED": msg290, + "LICENSE_EXPIRED_KEY_DELETED": msg291, + "LICENSE_NEARING_EXPIRY": msg292, + "LOGIN_ABORTED": msg293, + "LOGIN_FAILED": msg294, + "LOGIN_FAILED_INCORRECT_PASSWORD": msg295, + "LOGIN_FAILED_SET_CONTEXT": msg296, + "LOGIN_FAILED_SET_LOGIN": msg297, + "LOGIN_HOSTNAME_UNRESOLVED": msg298, + "LOGIN_INFORMATION": msg299, + "LOGIN_INVALID_LOCAL_USER": msg300, + "LOGIN_MALFORMED_USER": msg301, + "LOGIN_PAM_AUTHENTICATION_ERROR": msg302, + "LOGIN_PAM_ERROR": msg303, + "LOGIN_PAM_MAX_RETRIES": msg304, + "LOGIN_PAM_NONLOCAL_USER": msg305, + "LOGIN_PAM_STOP": 
msg306, + "LOGIN_PAM_USER_UNKNOWN": msg307, + "LOGIN_PASSWORD_EXPIRED": msg308, + "LOGIN_REFUSED": msg309, + "LOGIN_ROOT": msg310, + "LOGIN_TIMED_OUT": msg311, + "MIB2D_ATM_ERROR": msg312, + "MIB2D_CONFIG_CHECK_FAILED": msg313, + "MIB2D_FILE_OPEN_FAILURE": msg314, + "MIB2D_IFD_IFINDEX_FAILURE": msg315, + "MIB2D_IFL_IFINDEX_FAILURE": msg316, + "MIB2D_INIT_FAILURE": msg317, + "MIB2D_KVM_FAILURE": msg318, + "MIB2D_RTSLIB_READ_FAILURE": msg319, + "MIB2D_RTSLIB_SEQ_MISMATCH": msg320, + "MIB2D_SYSCTL_FAILURE": msg321, + "MIB2D_TRAP_HEADER_FAILURE": msg322, + "MIB2D_TRAP_SEND_FAILURE": msg323, + "MRVL-L2": msg56, + "Multiuser": msg324, + "NASD_AUTHENTICATION_CREATE_FAILED": msg325, + "NASD_CHAP_AUTHENTICATION_IN_PROGRESS": msg326, + "NASD_CHAP_GETHOSTNAME_FAILED": msg327, + "NASD_CHAP_INVALID_CHAP_IDENTIFIER": msg328, + "NASD_CHAP_INVALID_OPCODE": msg329, + "NASD_CHAP_LOCAL_NAME_UNAVAILABLE": msg330, + "NASD_CHAP_MESSAGE_UNEXPECTED": msg331, + "NASD_CHAP_REPLAY_ATTACK_DETECTED": msg332, + "NASD_CONFIG_GET_LAST_MODIFIED_FAILED": msg333, + "NASD_DAEMONIZE_FAILED": msg334, + "NASD_DB_ALLOC_FAILURE": msg335, + "NASD_DB_TABLE_CREATE_FAILURE": msg336, + "NASD_DUPLICATE": msg337, + "NASD_EVLIB_CREATE_FAILURE": msg338, + "NASD_EVLIB_EXIT_FAILURE": msg339, + "NASD_LOCAL_CREATE_FAILED": msg340, + "NASD_NOT_ROOT": msg341, + "NASD_PID_FILE_LOCK": msg342, + "NASD_PID_FILE_UPDATE": msg343, + "NASD_POST_CONFIGURE_EVENT_FAILED": msg344, + "NASD_PPP_READ_FAILURE": msg345, + "NASD_PPP_SEND_FAILURE": msg346, + "NASD_PPP_SEND_PARTIAL": msg347, + "NASD_PPP_UNRECOGNIZED": msg348, + "NASD_RADIUS_ALLOCATE_PASSWORD_FAILED": msg349, + "NASD_RADIUS_CONFIG_FAILED": msg350, + "NASD_RADIUS_CREATE_FAILED": msg351, + "NASD_RADIUS_CREATE_REQUEST_FAILED": msg352, + "NASD_RADIUS_GETHOSTNAME_FAILED": msg353, + "NASD_RADIUS_MESSAGE_UNEXPECTED": msg354, + "NASD_RADIUS_OPEN_FAILED": msg355, + "NASD_RADIUS_SELECT_FAILED": msg356, + "NASD_RADIUS_SET_TIMER_FAILED": msg357, + "NASD_TRACE_FILE_OPEN_FAILED": msg358, 
+ "NASD_usage": msg359, + "NOTICE": msg360, + "PFEMAN": msg61, + "PFE_FW_SYSLOG_IP": select36, + "PFE_NH_RESOLVE_THROTTLED": msg363, + "PING_TEST_COMPLETED": msg364, + "PING_TEST_FAILED": msg365, + "PKID_UNABLE_TO_GET_CRL": msg746, + "PWC_EXIT": msg368, + "PWC_HOLD_RELEASE": msg369, + "PWC_INVALID_RUNS_ARGUMENT": msg370, + "PWC_INVALID_TIMEOUT_ARGUMENT": msg371, + "PWC_KILLED_BY_SIGNAL": msg372, + "PWC_KILL_EVENT": msg373, + "PWC_KILL_FAILED": msg374, + "PWC_KQUEUE_ERROR": msg375, + "PWC_KQUEUE_INIT": msg376, + "PWC_KQUEUE_REGISTER_FILTER": msg377, + "PWC_LOCKFILE_BAD_FORMAT": msg378, + "PWC_LOCKFILE_ERROR": msg379, + "PWC_LOCKFILE_MISSING": msg380, + "PWC_LOCKFILE_NOT_LOCKED": msg381, + "PWC_NO_PROCESS": msg382, + "PWC_PROCESS_EXIT": msg383, + "PWC_PROCESS_FORCED_HOLD": msg384, + "PWC_PROCESS_HOLD": msg385, + "PWC_PROCESS_HOLD_SKIPPED": msg386, + "PWC_PROCESS_OPEN": msg387, + "PWC_PROCESS_TIMED_HOLD": msg388, + "PWC_PROCESS_TIMEOUT": msg389, + "PWC_SIGNAL_INIT": msg390, + "PWC_SOCKET_CONNECT": msg391, + "PWC_SOCKET_CREATE": msg392, + "PWC_SOCKET_OPTION": msg393, + "PWC_STDOUT_WRITE": msg394, + "PWC_SYSTEM_CALL": msg395, + "PWC_UNKNOWN_KILL_OPTION": msg396, + "RDP": msg111, + "RMOPD_ADDRESS_MULTICAST_INVALID": msg397, + "RMOPD_ADDRESS_SOURCE_INVALID": msg398, + "RMOPD_ADDRESS_STRING_FAILURE": msg399, + "RMOPD_ADDRESS_TARGET_INVALID": msg400, + "RMOPD_DUPLICATE": msg401, + "RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED": msg402, + "RMOPD_ICMP_SENDMSG_FAILURE": msg403, + "RMOPD_IFINDEX_NOT_ACTIVE": msg404, + "RMOPD_IFINDEX_NO_INFO": msg405, + "RMOPD_IFNAME_NOT_ACTIVE": msg406, + "RMOPD_IFNAME_NO_INFO": msg407, + "RMOPD_NOT_ROOT": msg408, + "RMOPD_ROUTING_INSTANCE_NO_INFO": msg409, + "RMOPD_TRACEROUTE_ERROR": msg410, + "RMOPD_usage": msg411, + "RPD_ABORT": msg412, + "RPD_ACTIVE_TERMINATE": msg413, + "RPD_ASSERT": msg414, + "RPD_ASSERT_SOFT": msg415, + "RPD_EXIT": msg416, + "RPD_IFL_INDEXCOLLISION": msg417, + "RPD_IFL_NAMECOLLISION": msg418, + "RPD_ISIS_ADJDOWN": msg419, + 
"RPD_ISIS_ADJUP": msg420, + "RPD_ISIS_ADJUPNOIP": msg421, + "RPD_ISIS_LSPCKSUM": msg422, + "RPD_ISIS_OVERLOAD": msg423, + "RPD_KRT_AFUNSUPRT": msg424, + "RPD_KRT_CCC_IFL_MODIFY": msg425, + "RPD_KRT_DELETED_RTT": msg426, + "RPD_KRT_IFA_GENERATION": msg427, + "RPD_KRT_IFDCHANGE": msg428, + "RPD_KRT_IFDEST_GET": msg429, + "RPD_KRT_IFDGET": msg430, + "RPD_KRT_IFD_GENERATION": msg431, + "RPD_KRT_IFL_CELL_RELAY_MODE_INVALID": msg432, + "RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED": msg433, + "RPD_KRT_IFL_GENERATION": msg434, + "RPD_KRT_KERNEL_BAD_ROUTE": msg435, + "RPD_KRT_NEXTHOP_OVERFLOW": msg436, + "RPD_KRT_NOIFD": msg437, + "RPD_KRT_UNKNOWN_RTT": msg438, + "RPD_KRT_VERSION": msg439, + "RPD_KRT_VERSIONNONE": msg440, + "RPD_KRT_VERSIONOLD": msg441, + "RPD_LDP_INTF_BLOCKED": msg442, + "RPD_LDP_INTF_UNBLOCKED": msg443, + "RPD_LDP_NBRDOWN": msg444, + "RPD_LDP_NBRUP": msg445, + "RPD_LDP_SESSIONDOWN": msg446, + "RPD_LDP_SESSIONUP": msg447, + "RPD_LOCK_FLOCKED": msg448, + "RPD_LOCK_LOCKED": msg449, + "RPD_MPLS_LSP_CHANGE": msg450, + "RPD_MPLS_LSP_DOWN": msg451, + "RPD_MPLS_LSP_SWITCH": msg452, + "RPD_MPLS_LSP_UP": msg453, + "RPD_MSDP_PEER_DOWN": msg454, + "RPD_MSDP_PEER_UP": msg455, + "RPD_OSPF_NBRDOWN": msg456, + "RPD_OSPF_NBRUP": msg457, + "RPD_OS_MEMHIGH": msg458, + "RPD_PIM_NBRDOWN": msg459, + "RPD_PIM_NBRUP": msg460, + "RPD_RDISC_CKSUM": msg461, + "RPD_RDISC_NOMULTI": msg462, + "RPD_RDISC_NORECVIF": msg463, + "RPD_RDISC_SOLICITADDR": msg464, + "RPD_RDISC_SOLICITICMP": msg465, + "RPD_RDISC_SOLICITLEN": msg466, + "RPD_RIP_AUTH": msg467, + "RPD_RIP_JOIN_BROADCAST": msg468, + "RPD_RIP_JOIN_MULTICAST": msg469, + "RPD_RT_IFUP": msg470, + "RPD_SCHED_CALLBACK_LONGRUNTIME": msg471, + "RPD_SCHED_CUMULATIVE_LONGRUNTIME": msg472, + "RPD_SCHED_MODULE_LONGRUNTIME": msg473, + "RPD_SCHED_TASK_LONGRUNTIME": msg474, + "RPD_SIGNAL_TERMINATE": msg475, + "RPD_START": msg476, + "RPD_SYSTEM": msg477, + "RPD_TASK_BEGIN": msg478, + "RPD_TASK_CHILDKILLED": msg479, + "RPD_TASK_CHILDSTOPPED": msg480, 
+ "RPD_TASK_FORK": msg481, + "RPD_TASK_GETWD": msg482, + "RPD_TASK_NOREINIT": msg483, + "RPD_TASK_PIDCLOSED": msg484, + "RPD_TASK_PIDFLOCK": msg485, + "RPD_TASK_PIDWRITE": msg486, + "RPD_TASK_REINIT": msg487, + "RPD_TASK_SIGNALIGNORE": msg488, + "RT_COS": msg489, + "RT_FLOW_SESSION_CLOSE": select51, + "RT_FLOW_SESSION_CREATE": select45, + "RT_FLOW_SESSION_DENY": select47, + "RT_SCREEN_ICMP": msg774, + "RT_SCREEN_IP": select52, + "RT_SCREEN_SESSION_LIMIT": msg504, + "RT_SCREEN_TCP": msg503, + "RT_SCREEN_UDP": msg505, + "Resolve": msg63, + "SECINTEL_ACTION_LOG": msg775, + "SECINTEL_ERROR_OTHERS": msg747, + "SECINTEL_NETWORK_CONNECT_FAILED": msg744, + "SERVICED_CLIENT_CONNECT": msg506, + "SERVICED_CLIENT_DISCONNECTED": msg507, + "SERVICED_CLIENT_ERROR": msg508, + "SERVICED_COMMAND_FAILED": msg509, + "SERVICED_COMMIT_FAILED": msg510, + "SERVICED_CONFIGURATION_FAILED": msg511, + "SERVICED_CONFIG_ERROR": msg512, + "SERVICED_CONFIG_FILE": msg513, + "SERVICED_CONNECTION_ERROR": msg514, + "SERVICED_DISABLED_GGSN": msg515, + "SERVICED_DUPLICATE": msg516, + "SERVICED_EVENT_FAILED": msg517, + "SERVICED_INIT_FAILED": msg518, + "SERVICED_MALLOC_FAILURE": msg519, + "SERVICED_NETWORK_FAILURE": msg520, + "SERVICED_NOT_ROOT": msg521, + "SERVICED_PID_FILE_LOCK": msg522, + "SERVICED_PID_FILE_UPDATE": msg523, + "SERVICED_RTSOCK_SEQUENCE": msg524, + "SERVICED_SIGNAL_HANDLER": msg525, + "SERVICED_SOCKET_CREATE": msg526, + "SERVICED_SOCKET_IO": msg527, + "SERVICED_SOCKET_OPTION": msg528, + "SERVICED_STDLIB_FAILURE": msg529, + "SERVICED_USAGE": msg530, + "SERVICED_WORK_INCONSISTENCY": msg531, + "SNMPD_ACCESS_GROUP_ERROR": msg537, + "SNMPD_AUTH_FAILURE": select53, + "SNMPD_AUTH_PRIVILEGES_EXCEEDED": msg542, + "SNMPD_AUTH_RESTRICTED_ADDRESS": msg543, + "SNMPD_AUTH_WRONG_PDU_TYPE": msg544, + "SNMPD_CONFIG_ERROR": msg545, + "SNMPD_CONTEXT_ERROR": msg546, + "SNMPD_ENGINE_FILE_FAILURE": msg547, + "SNMPD_ENGINE_PROCESS_ERROR": msg548, + "SNMPD_FILE_FAILURE": msg549, + "SNMPD_GROUP_ERROR": msg550, 
+ "SNMPD_INIT_FAILED": msg551, + "SNMPD_LIBJUNIPER_FAILURE": msg552, + "SNMPD_LOOPBACK_ADDR_ERROR": msg553, + "SNMPD_MEMORY_FREED": msg554, + "SNMPD_RADIX_FAILURE": msg555, + "SNMPD_RECEIVE_FAILURE": msg556, + "SNMPD_RMONFILE_FAILURE": msg557, + "SNMPD_RMON_COOKIE": msg558, + "SNMPD_RMON_EVENTLOG": msg559, + "SNMPD_RMON_IOERROR": msg560, + "SNMPD_RMON_MIBERROR": msg561, + "SNMPD_RTSLIB_ASYNC_EVENT": msg562, + "SNMPD_SEND_FAILURE": select54, + "SNMPD_SOCKET_FAILURE": msg565, + "SNMPD_SUBAGENT_NO_BUFFERS": msg566, + "SNMPD_SUBAGENT_SEND_FAILED": msg567, + "SNMPD_SYSLIB_FAILURE": msg568, + "SNMPD_THROTTLE_QUEUE_DRAINED": msg569, + "SNMPD_TRAP_COLD_START": msg570, + "SNMPD_TRAP_GEN_FAILURE": msg571, + "SNMPD_TRAP_GEN_FAILURE2": msg572, + "SNMPD_TRAP_INVALID_DATA": msg573, + "SNMPD_TRAP_NOT_ENOUGH_VARBINDS": msg574, + "SNMPD_TRAP_QUEUED": msg575, + "SNMPD_TRAP_QUEUE_DRAINED": msg576, + "SNMPD_TRAP_QUEUE_MAX_ATTEMPTS": msg577, + "SNMPD_TRAP_QUEUE_MAX_SIZE": msg578, + "SNMPD_TRAP_THROTTLED": msg579, + "SNMPD_TRAP_TYPE_ERROR": msg580, + "SNMPD_TRAP_VARBIND_TYPE_ERROR": msg581, + "SNMPD_TRAP_VERSION_ERROR": msg582, + "SNMPD_TRAP_WARM_START": msg583, + "SNMPD_USER_ERROR": msg584, + "SNMPD_VIEW_DELETE": msg585, + "SNMPD_VIEW_INSTALL_DEFAULT": msg586, + "SNMPD_VIEW_OID_PARSE": msg587, + "SNMP_GET_ERROR1": msg588, + "SNMP_GET_ERROR2": msg589, + "SNMP_GET_ERROR3": msg590, + "SNMP_GET_ERROR4": msg591, + "SNMP_NS_LOG_INFO": msg535, + "SNMP_RTSLIB_FAILURE": msg592, + "SNMP_SUBAGENT_IPC_REG_ROWS": msg536, + "SNMP_TRAP_LINK_DOWN": select55, + "SNMP_TRAP_LINK_UP": select56, + "SNMP_TRAP_PING_PROBE_FAILED": msg597, + "SNMP_TRAP_PING_TEST_COMPLETED": msg598, + "SNMP_TRAP_PING_TEST_FAILED": msg599, + "SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE": msg600, + "SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED": msg601, + "SNMP_TRAP_TRACE_ROUTE_TEST_FAILED": msg602, + "SNTPD": msg112, + "SSB": msg113, + "SSHD_LOGIN_FAILED": select57, + "SSL_PROXY_SESSION_IGNORE": msg534, + "SSL_PROXY_SSL_SESSION_ALLOW": msg532, + 
"SSL_PROXY_SSL_SESSION_DROP": msg533, + "TASK_TASK_REINIT": msg606, + "TFTPD_AF_ERR": msg607, + "TFTPD_BIND_ERR": msg608, + "TFTPD_CONNECT_ERR": msg609, + "TFTPD_CONNECT_INFO": msg610, + "TFTPD_CREATE_ERR": msg611, + "TFTPD_FIO_ERR": msg612, + "TFTPD_FORK_ERR": msg613, + "TFTPD_NAK_ERR": msg614, + "TFTPD_OPEN_ERR": msg615, + "TFTPD_RECVCOMPLETE_INFO": msg616, + "TFTPD_RECVFROM_ERR": msg617, + "TFTPD_RECV_ERR": msg618, + "TFTPD_SENDCOMPLETE_INFO": msg619, + "TFTPD_SEND_ERR": msg620, + "TFTPD_SOCKET_ERR": msg621, + "TFTPD_STATFS_ERR": msg622, + "TNP": msg623, + "UI_AUTH_EVENT": msg628, + "UI_AUTH_INVALID_CHALLENGE": msg629, + "UI_BOOTTIME_FAILED": msg630, + "UI_CFG_AUDIT_NEW": select58, + "UI_CFG_AUDIT_OTHER": select60, + "UI_CFG_AUDIT_SET": select63, + "UI_CFG_AUDIT_SET_SECRET": select64, + "UI_CHILD_ARGS_EXCEEDED": msg645, + "UI_CHILD_CHANGE_USER": msg646, + "UI_CHILD_EXEC": msg647, + "UI_CHILD_EXITED": msg648, + "UI_CHILD_FOPEN": msg649, + "UI_CHILD_PIPE_FAILED": msg650, + "UI_CHILD_SIGNALED": msg651, + "UI_CHILD_START": msg653, + "UI_CHILD_STATUS": msg654, + "UI_CHILD_STOPPED": msg652, + "UI_CHILD_WAITPID": msg655, + "UI_CLI_IDLE_TIMEOUT": msg656, + "UI_CMDLINE_READ_LINE": msg657, + "UI_CMDSET_EXEC_FAILED": msg658, + "UI_CMDSET_FORK_FAILED": msg659, + "UI_CMDSET_PIPE_FAILED": msg660, + "UI_CMDSET_STOPPED": msg661, + "UI_CMDSET_WEXITED": msg662, + "UI_CMD_AUTH_REGEX_INVALID": msg663, + "UI_COMMIT": msg664, + "UI_COMMIT_AT": msg665, + "UI_COMMIT_AT_COMPLETED": msg666, + "UI_COMMIT_AT_FAILED": msg667, + "UI_COMMIT_COMPRESS_FAILED": msg668, + "UI_COMMIT_CONFIRMED": msg669, + "UI_COMMIT_CONFIRMED_REMINDER": msg670, + "UI_COMMIT_CONFIRMED_TIMED": msg671, + "UI_COMMIT_EMPTY_CONTAINER": msg672, + "UI_COMMIT_NOT_CONFIRMED": msg673, + "UI_COMMIT_PROGRESS": msg674, + "UI_COMMIT_QUIT": msg675, + "UI_COMMIT_ROLLBACK_FAILED": msg676, + "UI_COMMIT_SYNC": msg677, + "UI_COMMIT_SYNC_FORCE": msg678, + "UI_CONFIGURATION_ERROR": msg679, + "UI_DAEMON_ACCEPT_FAILED": msg680, + 
"UI_DAEMON_FORK_FAILED": msg681, + "UI_DAEMON_SELECT_FAILED": msg682, + "UI_DAEMON_SOCKET_FAILED": msg683, + "UI_DBASE_ACCESS_FAILED": msg684, + "UI_DBASE_CHECKOUT_FAILED": msg685, + "UI_DBASE_EXTEND_FAILED": msg686, + "UI_DBASE_LOGIN_EVENT": msg687, + "UI_DBASE_LOGOUT_EVENT": msg688, + "UI_DBASE_MISMATCH_EXTENT": msg689, + "UI_DBASE_MISMATCH_MAJOR": msg690, + "UI_DBASE_MISMATCH_MINOR": msg691, + "UI_DBASE_MISMATCH_SEQUENCE": msg692, + "UI_DBASE_MISMATCH_SIZE": msg693, + "UI_DBASE_OPEN_FAILED": msg694, + "UI_DBASE_REBUILD_FAILED": msg695, + "UI_DBASE_REBUILD_SCHEMA_FAILED": msg696, + "UI_DBASE_REBUILD_STARTED": msg697, + "UI_DBASE_RECREATE": msg698, + "UI_DBASE_REOPEN_FAILED": msg699, + "UI_DUPLICATE_UID": msg700, + "UI_JUNOSCRIPT_CMD": msg701, + "UI_JUNOSCRIPT_ERROR": msg702, + "UI_LOAD_EVENT": msg703, + "UI_LOAD_JUNOS_DEFAULT_FILE_EVENT": msg704, + "UI_LOGIN_EVENT": select71, + "UI_LOGOUT_EVENT": msg707, + "UI_LOST_CONN": msg708, + "UI_MASTERSHIP_EVENT": msg709, + "UI_MGD_TERMINATE": msg710, + "UI_NETCONF_CMD": msg711, + "UI_READ_FAILED": msg712, + "UI_READ_TIMEOUT": msg713, + "UI_REBOOT_EVENT": msg714, + "UI_RESTART_EVENT": msg715, + "UI_SCHEMA_CHECKOUT_FAILED": msg716, + "UI_SCHEMA_MISMATCH_MAJOR": msg717, + "UI_SCHEMA_MISMATCH_MINOR": msg718, + "UI_SCHEMA_MISMATCH_SEQUENCE": msg719, + "UI_SCHEMA_SEQUENCE_ERROR": msg720, + "UI_SYNC_OTHER_RE": msg721, + "UI_TACPLUS_ERROR": msg722, + "UI_VERSION_FAILED": msg723, + "UI_WRITE_RECONNECT": msg724, + "VRRPD_NEWMASTER_TRAP": msg725, + "Version": msg99, + "WEBFILTER_REQUEST_NOT_CHECKED": msg730, + "WEBFILTER_URL_BLOCKED": select75, + "WEBFILTER_URL_PERMITTED": select74, + "WEB_AUTH_FAIL": msg726, + "WEB_AUTH_SUCCESS": msg727, + "WEB_INTERFACE_UNAUTH": msg728, + "WEB_READ": msg729, + "alarmd": msg3, + "bgp_connect_start": msg132, + "bgp_event": msg133, + "bgp_listen_accept": msg134, + "bgp_listen_reset": msg135, + "bgp_nexthop_sanity": msg136, + "bgp_pp_recv": select33, + "bgp_process_caps": select32, + "bgp_send": 
msg141, + "bgp_traffic_timeout": msg142, + "bigd": select6, + "bigpipe": select7, + "bigstart": msg9, + "cgatool": msg10, + "chassisd": msg11, + "chassism": select73, + "checkd": select8, + "clean_process": msg215, + "cli": msg750, + "cosd": msg14, + "craftd": msg15, + "cron": msg18, + "crond": msg21, + "dcd": msg22, + "eswd": select72, + "ftpd": msg24, + "ha_rto_stats_handler": msg25, + "hostinit": msg26, + "idpinfo": msg752, + "ifinfo": select13, + "ifp_ifl_anydown_change_event": msg30, + "ifp_ifl_config_event": msg31, + "ifp_ifl_ext_chg": msg32, + "inetd": select14, + "init": select15, + "ipc_msg_write": msg40, + "kernel": select17, + "kmd": msg753, + "last": select28, + "login": select18, + "lsys_ssam_handler": msg53, + "mcsn": msg54, + "mgd": msg62, + "mrvl_dfw_log_effuse_status": msg55, + "node": select79, + "pfed": msg751, + "process_mode": select38, + "profile_ssam_handler": msg57, + "pst_nat_binding_set_profile": msg58, + "qsfp": msg776, + "respawn": msg64, + "root": msg65, + "rpd": select20, + "rshd": msg70, + "sfd": msg71, + "sshd": select21, + "syslogd": msg92, + "task_connect": msg605, + "task_reconfigure": msg59, + "tnetd": msg60, + "tnp.bootpd": msg769, + "trace_on": msg624, + "trace_rotate": msg625, + "transfer-file": msg626, + "ttloop": msg627, + "ucd-snmp": select26, + "usp_ipc_client_reconnect": msg95, + "usp_trace_ipc_disconnect": msg96, + "usp_trace_ipc_reconnect": msg97, + "uspinfo": msg98, + "xntpd": select27, + }), + ]); + + var hdr43 = match("HEADER#3:0004/0", "message", "%{month->} %{day->} %{time->} %{p0}"); + + var part832 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); + + var part833 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); + + var part834 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); + + var part835 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); + + var part836 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); + + var part837 = match("HEADER#3:0004/1_5", "nwparser.p0", 
"fpc5 %{p0}"); + + var part838 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); + + var part839 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); + + var part840 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); + + var part841 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); + + var part842 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); + + var part843 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{payload}"); + + var hdr44 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); + + var part844 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); + + var part845 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); + + var part846 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); + + var part847 = match("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "%{p0}"); + + var part848 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); + + var part849 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); + + var part850 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); + + var part851 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); + + var part852 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", "%{dport}\" connection-tag=%{fld20->} service-name=\"%{p0}"); + + var part853 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", "%{dport}\" service-name=\"%{p0}"); + + var part854 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", "%{dtransport}\" nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); 
+ + var part855 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_1", "nwparser.p0", "%{dtransport}\"%{p0}"); + + var part856 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_1", "nwparser.p0", "%{dinterface}\"%{p0}"); + + var part857 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); + + var part858 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied%{p0}"); + + var part859 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied%{p0}"); + + var part860 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); + + var part861 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{p0}"); + + var part862 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); + + var part863 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{rule_template}\"%{p0}"); + + var part864 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_1", "nwparser.p0", "name=\"%{rule_template}\"%{p0}"); + + var part865 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); + + var part866 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); + + var part867 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "%{}-> \"%{change_new}\""); + + var part868 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
User '%{username}' %{p0}"); + + var part869 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); + + var part870 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); + + var part871 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); + + var part872 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); + + var part873 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); + + var part874 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); + + var part875 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); + + var select85 = linear_select([ + dup12, + dup13, + dup14, + dup15, + ]); + + var select86 = linear_select([ + dup39, + dup40, + ]); + + var part876 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ + dup20, + dup21, + dup55, + dup22, + ])); + + var part877 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ + dup50, + dup21, + dup63, + dup22, + ])); + + var part878 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ + dup29, + dup21, + dup64, + dup22, + ])); + + var part879 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ + dup29, + dup21, + dup65, + dup22, + ])); + + var part880 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ + dup29, + dup21, 
+ dup66, + dup22, + ])); + + var part881 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ + dup29, + dup21, + dup67, + dup22, + ])); + + var part882 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + dup70, + dup22, + ])); + + var select87 = linear_select([ + dup75, + dup76, + ]); + + var part883 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ + dup29, + dup21, + dup78, + dup22, + ])); + + var part884 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ + dup29, + dup21, + dup83, + dup22, + ])); + + var part885 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ + dup29, + dup21, + dup84, + dup22, + ])); + + var part886 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ + dup20, + dup21, + dup85, + dup22, + ])); + + var select88 = linear_select([ + dup87, + dup88, + ]); + + var select89 = linear_select([ + dup89, + dup90, + ]); + + var select90 = linear_select([ + dup95, + dup96, + ]); + + var select91 = linear_select([ + dup101, + dup102, + ]); + + var part887 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" 
destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var part888 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ + dup26, + dup21, + dup51, + ])); + + var select92 = linear_select([ + dup116, + dup117, + ]); + + var select93 = linear_select([ + dup121, + dup122, + ]); + + var part889 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var part890 = match("MESSAGE#747:cli", "nwparser.payload", "%{fld12}", processor_chain([ + dup47, + dup46, + dup22, + dup21, + ])); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 
diff --git a/packages/juniper/0.1.0/dataset/junos/agent/stream/udp.yml.hbs b/packages/juniper/0.1.0/dataset/junos/agent/stream/udp.yml.hbs
new file mode 100644
index 0000000000..bf98cd0242
--- /dev/null
+++ b/packages/juniper/0.1.0/dataset/junos/agent/stream/udp.yml.hbs
@@ -0,0 +1,12345 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Juniper" + product: "Junos" + type: "Routers" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{day->} %{time->} %{p0}"); + + var dup2 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); + + var dup3 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); + + var dup4 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); + + var dup5 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); + + var dup6 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); + + var dup7 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); + + var dup8 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); + + var dup9 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("messageid"), + constant(": "), + field("payload"), + ], + }); + + var dup10 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("["), + field("pid"), + constant("]: "), + field("messageid"), + constant(": "), + field("payload"), + ], + }); + + var dup11 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": "), + field("payload"), + ], + }); + + var dup12 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); + + var dup13 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); + + var dup14 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); + + var dup15 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); + + var dup16 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{payload}"); + + var dup17 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); + + var dup18 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("pid"), + constant("]: "), + field("payload"), + ], + }); + + var dup19 = setc("messageid","JUNOSROUTER_GENERIC"); + + var dup20 = 
setc("eventcategory","1605000000"); + + var dup21 = setf("msg","$MSG"); + + var dup22 = date_time({ + dest: "event_time", + args: ["month","day","time"], + fmts: [ + [dB,dF,dH,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup23 = setf("hostname","hhost"); + + var dup24 = setc("event_description","AUDIT"); + + var dup25 = setc("event_description","CRON command"); + + var dup26 = setc("eventcategory","1801030000"); + + var dup27 = setc("eventcategory","1801020000"); + + var dup28 = setc("eventcategory","1605010000"); + + var dup29 = setc("eventcategory","1603000000"); + + var dup30 = setc("event_description","Process mode"); + + var dup31 = setc("event_description","NTP Server Unreachable"); + + var dup32 = setc("eventcategory","1401060000"); + + var dup33 = setc("ec_theme","Authentication"); + + var dup34 = setc("ec_subject","User"); + + var dup35 = setc("ec_activity","Logon"); + + var dup36 = setc("ec_outcome","Success"); + + var dup37 = setc("event_description","rpd proceeding"); + + var dup38 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); + + var dup39 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); + + var dup40 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); + + var dup41 = setc("eventcategory","1701010000"); + + var dup42 = setc("ec_outcome","Failure"); + + var dup43 = setc("eventcategory","1401030000"); + + var dup44 = match("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "%{p0}"); + + var dup45 = setc("eventcategory","1803000000"); + + var dup46 = setc("event_type","VPN"); + + var dup47 = setc("eventcategory","1605020000"); + + var dup48 = setc("eventcategory","1602020000"); + + var dup49 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); + + var dup50 = setc("eventcategory","1603020000"); + + var dup51 = date_time({ + dest: "event_time", + args: ["hfld32"], + fmts: [ + 
[dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup52 = setc("ec_subject","NetworkComm"); + + var dup53 = setc("ec_activity","Create"); + + var dup54 = setc("ec_activity","Stop"); + + var dup55 = setc("event_description","Trap state change"); + + var dup56 = setc("event_description","peer NLRI mismatch"); + + var dup57 = setc("eventcategory","1605030000"); + + var dup58 = setc("eventcategory","1603010000"); + + var dup59 = setc("eventcategory","1606000000"); + + var dup60 = setf("hostname","hhostname"); + + var dup61 = date_time({ + dest: "event_time", + args: ["hfld6"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup62 = setc("eventcategory","1401050200"); + + var dup63 = setc("event_description","Memory allocation failed during initialization for configuration load"); + + var dup64 = setc("event_description","unable to run in the background as a daemon"); + + var dup65 = setc("event_description","Another copy of this program is running"); + + var dup66 = setc("event_description","Unable to lock PID file"); + + var dup67 = setc("event_description","Unable to update process PID file"); + + var dup68 = setc("eventcategory","1301000000"); + + var dup69 = setc("event_description","Command stopped"); + + var dup70 = setc("event_description","Unable to create pipes for command"); + + var dup71 = setc("event_description","Command exited"); + + var dup72 = setc("eventcategory","1603050000"); + + var dup73 = setc("eventcategory","1801010000"); + + var dup74 = setc("event_description","Login failure"); + + var dup75 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); + + var dup76 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); + + var dup77 = setc("event_description","Unable to open file"); + + var dup78 = setc("event_description","SNMP index assigned changed"); + + var dup79 = setc("eventcategory","1302000000"); + + var dup80 = 
setc("eventcategory","1001020300"); + + var dup81 = setc("event_description","PFE FW SYSLOG_IP"); + + var dup82 = setc("event_description","process_mode"); + + var dup83 = setc("event_description","Logical interface collision"); + + var dup84 = setc("event_description","excessive runtime time during action of module"); + + var dup85 = setc("event_description","Reinitializing"); + + var dup86 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); + + var dup87 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", "%{dport}\" connection-tag=%{fld20->} service-name=\"%{p0}"); + + var dup88 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", "%{dport}\" service-name=\"%{p0}"); + + var dup89 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", "%{dtransport}\" nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); + + var dup90 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_1", "nwparser.p0", "%{dtransport}\"%{p0}"); + + var dup91 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_1", "nwparser.p0", "%{dinterface}\"%{p0}"); + + var dup92 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); + + var dup93 = setc("eventcategory","1803010000"); + + var dup94 = setc("ec_activity","Deny"); + + var dup95 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied%{p0}"); + + var dup96 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied%{p0}"); + + var dup97 = setc("event_description","session denied"); + + var dup98 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" 
destination-port=\"%{p0}"); + + var dup99 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{p0}"); + + var dup100 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); + + var dup101 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{rule_template}\"%{p0}"); + + var dup102 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_1", "nwparser.p0", "name=\"%{rule_template}\"%{p0}"); + + var dup103 = setc("dclass_counter1_string","No.of packets from client"); + + var dup104 = setc("event_description","SNMPD AUTH FAILURE"); + + var dup105 = setc("event_description","send send-type (index1) failure"); + + var dup106 = setc("event_description","SNMP trap error"); + + var dup107 = setc("event_description","SNMP TRAP LINK DOWN"); + + var dup108 = setc("event_description","SNMP TRAP LINK UP"); + + var dup109 = setc("event_description","Login Failure"); + + var dup110 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); + + var dup111 = setc("eventcategory","1701020000"); + + var dup112 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); + + var dup113 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "%{}-> \"%{change_new}\""); + + var dup114 = setc("event_description","User set command"); + + var dup115 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); + + var dup116 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); + + var dup117 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); 
+ + var dup118 = setc("event_description","User set groups to secret"); + + var dup119 = setc("event_description","UI CMDLINE READ LINE"); + + var dup120 = setc("event_description","User commit"); + + var dup121 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); + + var dup122 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); + + var dup123 = setc("eventcategory","1401070000"); + + var dup124 = setc("ec_activity","Logoff"); + + var dup125 = setc("event_description","Successful login"); + + var dup126 = setf("hostname","hostip"); + + var dup127 = setc("event_description","TACACS+ failure"); + + var dup128 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); + + var dup129 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); + + var dup130 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); + + var dup131 = setc("eventcategory","1003010000"); + + var dup132 = setc("eventcategory","1901000000"); + + var dup133 = linear_select([ + dup12, + dup13, + dup14, + dup15, + ]); + + var dup134 = linear_select([ + dup39, + dup40, + ]); + + var dup135 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ + dup20, + dup21, + dup55, + dup22, + ])); + + var dup136 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ + dup50, + dup21, + dup63, + dup22, + ])); + + var dup137 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ + dup29, + dup21, + dup64, + dup22, + ])); + + var dup138 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ + dup29, + dup21, + dup65, + dup22, + ])); + + var dup139 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ + dup29, + dup21, + dup66, + dup22, + ])); + + var dup140 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ + dup29, + dup21, + dup67, + dup22, + ])); + + var dup141 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + dup70, + dup22, + ])); + + var dup142 = linear_select([ + dup75, + dup76, + ]); + + var dup143 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ + dup29, + dup21, + dup78, + dup22, + ])); + + var dup144 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ + dup29, + dup21, + dup83, + dup22, + ])); + + var dup145 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ + dup29, + dup21, + dup84, + dup22, + ])); + + var dup146 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ + dup20, + dup21, + dup85, + dup22, + ])); + + var dup147 = linear_select([ + dup87, + dup88, + ]); + + var dup148 = linear_select([ + dup89, + dup90, + ]); + + var dup149 = linear_select([ + dup95, 
+ dup96, + ]); + + var dup150 = linear_select([ + dup101, + dup102, + ]); + + var dup151 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var dup152 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ + dup26, + dup21, + dup51, + ])); + + var dup153 = linear_select([ + dup116, + dup117, + ]); + + var dup154 = linear_select([ + dup121, + dup122, + ]); + + var dup155 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var dup156 = match("MESSAGE#747:cli", 
"nwparser.payload", "%{fld12}", processor_chain([ + dup47, + dup46, + dup22, + dup21, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%{month->} %{day->} %{time->} %{messageid}: restart %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": restart "), + field("payload"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{month->} %{day->} %{time->} %{messageid->} message repeated %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" message repeated "), + field("payload"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "%{month->} %{day->} %{time->} ssb %{messageid}(%{hfld1}): %{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("("), + field("hfld1"), + constant("): "), + field("payload"), + ], + }), + ])); + + var part1 = match("HEADER#3:0004/1_6", "nwparser.p0", "fpc6 %{p0}"); + + var part2 = match("HEADER#3:0004/1_7", "nwparser.p0", "fpc7 %{p0}"); + + var part3 = match("HEADER#3:0004/1_8", "nwparser.p0", "fpc8 %{p0}"); + + var part4 = match("HEADER#3:0004/1_9", "nwparser.p0", "fpc9 %{p0}"); + + var part5 = match("HEADER#3:0004/1_10", "nwparser.p0", "cfeb %{p0}"); + + var select1 = linear_select([ + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + part1, + part2, + part3, + part4, + part5, + dup8, + ]); + + var part6 = match("HEADER#3:0004/2", "nwparser.p0", "%{} %{messageid}: %{payload}"); + + var all1 = all_match({ + processors: [ + dup1, + select1, + part6, + ], + on_success: processor_chain([ + setc("header_id","0004"), + ]), + }); + + var select2 = linear_select([ + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + ]); + + var part7 = match("HEADER#4:0005/2", "nwparser.p0", "%{} %{messageid->} %{payload}"); 
+ + var all2 = all_match({ + processors: [ + dup1, + select2, + part7, + ], + on_success: processor_chain([ + setc("header_id","0005"), + ]), + }); + + var hdr4 = match("HEADER#5:0007", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2}[%{hpid}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0007"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant("["), + field("hpid"), + constant("]: "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), + ])); + + var hdr5 = match("HEADER#6:0008", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}[%{hpid}]: %{payload}", processor_chain([ + setc("header_id","0008"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hpid"), + constant("]: "), + field("payload"), + ], + }), + ])); + + var hdr6 = match("HEADER#7:0009", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} IFP trace> %{messageid}: %{payload}", processor_chain([ + setc("header_id","0009"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" IFP trace> "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), + ])); + + var hdr7 = match("HEADER#8:0010", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0010"), + dup9, + ])); + + var hdr8 = match("HEADER#9:0029", "message", "%{month->} %{day->} %{time->} %{hostip->} %{hfld1}[%{pid}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0029"), + dup10, + ])); + + var hdr9 = match("HEADER#10:0015", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0015"), + dup10, + ])); + + var hdr10 = match("HEADER#11:0011", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{messageid}: %{payload}", 
processor_chain([ + setc("header_id","0011"), + dup9, + ])); + + var hdr11 = match("HEADER#12:0027", "message", "%{month->} %{day->} %{time->} %{hhostname->} RT_FLOW: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0027"), + dup11, + ])); + + var hdr12 = match("HEADER#13:0012", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0012"), + dup11, + ])); + + var hdr13 = match("HEADER#14:0013", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hfld32->} %{hhostname->} RT_FLOW - %{messageid->} [%{payload}", processor_chain([ + setc("header_id","0013"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" ["), + field("payload"), + ], + }), + ])); + + var hdr14 = match("HEADER#15:0026.upd.a/0", "message", "%{hfld1->} %{event_time->} %{hfld32->} %{hhostname->} %{p0}"); + + var all3 = all_match({ + processors: [ + hdr14, + dup133, + dup16, + ], + on_success: processor_chain([ + setc("header_id","0026.upd.a"), + ]), + }); + + var all4 = all_match({ + processors: [ + dup17, + dup133, + dup16, + ], + on_success: processor_chain([ + setc("header_id","0026.upd.b"), + ]), + }); + + var all5 = all_match({ + processors: [ + dup17, + dup133, + dup16, + ], + on_success: processor_chain([ + setc("header_id","0026"), + ]), + }); + + var hdr15 = match("HEADER#18:0014", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}[%{hpid}]: %{payload}", processor_chain([ + setc("header_id","0014"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("["), + field("pid"), + constant("]: "), + field("messageid"), + constant("["), + field("hpid"), + constant("]: "), + field("payload"), + ], + }), + ])); + + var hdr16 = match("HEADER#19:0016", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0016"), + call({ + dest: "nwparser.payload", 
+ fn: STRCAT, + args: [ + field("hfld1"), + constant(": "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), + ])); + + var hdr17 = match("HEADER#20:0017", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0017"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("["), + field("pid"), + constant("]: "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr18 = match("HEADER#21:0018", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0018"), + dup18, + ])); + + var hdr19 = match("HEADER#22:0028", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0028"), + dup18, + ])); + + var hdr20 = match("HEADER#23:0019", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0019"), + dup11, + ])); + + var hdr21 = match("HEADER#24:0020", "message", "%{month->} %{day->} %{time->} %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0020"), + dup18, + ])); + + var hdr22 = match("HEADER#25:0021", "message", "%{month->} %{day->} %{time->} /%{messageid}: %{payload}", processor_chain([ + setc("header_id","0021"), + dup11, + ])); + + var hdr23 = match("HEADER#26:0022", "message", "%{month->} %{day->} %{time->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0022"), + dup11, + ])); + + var hdr24 = match("HEADER#27:0023", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0023"), + dup18, + ])); + + var hdr25 = match("HEADER#28:0024", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0024"), + dup11, + 
])); + + var hdr26 = match("HEADER#29:0025", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{hfld2->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0025"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr27 = match("HEADER#30:0031", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0031"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr28 = match("HEADER#31:0032", "message", "%{month->} %{day->} %{time->} %{hostip->} (%{hfld1}) %{hfld2->} %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0032"), + dup18, + ])); + + var hdr29 = match("HEADER#32:0033", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0033"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant(" "), + field("hhostname"), + constant(" "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), + ])); + + var hdr30 = match("HEADER#33:3336", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","3336"), + ])); + + var hdr31 = match("HEADER#34:3339", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid->} %{payload}", processor_chain([ + setc("header_id","3339"), + ])); + + var hdr32 = match("HEADER#35:3337", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","3337"), + ])); + + var hdr33 = match("HEADER#36:3341", "message", "%{hfld1->} %{hfld6->} %{hhostname->} %{hfld2->} %{hfld3->} %{messageid->} 
%{payload}", processor_chain([ + setc("header_id","3341"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("hfld3"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr34 = match("HEADER#37:3338", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","3338"), + ])); + + var hdr35 = match("HEADER#38:3340/0", "message", "%{month->} %{day->} %{time->} %{hhost->} node%{p0}"); + + var part8 = match("HEADER#38:3340/1_0", "nwparser.p0", "%{hfld1}.fpc%{hfld2}.pic%{hfld3->} %{p0}"); + + var part9 = match("HEADER#38:3340/1_1", "nwparser.p0", "%{hfld1}.fpc%{hfld2->} %{p0}"); + + var select3 = linear_select([ + part8, + part9, + ]); + + var part10 = match("HEADER#38:3340/2", "nwparser.p0", "%{} %{payload}"); + + var all6 = all_match({ + processors: [ + hdr35, + select3, + part10, + ], + on_success: processor_chain([ + setc("header_id","3340"), + setc("messageid","node"), + ]), + }); + + var hdr36 = match("HEADER#39:9997/0_0", "message", "mgd[%{p0}"); + + var hdr37 = match("HEADER#39:9997/0_1", "message", "rpd[%{p0}"); + + var hdr38 = match("HEADER#39:9997/0_2", "message", "dcd[%{p0}"); + + var select4 = linear_select([ + hdr36, + hdr37, + hdr38, + ]); + + var part11 = match("HEADER#39:9997/1", "nwparser.p0", "%{process_id}]:%{payload}"); + + var all7 = all_match({ + processors: [ + select4, + part11, + ], + on_success: processor_chain([ + setc("header_id","9997"), + dup19, + ]), + }); + + var hdr39 = match("HEADER#40:9995", "message", "%{month->} %{day->} %{time->} %{hhost->} %{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]:%{payload}", processor_chain([ + setc("header_id","9995"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld3"), + constant("]:"), + field("payload"), + ], + }), + ])); + + var hdr40 = match("HEADER#41:9994", "message", 
"%{month->} %{day->} %{time->} %{hfld2->} %{hfld1->} qsfp %{payload}", processor_chain([ + setc("header_id","9994"), + setc("messageid","qsfp"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("hfld1"), + constant(" qsfp "), + field("payload"), + ], + }), + ])); + + var hdr41 = match("HEADER#42:9999", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{hevent_type}: %{payload}", processor_chain([ + setc("header_id","9999"), + dup19, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hevent_type"), + constant(": "), + field("payload"), + ], + }), + ])); + + var hdr42 = match("HEADER#43:9998", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{process}: %{payload}", processor_chain([ + setc("header_id","9998"), + dup19, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("process"), + constant(": "), + field("payload"), + ], + }), + ])); + + var select5 = linear_select([ + hdr1, + hdr2, + hdr3, + all1, + all2, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, + hdr10, + hdr11, + hdr12, + hdr13, + all3, + all4, + all5, + hdr15, + hdr16, + hdr17, + hdr18, + hdr19, + hdr20, + hdr21, + hdr22, + hdr23, + hdr24, + hdr25, + hdr26, + hdr27, + hdr28, + hdr29, + hdr30, + hdr31, + hdr32, + hdr33, + hdr34, + all6, + all7, + hdr39, + hdr40, + hdr41, + hdr42, + ]); + + var part12 = match("MESSAGE#0:/usr/sbin/sshd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","sshd exit status"), + dup22, + ])); + + var msg1 = msg("/usr/sbin/sshd", part12); + + var part13 = match("MESSAGE#1:/usr/libexec/telnetd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","telnetd exit status"), + dup22, + ])); + + var msg2 = 
msg("/usr/libexec/telnetd", part13); + + var part14 = match("MESSAGE#2:alarmd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License color=%{severity}, class=%{device}, reason=%{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Alarm Set or Cleared"), + dup22, + ])); + + var msg3 = msg("alarmd", part14); + + var part15 = match("MESSAGE#3:bigd", "nwparser.payload", "%{process}: Node detected UP for %{node}", processor_chain([ + dup20, + dup21, + setc("event_description","Node detected UP"), + dup22, + ])); + + var msg4 = msg("bigd", part15); + + var part16 = match("MESSAGE#4:bigd:01", "nwparser.payload", "%{process}: Monitor template id is %{id}", processor_chain([ + dup20, + dup21, + setc("event_description","Monitor template id"), + dup22, + ])); + + var msg5 = msg("bigd:01", part16); + + var select6 = linear_select([ + msg4, + msg5, + ]); + + var part17 = match("MESSAGE#5:bigpipe", "nwparser.payload", "%{process}: Loading the configuration file %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","Loading configuration file"), + dup22, + ])); + + var msg6 = msg("bigpipe", part17); + + var part18 = match("MESSAGE#6:bigpipe:01", "nwparser.payload", "%{process}: Begin config install operation %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","Begin config install operation"), + dup22, + ])); + + var msg7 = msg("bigpipe:01", part18); + + var part19 = match("MESSAGE#7:bigpipe:02", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ + dup20, + dup21, + setc("event_description","Audit"), + dup22, + ])); + + var msg8 = msg("bigpipe:02", part19); + + var select7 = linear_select([ + msg6, + msg7, + msg8, + ]); + + var part20 = match("MESSAGE#8:bigstart", "nwparser.payload", "%{process}: shutdown %{service}", processor_chain([ + dup20, + dup21, + setc("event_description","portal shutdown"), + dup22, + ])); + + var msg9 = msg("bigstart", 
part20); + + var part21 = match("MESSAGE#9:cgatool", "nwparser.payload", "%{process}: %{event_type}: generated address is %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","cga address genration"), + dup22, + ])); + + var msg10 = msg("cgatool", part21); + + var part22 = match("MESSAGE#10:chassisd:01", "nwparser.payload", "%{process}[%{process_id}]:%{fld12}", processor_chain([ + dup20, + dup21, + dup22, + dup23, + ])); + + var msg11 = msg("chassisd:01", part22); + + var part23 = match("MESSAGE#11:checkd", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ + dup20, + dup21, + dup24, + dup22, + ])); + + var msg12 = msg("checkd", part23); + + var part24 = match("MESSAGE#12:checkd:01", "nwparser.payload", "%{process}: exiting", processor_chain([ + dup20, + dup21, + setc("event_description","checkd exiting"), + dup22, + ])); + + var msg13 = msg("checkd:01", part24); + + var select8 = linear_select([ + msg12, + msg13, + ]); + + var part25 = match("MESSAGE#13:cosd", "nwparser.payload", "%{process}[%{process_id}]: link protection %{dclass_counter1->} for intf %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","link protection for interface"), + dup22, + ])); + + var msg14 = msg("cosd", part25); + + var part26 = match("MESSAGE#14:craftd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}, %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","License expiration warning"), + dup22, + ])); + + var msg15 = msg("craftd", part26); + + var part27 = match("MESSAGE#15:CRON/0", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{p0}"); + + var part28 = match("MESSAGE#15:CRON/1_0", "nwparser.p0", "CMD (%{result}) "); + + var part29 = match("MESSAGE#15:CRON/1_1", "nwparser.p0", "cmd='%{result}' "); + + var select9 = linear_select([ + part28, + part29, + ]); + + var all8 = all_match({ + processors: [ + part27, + select9, + ], + on_success: 
processor_chain([ + dup20, + dup21, + dup25, + dup22, + ]), + }); + + var msg16 = msg("CRON", all8); + + var part30 = match("MESSAGE#16:Cmerror/0_0", "nwparser.payload", "%{hostname->} %{node}Cmerror: Level%{level}count increment %{dclass_counter1->} %{fld1}"); + + var part31 = match("MESSAGE#16:Cmerror/0_1", "nwparser.payload", "%{fld2}"); + + var select10 = linear_select([ + part30, + part31, + ]); + + var all9 = all_match({ + processors: [ + select10, + ], + on_success: processor_chain([ + dup20, + dup22, + dup21, + ]), + }); + + var msg17 = msg("Cmerror", all9); + + var part32 = match("MESSAGE#17:cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{action->} (%(unknown))", processor_chain([ + dup20, + dup21, + setc("event_description","cron RELOAD"), + dup22, + ])); + + var msg18 = msg("cron", part32); + + var part33 = match("MESSAGE#18:CROND", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ + dup20, + dup21, + dup22, + dup23, + ])); + + var msg19 = msg("CROND", part33); + + var part34 = match("MESSAGE#20:CROND:02", "nwparser.payload", "%{process}[%{process_id}]: pam_unix(crond:session): session closed for user %{username}", processor_chain([ + dup26, + dup21, + dup22, + dup23, + ])); + + var msg20 = msg("CROND:02", part34); + + var select11 = linear_select([ + msg19, + msg20, + ]); + + var part35 = match("MESSAGE#19:crond:01", "nwparser.payload", "%{process}[%{process_id}]: pam_unix(crond:session): session opened for user %{username->} by (uid=%{uid})", processor_chain([ + dup27, + dup21, + dup22, + dup23, + ])); + + var msg21 = msg("crond:01", part35); + + var part36 = match("MESSAGE#21:dcd", "nwparser.payload", "%{process}[%{process_id}]: %{result->} Setting ignored, %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Setting ignored"), + dup22, + ])); + + var msg22 = msg("dcd", part36); + + var part37 = match("MESSAGE#22:EVENT/0", "nwparser.payload", 
"%{process}[%{process_id}]: EVENT %{event_type->} %{interface->} index %{resultcode->} %{p0}"); + + var part38 = match("MESSAGE#22:EVENT/1_0", "nwparser.p0", "%{saddr->} -> %{daddr->} \u003c\u003c%{result}> "); + + var part39 = match("MESSAGE#22:EVENT/1_1", "nwparser.p0", "\u003c\u003c%{result}> "); + + var select12 = linear_select([ + part38, + part39, + ]); + + var all10 = all_match({ + processors: [ + part37, + select12, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","EVENT"), + dup22, + ]), + }); + + var msg23 = msg("EVENT", all10); + + var part40 = match("MESSAGE#23:ftpd", "nwparser.payload", "%{process}[%{process_id}]: connection from %{saddr->} (%{shost})", processor_chain([ + setc("eventcategory","1802000000"), + dup21, + setc("event_description","ftpd connection"), + dup22, + ])); + + var msg24 = msg("ftpd", part40); + + var part41 = match("MESSAGE#24:ha_rto_stats_handler", "nwparser.payload", "%{hostname->} %{node}ha_rto_stats_handler:%{fld12}", processor_chain([ + dup28, + dup22, + dup21, + ])); + + var msg25 = msg("ha_rto_stats_handler", part41); + + var part42 = match("MESSAGE#25:hostinit", "nwparser.payload", "%{process}: %{obj_name->} -- LDAP Connection not bound correctly. 
%{info}", processor_chain([ + dup20, + dup21, + setc("event_description","LDAP Connection not bound correctly"), + dup22, + ])); + + var msg26 = msg("hostinit", part42); + + var part43 = match("MESSAGE#26:ifinfo", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Added entry - %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","PIC_INFO debug - Added entry"), + dup22, + ])); + + var msg27 = msg("ifinfo", part43); + + var part44 = match("MESSAGE#27:ifinfo:01", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Initializing spu listtype %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","PIC_INFO debug Initializing spu"), + dup22, + ])); + + var msg28 = msg("ifinfo:01", part44); + + var part45 = match("MESSAGE#28:ifinfo:02", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","PIC_INFO debug delete from list"), + dup22, + ])); + + var msg29 = msg("ifinfo:02", part45); + + var select13 = linear_select([ + msg27, + msg28, + msg29, + ]); + + var part46 = match("MESSAGE#29:ifp_ifl_anydown_change_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL anydown change event: \"%{event_type}\"", processor_chain([ + dup20, + dup21, + setc("event_description","IFL anydown change event"), + dup22, + ])); + + var msg30 = msg("ifp_ifl_anydown_change_event", part46); + + var part47 = match("MESSAGE#30:ifp_ifl_config_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL config: \"%(unknown)\"", processor_chain([ + dup20, + dup21, + setc("event_description","ifp ifl config_event"), + dup22, + ])); + + var msg31 = msg("ifp_ifl_config_event", part47); + + var part48 = match("MESSAGE#31:ifp_ifl_ext_chg", "nwparser.payload", "%{node->} %{process}: ifp ext piid %{parent_pid->} zone_id %{zone}", processor_chain([ + dup20, + dup21, + setc("event_description","ifp_ifl_ext_chg"), + dup22, + ])); + + var msg32 = 
msg("ifp_ifl_ext_chg", part48); + + var part49 = match("MESSAGE#32:inetd", "nwparser.payload", "%{process}[%{process_id}]: %{protocol->} from %{saddr->} exceeded counts/min (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","connection exceeded count limit"), + dup22, + ])); + + var msg33 = msg("inetd", part49); + + var part50 = match("MESSAGE#33:inetd:01", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exited, status %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","exited"), + dup22, + ])); + + var msg34 = msg("inetd:01", part50); + + var select14 = linear_select([ + msg33, + msg34, + ]); + + var part51 = match("MESSAGE#34:init:04", "nwparser.payload", "%{process}: %{event_type->} current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ + dup20, + dup21, + dup30, + dup22, + ])); + + var msg35 = msg("init:04", part51); + + var part52 = match("MESSAGE#35:init", "nwparser.payload", "%{process}: %{event_type->} mode=%{protocol->} cmd=%{action->} master_mode=%{result}", processor_chain([ + dup20, + dup21, + dup30, + dup22, + ])); + + var msg36 = msg("init", part52); + + var part53 = match("MESSAGE#36:init:01", "nwparser.payload", "%{process}: failure target for routing set to %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","failure target for routing set"), + dup22, + ])); + + var msg37 = msg("init:01", part53); + + var part54 = match("MESSAGE#37:init:02", "nwparser.payload", "%{process}: ntp (PID %{child_pid}) started", processor_chain([ + dup20, + dup21, + setc("event_description","ntp started"), + dup22, + ])); + + var msg38 = msg("init:02", part54); + + var part55 = match("MESSAGE#38:init:03", "nwparser.payload", "%{process}: product mask %{info->} model %{dclass_counter1}", processor_chain([ + dup20, + dup21, + setc("event_description","product mask and model info"), + dup22, + ])); + + var msg39 = msg("init:03", part55); + + var select15 
= linear_select([ + msg35, + msg36, + msg37, + msg38, + msg39, + ]); + + var part56 = match("MESSAGE#39:ipc_msg_write", "nwparser.payload", "%{node->} %{process}: IPC message type: %{event_type}, subtype: %{resultcode->} exceeds MTU, mtu %{dclass_counter1}, length %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","IPC message exceeds MTU"), + dup22, + ])); + + var msg40 = msg("ipc_msg_write", part56); + + var part57 = match("MESSAGE#40:connection_established", "nwparser.payload", "%{process}: %{service}: conn established: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2}", processor_chain([ + dup27, + dup21, + setc("event_description","listener connection established"), + dup22, + ])); + + var msg41 = msg("connection_established", part57); + + var part58 = match("MESSAGE#41:connection_dropped/0", "nwparser.payload", "%{process}: %{p0}"); + + var part59 = match("MESSAGE#41:connection_dropped/1_0", "nwparser.p0", "%{result}, connection dropped - src %{saddr}:%{sport->} dest %{daddr}:%{dport->} "); + + var part60 = match("MESSAGE#41:connection_dropped/1_1", "nwparser.p0", "%{result}: conn dropped: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2->} "); + + var select16 = linear_select([ + part59, + part60, + ]); + + var all11 = all_match({ + processors: [ + part58, + select16, + ], + on_success: processor_chain([ + dup26, + dup21, + setc("event_description","connection dropped"), + dup22, + ]), + }); + + var msg42 = msg("connection_dropped", all11); + + var part61 = match("MESSAGE#42:kernel", "nwparser.payload", "%{process}: %{interface}: Asserting SONET alarm(s) %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Asserting SONET alarm(s)"), + dup22, + ])); + + var msg43 = msg("kernel", part61); + + var part62 = match("MESSAGE#43:kernel:01", "nwparser.payload", "%{process}: %{interface->} down: %{result}.", processor_chain([ + dup20, + dup21, + setc("event_description","interface down"), + 
dup22, + ])); + + var msg44 = msg("kernel:01", part62); + + var part63 = match("MESSAGE#44:kernel:02", "nwparser.payload", "%{process}: %{interface}: loopback suspected; %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","loopback suspected om interface"), + dup22, + ])); + + var msg45 = msg("kernel:02", part63); + + var part64 = match("MESSAGE#45:kernel:03", "nwparser.payload", "%{process}: %{service}: soreceive() error %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","soreceive error"), + dup22, + ])); + + var msg46 = msg("kernel:03", part64); + + var part65 = match("MESSAGE#46:kernel:04", "nwparser.payload", "%{process}: %{service->} !VALID(state 4)->%{result}", processor_chain([ + dup20, + dup21, + setc("event_description","pfe_peer_alloc state 4"), + dup22, + ])); + + var msg47 = msg("kernel:04", part65); + + var part66 = match("MESSAGE#47:kernel:05", "nwparser.payload", "%{fld1->} %{hostip->} (%{fld2}) %{fld3->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ + dup20, + dup21, + dup31, + dup22, + ])); + + var msg48 = msg("kernel:05", part66); + + var part67 = match("MESSAGE#48:kernel:06", "nwparser.payload", "%{fld1->} %{hostip->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ + dup20, + dup21, + dup31, + dup22, + ])); + + var msg49 = msg("kernel:06", part67); + + var select17 = linear_select([ + msg41, + msg42, + msg43, + msg44, + msg45, + msg46, + msg47, + msg48, + msg49, + ]); + + var part68 = match("MESSAGE#49:successful_login", "nwparser.payload", "%{process}: login from %{saddr->} on %{interface->} as %{username}", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","successful user login"), + dup22, + ])); + + var msg50 = msg("successful_login", part68); + + var part69 = match("MESSAGE#50:login_attempt", "nwparser.payload", "%{process}: Login attempt for user %{username->} from host %{hostip}", processor_chain([ 
+ dup32, + dup33, + dup34, + dup35, + dup21, + setc("event_description","user login attempt"), + dup22, + ])); + + var msg51 = msg("login_attempt", part69); + + var part70 = match("MESSAGE#51:login", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ + dup32, + dup33, + dup36, + dup21, + setc("event_description","PAM module return from login"), + dup22, + ])); + + var msg52 = msg("login", part70); + + var select18 = linear_select([ + msg50, + msg51, + msg52, + ]); + + var part71 = match("MESSAGE#52:lsys_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing lsys root-logical-system %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","processing lsys root-logical-system"), + dup22, + ])); + + var msg53 = msg("lsys_ssam_handler", part71); + + var part72 = match("MESSAGE#53:mcsn", "nwparser.payload", "%{process}[%{process_id}]: Removing mif from group [%{group}] %{space->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Removing mif from group"), + dup22, + ])); + + var msg54 = msg("mcsn", part72); + + var part73 = match("MESSAGE#54:mrvl_dfw_log_effuse_status", "nwparser.payload", "%{process}: Firewall rows could not be redirected on device %{device}.", processor_chain([ + dup29, + dup21, + setc("event_description","Firewall rows could not be redirected on device"), + dup22, + ])); + + var msg55 = msg("mrvl_dfw_log_effuse_status", part73); + + var part74 = match("MESSAGE#55:MRVL-L2", "nwparser.payload", "%{process}:%{action}(),%{process_id}:MFilter (%{filter}) already exists", processor_chain([ + dup29, + dup21, + setc("event_description","mfilter already exists for add"), + dup22, + ])); + + var msg56 = msg("MRVL-L2", part74); + + var part75 = match("MESSAGE#56:profile_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing profile SP-root %{info}", processor_chain([ + dup20, + dup21, + 
setc("event_description","processing profile SP-root"), + dup22, + ])); + + var msg57 = msg("profile_ssam_handler", part75); + + var part76 = match("MESSAGE#57:pst_nat_binding_set_profile", "nwparser.payload", "%{node->} %{process}: %{event_source}: can't get resource bucket %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","can't get resource bucket"), + dup22, + ])); + + var msg58 = msg("pst_nat_binding_set_profile", part76); + + var part77 = match("MESSAGE#58:task_reconfigure", "nwparser.payload", "%{process}[%{process_id}]: task_reconfigure %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","reinitializing done"), + dup22, + ])); + + var msg59 = msg("task_reconfigure", part77); + + var part78 = match("MESSAGE#59:tnetd/0_0", "nwparser.payload", "%{process}[%{process_id}]:%{service}[%{fld1}]: exit status%{resultcode->} "); + + var part79 = match("MESSAGE#59:tnetd/0_1", "nwparser.payload", "%{fld3}"); + + var select19 = linear_select([ + part78, + part79, + ]); + + var all12 = all_match({ + processors: [ + select19, + ], + on_success: processor_chain([ + dup20, + dup21, + dup22, + dup23, + ]), + }); + + var msg60 = msg("tnetd", all12); + + var part80 = match("MESSAGE#60:PFEMAN", "nwparser.payload", "%{process}: Session manager active", processor_chain([ + dup20, + dup21, + setc("event_description","Session manager active"), + dup22, + ])); + + var msg61 = msg("PFEMAN", part80); + + var part81 = match("MESSAGE#61:mgd", "nwparser.payload", "%{process}[%{process_id}]: Could not send message to %{service}", processor_chain([ + dup29, + dup21, + setc("event_description","Could not send message to service"), + dup22, + ])); + + var msg62 = msg("mgd", part81); + + var part82 = match("MESSAGE#62:Resolve", "nwparser.payload", "Resolve request came for an address matching on Wrong nh nh:%{result}, %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Resolve request came for an address matching on 
Wrong nh"), + dup22, + ])); + + var msg63 = msg("Resolve", part82); + + var part83 = match("MESSAGE#63:respawn", "nwparser.payload", "%{process}: %{service->} exited with status = %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","service exited with status"), + dup22, + ])); + + var msg64 = msg("respawn", part83); + + var part84 = match("MESSAGE#64:root", "nwparser.payload", "%{process}: %{node}: This system does not have 3-DNS or Link Controller enabled", processor_chain([ + dup29, + dup21, + setc("event_description","system does not have 3-DNS or Link Controller enabled"), + dup22, + ])); + + var msg65 = msg("root", part84); + + var part85 = match("MESSAGE#65:rpd", "nwparser.payload", "%{process}[%{process_id}]: Received %{result->} for intf device %{interface}; mc_ae_id %{dclass_counter1}, status %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","Received data for interface"), + dup22, + ])); + + var msg66 = msg("rpd", part85); + + var part86 = match("MESSAGE#66:rpd:01", "nwparser.payload", "%{process}[%{process_id}]: RSVP neighbor %{daddr->} up on interface %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","RSVP neighbor up on interface "), + dup22, + ])); + + var msg67 = msg("rpd:01", part86); + + var part87 = match("MESSAGE#67:rpd:02", "nwparser.payload", "%{process}[%{process_id}]: %{saddr->} (%{shost}): reseting pending active connection", processor_chain([ + dup20, + dup21, + setc("event_description","reseting pending active connection"), + dup22, + ])); + + var msg68 = msg("rpd:02", part87); + + var part88 = match("MESSAGE#68:rpd_proceeding", "nwparser.payload", "%{process}: proceeding. 
%{param}", processor_chain([ + dup20, + dup21, + dup37, + dup22, + ])); + + var msg69 = msg("rpd_proceeding", part88); + + var select20 = linear_select([ + msg66, + msg67, + msg68, + msg69, + ]); + + var part89 = match("MESSAGE#69:rshd", "nwparser.payload", "%{process}[%{process_id}]: %{username->} as root: cmd='%{action}'", processor_chain([ + dup20, + dup21, + setc("event_description","user issuing command as root"), + dup22, + ])); + + var msg70 = msg("rshd", part89); + + var part90 = match("MESSAGE#70:sfd", "nwparser.payload", "%{process}: Waiting on accept", processor_chain([ + dup20, + dup21, + setc("event_description","sfd waiting on accept"), + dup22, + ])); + + var msg71 = msg("sfd", part90); + + var part91 = match("MESSAGE#71:sshd", "nwparser.payload", "%{process}[%{process_id}]: Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol}", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","Accepted password"), + dup22, + ])); + + var msg72 = msg("sshd", part91); + + var part92 = match("MESSAGE#73:sshd:02", "nwparser.payload", "%{process}[%{process_id}]: Received disconnect from %{shost}: %{fld1}: %{result}", processor_chain([ + dup26, + dup21, + setc("event_description","Received disconnect"), + dup22, + ])); + + var msg73 = msg("sshd:02", part92); + + var part93 = match("MESSAGE#74:sshd:03", "nwparser.payload", "%{process}[%{process_id}]: Did not receive identification string from %{saddr}", processor_chain([ + dup29, + dup21, + setc("result","no identification string"), + setc("event_description","Did not receive identification string from peer"), + dup22, + ])); + + var msg74 = msg("sshd:03", part93); + + var part94 = match("MESSAGE#75:sshd:04", "nwparser.payload", "%{process}[%{process_id}]: Could not write ident string to %{dhost}", processor_chain([ + dup29, + dup21, + setc("event_description","Could not write ident string"), + dup22, + ])); + + var msg75 = msg("sshd:04", part94); 
+ + var part95 = match("MESSAGE#76:sshd:05", "nwparser.payload", "%{process}[%{process_id}]: subsystem request for netconf", processor_chain([ + dup20, + dup21, + setc("event_description","subsystem request for netconf"), + dup22, + ])); + + var msg76 = msg("sshd:05", part95); + + var part96 = match("MESSAGE#77:sshd:06/2", "nwparser.p0", "%{}sendmsg to %{saddr}(%{shost}).%{sport}: %{info}"); + + var all13 = all_match({ + processors: [ + dup38, + dup134, + part96, + ], + on_success: processor_chain([ + dup28, + dup21, + setc("event_description","send message stats"), + dup22, + ]), + }); + + var msg77 = msg("sshd:06", all13); + + var part97 = match("MESSAGE#78:sshd:07/2", "nwparser.p0", "%{}Added radius server %{saddr}(%{shost})"); + + var all14 = all_match({ + processors: [ + dup38, + dup134, + part97, + ], + on_success: processor_chain([ + dup41, + setc("ec_theme","Configuration"), + setc("ec_activity","Modify"), + dup36, + dup21, + setc("event_description","Added radius server"), + dup22, + ]), + }); + + var msg78 = msg("sshd:07", all14); + + var part98 = match("MESSAGE#79:sshd:08", "nwparser.payload", "%{process}[%{process_id}]: %{result}: %{space->} [%{resultcode}]authentication error", processor_chain([ + setc("eventcategory","1301020000"), + dup33, + dup42, + dup21, + setc("event_description","authentication error"), + dup22, + ])); + + var msg79 = msg("sshd:08", part98); + + var part99 = match("MESSAGE#80:sshd:09", "nwparser.payload", "%{process}[%{process_id}]: unrecognized attribute in %{policyname}: %{change_attribute}", processor_chain([ + dup29, + dup21, + setc("event_description","unrecognized attribute in policy"), + dup22, + ])); + + var msg80 = msg("sshd:09", part99); + + var part100 = match("MESSAGE#81:sshd:10", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ + dup43, + dup33, + dup42, + dup21, + setc("event_description","PAM module return from sshd"), + dup22, + ])); + 
+ var msg81 = msg("sshd:10", part100); + + var part101 = match("MESSAGE#82:sshd:11", "nwparser.payload", "%{process}: PAM authentication chain returned: %{space}[%{resultcode}]%{result}", processor_chain([ + dup43, + dup33, + dup42, + dup21, + setc("event_description","PAM authentication chain return"), + dup22, + ])); + + var msg82 = msg("sshd:11", part101); + + var part102 = match("MESSAGE#83:sshd:12", "nwparser.payload", "%{process}: %{severity}: can't get client address: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","can't get client address"), + dup22, + ])); + + var msg83 = msg("sshd:12", part102); + + var part103 = match("MESSAGE#84:sshd:13", "nwparser.payload", "%{process}: auth server unresponsive", processor_chain([ + dup29, + dup21, + setc("event_description","auth server unresponsive"), + dup22, + ])); + + var msg84 = msg("sshd:13", part103); + + var part104 = match("MESSAGE#85:sshd:14", "nwparser.payload", "%{process}: %{service}: No valid RADIUS responses received", processor_chain([ + dup29, + dup21, + setc("event_description","No valid RADIUS responses received"), + dup22, + ])); + + var msg85 = msg("sshd:14", part104); + + var part105 = match("MESSAGE#86:sshd:15", "nwparser.payload", "%{process}: Moving to next server: %{saddr}(%{shost}).%{sport}", processor_chain([ + dup20, + dup21, + setc("event_description","Moving to next server"), + dup22, + ])); + + var msg86 = msg("sshd:15", part105); + + var part106 = match("MESSAGE#87:sshd:16", "nwparser.payload", "%{fld1->} sshd: SSHD_LOGIN_FAILED: Login failed for user '%{username}' from host '%{hostip}'.", processor_chain([ + dup43, + dup33, + dup42, + dup21, + setc("event_description","Login failed for user"), + dup22, + ])); + + var msg87 = msg("sshd:16", part106); + + var select21 = linear_select([ + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + ]); + + var part107 = 
match("MESSAGE#72:Failed:05/0", "nwparser.payload", "%{process}[%{process_id}]: Failed password for %{p0}"); + + var part108 = match("MESSAGE#72:Failed:05/1_0", "nwparser.p0", "illegal user %{p0}"); + + var part109 = match("MESSAGE#72:Failed:05/1_1", "nwparser.p0", "invalid user %{p0}"); + + var select22 = linear_select([ + part108, + part109, + dup44, + ]); + + var part110 = match("MESSAGE#72:Failed:05/2", "nwparser.p0", "%{} %{username->} from %{saddr->} port %{sport->} %{protocol}"); + + var all15 = all_match({ + processors: [ + part107, + select22, + part110, + ], + on_success: processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + setc("event_description","authentication failure"), + dup22, + ]), + }); + + var msg88 = msg("Failed:05", all15); + + var part111 = match("MESSAGE#746:Failed/0", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: Failed to resolve ipv%{p0}"); + + var part112 = match("MESSAGE#746:Failed/1_0", "nwparser.p0", "4%{p0}"); + + var part113 = match("MESSAGE#746:Failed/1_1", "nwparser.p0", "6%{p0}"); + + var select23 = linear_select([ + part112, + part113, + ]); + + var part114 = match("MESSAGE#746:Failed/2", "nwparser.p0", "%{}addresses for domain name %{sdomain}"); + + var all16 = all_match({ + processors: [ + part111, + select23, + part114, + ], + on_success: processor_chain([ + dup45, + dup46, + dup22, + dup21, + ]), + }); + + var msg89 = msg("Failed", all16); + + var part115 = match("MESSAGE#767:Failed:01", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: %{fld1}", processor_chain([ + dup45, + dup22, + dup21, + ])); + + var msg90 = msg("Failed:01", part115); + + var part116 = match("MESSAGE#768:Failed:02/0_0", "nwparser.payload", "%{fld1->} to create a route if table for Multiservice "); + + var part117 = match("MESSAGE#768:Failed:02/0_1", "nwparser.payload", "%{fld10}"); + + var select24 = linear_select([ + part116, + part117, + ]); + + var all17 = all_match({ + processors: [ + select24, + ], + 
on_success: processor_chain([ + dup45, + dup22, + dup21, + setf("hostname","hfld1"), + ]), + }); + + var msg91 = msg("Failed:02", all17); + + var select25 = linear_select([ + msg88, + msg89, + msg90, + msg91, + ]); + + var part118 = match("MESSAGE#88:syslogd", "nwparser.payload", "%{process}: restart", processor_chain([ + dup20, + dup21, + setc("event_description","syslog daemon restart"), + dup22, + ])); + + var msg92 = msg("syslogd", part118); + + var part119 = match("MESSAGE#89:ucd-snmp", "nwparser.payload", "%{process}[%{process_id}]: AUDIT -- Action %{action->} User: %{username}", processor_chain([ + dup20, + dup21, + dup24, + dup22, + ])); + + var msg93 = msg("ucd-snmp", part119); + + var part120 = match("MESSAGE#90:ucd-snmp:01", "nwparser.payload", "%{process}[%{process_id}]: Received TERM or STOP signal %{space->} %{result}.", processor_chain([ + dup20, + dup21, + setc("event_description","Received TERM or STOP signal"), + dup22, + ])); + + var msg94 = msg("ucd-snmp:01", part120); + + var select26 = linear_select([ + msg93, + msg94, + ]); + + var part121 = match("MESSAGE#91:usp_ipc_client_reconnect", "nwparser.payload", "%{node->} %{process}: failed to connect to the server: %{result->} (%{resultcode})", processor_chain([ + dup26, + dup21, + setc("event_description","failed to connect to the server"), + dup22, + ])); + + var msg95 = msg("usp_ipc_client_reconnect", part121); + + var part122 = match("MESSAGE#92:usp_trace_ipc_disconnect", "nwparser.payload", "%{node->} %{process}:Trace client disconnected. 
%{result}", processor_chain([ + dup26, + dup21, + setc("event_description","Trace client disconnected"), + dup22, + ])); + + var msg96 = msg("usp_trace_ipc_disconnect", part122); + + var part123 = match("MESSAGE#93:usp_trace_ipc_reconnect", "nwparser.payload", "%{node->} %{process}:USP trace client cannot reconnect to server", processor_chain([ + dup29, + dup21, + setc("event_description","USP trace client cannot reconnect to server"), + dup22, + ])); + + var msg97 = msg("usp_trace_ipc_reconnect", part123); + + var part124 = match("MESSAGE#94:uspinfo", "nwparser.payload", "%{process}: flow_print_session_summary_output received %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","flow_print_session_summary_output received"), + dup22, + ])); + + var msg98 = msg("uspinfo", part124); + + var part125 = match("MESSAGE#95:Version", "nwparser.payload", "Version %{version->} by builder on %{event_time_string}", processor_chain([ + dup20, + dup21, + setc("event_description","Version build date"), + dup22, + ])); + + var msg99 = msg("Version", part125); + + var part126 = match("MESSAGE#96:xntpd", "nwparser.payload", "%{process}[%{process_id}]: frequency initialized %{result->} from %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","frequency initialized from file"), + dup22, + ])); + + var msg100 = msg("xntpd", part126); + + var part127 = match("MESSAGE#97:xntpd:01", "nwparser.payload", "%{process}[%{process_id}]: ntpd %{version->} %{event_time_string->} (%{resultcode})", processor_chain([ + dup20, + dup21, + setc("event_description","nptd version build"), + dup22, + ])); + + var msg101 = msg("xntpd:01", part127); + + var part128 = match("MESSAGE#98:xntpd:02", "nwparser.payload", "%{process}: kernel time sync enabled %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","kernel time sync enabled"), + dup22, + ])); + + var msg102 = msg("xntpd:02", part128); + + var part129 = match("MESSAGE#99:xntpd:03", 
"nwparser.payload", "%{process}[%{process_id}]: NTP Server %{result}", processor_chain([ + dup20, + dup21, + dup31, + dup22, + ])); + + var msg103 = msg("xntpd:03", part129); + + var select27 = linear_select([ + msg100, + msg101, + msg102, + msg103, + ]); + + var part130 = match("MESSAGE#100:last", "nwparser.payload", "last message repeated %{dclass_counter1->} times", processor_chain([ + dup20, + dup21, + setc("event_description","last message repeated"), + dup22, + ])); + + var msg104 = msg("last", part130); + + var part131 = match("MESSAGE#739:last:01", "nwparser.payload", "message repeated %{dclass_counter1->} times", processor_chain([ + dup47, + dup46, + dup22, + dup21, + dup23, + ])); + + var msg105 = msg("last:01", part131); + + var select28 = linear_select([ + msg104, + msg105, + ]); + + var part132 = match("MESSAGE#101:BCHIP", "nwparser.payload", "%{process->} %{device}: cannot write ucode mask reg", processor_chain([ + dup29, + dup21, + setc("event_description","cannot write ucode mask reg"), + dup22, + ])); + + var msg106 = msg("BCHIP", part132); + + var part133 = match("MESSAGE#102:CM", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}: On-line", processor_chain([ + dup20, + dup21, + setc("event_description","Slot on-line"), + dup22, + ])); + + var msg107 = msg("CM", part133); + + var part134 = match("MESSAGE#103:COS", "nwparser.payload", "%{process}: Received FC->Q map, %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Received FC Q map"), + dup22, + ])); + + var msg108 = msg("COS", part134); + + var part135 = match("MESSAGE#104:COSFPC", "nwparser.payload", "%{process}: ifd %{resultcode}: %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","ifd error"), + dup22, + ])); + + var msg109 = msg("COSFPC", part135); + + var part136 = match("MESSAGE#105:COSMAN", "nwparser.payload", "%{process}: %{service}: delete class_to_ifl table %{dclass_counter1}, ifl %{dclass_counter2}", processor_chain([ + dup20, + 
dup21, + setc("event_description","delete class to ifl link"), + dup22, + ])); + + var msg110 = msg("COSMAN", part136); + + var part137 = match("MESSAGE#106:RDP", "nwparser.payload", "%{process}: Keepalive timeout for rdp.(%{interface}).(%{device}) (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","Keepalive timeout"), + dup22, + ])); + + var msg111 = msg("RDP", part137); + + var part138 = match("MESSAGE#107:SNTPD", "nwparser.payload", "%{process}: Initial time of day set", processor_chain([ + dup29, + dup21, + setc("event_description","Initial time of day set"), + dup22, + ])); + + var msg112 = msg("SNTPD", part138); + + var part139 = match("MESSAGE#108:SSB", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}, serial number S/N %{serial_number}.", processor_chain([ + dup20, + dup21, + setc("event_description","Slot serial number"), + dup22, + ])); + + var msg113 = msg("SSB", part139); + + var part140 = match("MESSAGE#109:ACCT_ACCOUNTING_FERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error %{result->} from file %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","Unexpected error"), + dup22, + ])); + + var msg114 = msg("ACCT_ACCOUNTING_FERROR", part140); + + var part141 = match("MESSAGE#110:ACCT_ACCOUNTING_FOPEN_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to open file %(unknown): %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to open file"), + dup22, + ])); + + var msg115 = msg("ACCT_ACCOUNTING_FOPEN_ERROR", part141); + + var part142 = match("MESSAGE#111:ACCT_ACCOUNTING_SMALL_FILE_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File %{filename->} size (%{dclass_counter1}) is smaller than record size (%{dclass_counter2})", processor_chain([ + dup48, + dup21, + setc("event_description","File size mismatch"), + dup22, + ])); + + var msg116 = msg("ACCT_ACCOUNTING_SMALL_FILE_SIZE", 
part142); + + var part143 = match("MESSAGE#112:ACCT_BAD_RECORD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid statistics record: %{result}", processor_chain([ + dup48, + dup21, + setc("event_description","Invalid statistics record"), + dup22, + ])); + + var msg117 = msg("ACCT_BAD_RECORD_FORMAT", part143); + + var part144 = match("MESSAGE#113:ACCT_CU_RTSLIB_error", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} getting class usage statistics for interface %{interface}: %{result}", processor_chain([ + dup48, + dup21, + setc("event_description","Class usage statistics error for interface"), + dup22, + ])); + + var msg118 = msg("ACCT_CU_RTSLIB_error", part144); + + var part145 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_0", "nwparser.p0", "Error %{resultcode->} trying %{p0}"); + + var part146 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_1", "nwparser.p0", "trying %{p0}"); + + var select29 = linear_select([ + part145, + part146, + ]); + + var part147 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/2", "nwparser.p0", "%{}to get hostname"); + + var all18 = all_match({ + processors: [ + dup49, + select29, + part147, + ], + on_success: processor_chain([ + dup48, + dup21, + setc("event_description","error trying to get hostname"), + dup22, + ]), + }); + + var msg119 = msg("ACCT_GETHOSTNAME_error", all18); + + var part148 = match("MESSAGE#115:ACCT_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed while reallocating %{obj_name}", processor_chain([ + dup50, + dup21, + setc("event_description","Memory allocation failure"), + dup22, + ])); + + var msg120 = msg("ACCT_MALLOC_FAILURE", part148); + + var part149 = match("MESSAGE#116:ACCT_UNDEFINED_COUNTER_NAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} in accounting profile %{dclass_counter1->} is not defined in a firewall using this filter profile", processor_chain([ + dup29, + 
dup21, + setc("event_description","Accounting profile counter not defined in firewall"), + dup22, + ])); + + var msg121 = msg("ACCT_UNDEFINED_COUNTER_NAME", part149); + + var part150 = match("MESSAGE#117:ACCT_XFER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: %{disposition}", processor_chain([ + dup29, + dup21, + setc("event_description","ACCT_XFER_FAILED"), + dup22, + ])); + + var msg122 = msg("ACCT_XFER_FAILED", part150); + + var part151 = match("MESSAGE#118:ACCT_XFER_POPEN_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: in invoking command command to transfer file %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","POPEN FAIL invoking command command to transfer file"), + dup22, + ])); + + var msg123 = msg("ACCT_XFER_POPEN_FAIL", part151); + + var part152 = match("MESSAGE#119:APPQOS_LOG_EVENT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} timestamp=\"%{result}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" application-name=\"%{application}\" rule-set-name=\"%{rule_group}\" rule-name=\"%{rulename}\" action=\"%{action}\" argument=\"%{fld2}\" argument1=\"%{fld3}\"]", processor_chain([ + dup27, + dup21, + dup51, + ])); + + var msg124 = msg("APPQOS_LOG_EVENT", part152); + + var part153 = match("MESSAGE#120:APPTRACK_SESSION_CREATE", "nwparser.payload", "%{event_type}: AppTrack session created %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username->} %{fld10}", processor_chain([ + dup27, + dup52, + dup53, + dup21, + setc("result","AppTrack session created"), + dup22, + ])); + + var msg125 = msg("APPTRACK_SESSION_CREATE", part153); + + var part154 
= match("MESSAGE#121:APPTRACK_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup27, + dup52, + dup54, + dup21, + dup51, + ])); + + var msg126 = msg("APPTRACK_SESSION_CLOSE", part154); + + var part155 = match("MESSAGE#122:APPTRACK_SESSION_CLOSE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ + dup27, + dup52, + dup54, + dup21, + dup22, + ])); + + var msg127 = msg("APPTRACK_SESSION_CLOSE:01", part155); + + var select30 = linear_select([ + msg126, + msg127, + ]); + + var part156 = match("MESSAGE#123:APPTRACK_SESSION_VOL_UPDATE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" 
nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup27, + dup52, + dup21, + dup51, + ])); + + var msg128 = msg("APPTRACK_SESSION_VOL_UPDATE", part156); + + var part157 = match("MESSAGE#124:APPTRACK_SESSION_VOL_UPDATE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ + dup27, + dup52, + dup21, + dup22, + ])); + + var msg129 = msg("APPTRACK_SESSION_VOL_UPDATE:01", part157); + + var select31 = linear_select([ + msg128, + msg129, + ]); + + var msg130 = msg("BFDD_TRAP_STATE_DOWN", dup135); + + var msg131 = msg("BFDD_TRAP_STATE_UP", dup135); + + var part158 = match("MESSAGE#127:bgp_connect_start", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect %{saddr->} (%{shost}): %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","bgp connect error"), + dup22, + ])); + + var msg132 = msg("bgp_connect_start", part158); + + var part159 = match("MESSAGE#128:bgp_event", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) old state %{change_old->} event %{action->} new state %{change_new}", processor_chain([ + dup20, + dup21, + setc("event_description","bgp peer state change"), + dup22, + ])); + + var msg133 = msg("bgp_event", part159); + + var part160 = 
match("MESSAGE#129:bgp_listen_accept", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection attempt from unconfigured neighbor: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Connection attempt from unconfigured neighbor"), + dup22, + ])); + + var msg134 = msg("bgp_listen_accept", part160); + + var part161 = match("MESSAGE#130:bgp_listen_reset", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","bgp reset"), + dup22, + ])); + + var msg135 = msg("bgp_listen_reset", part161); + + var part162 = match("MESSAGE#131:bgp_nexthop_sanity", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) next hop %{saddr->} local, %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","peer next hop local"), + dup22, + ])); + + var msg136 = msg("bgp_nexthop_sanity", part162); + + var part163 = match("MESSAGE#132:bgp_process_caps", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{severity->} (%{action}) subcode %{version->} (%{result}) value %{disposition}", processor_chain([ + dup29, + dup21, + setc("event_description","code RED error NOTIFICATION sent"), + dup22, + ])); + + var msg137 = msg("bgp_process_caps", part163); + + var part164 = match("MESSAGE#133:bgp_process_caps:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ + dup29, + dup21, + dup56, + dup22, + ])); + + var msg138 = msg("bgp_process_caps:01", part164); + + var select32 = linear_select([ + msg137, + msg138, + ]); + + var part165 = match("MESSAGE#134:bgp_pp_recv", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: dropping %{daddr->} (%{dhost}), %{info->} (%{protocol})", processor_chain([ + dup29, + dup21, + setc("event_description","connection 
collision"), + setc("result","dropping connection to peer"), + dup22, + ])); + + var msg139 = msg("bgp_pp_recv", part165); + + var part166 = match("MESSAGE#135:bgp_pp_recv:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}): received unexpected EOF", processor_chain([ + dup29, + dup21, + setc("event_description","peer received unexpected EOF"), + dup22, + ])); + + var msg140 = msg("bgp_pp_recv:01", part166); + + var select33 = linear_select([ + msg139, + msg140, + ]); + + var part167 = match("MESSAGE#136:bgp_send", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sending %{sbytes->} bytes to %{daddr->} (%{dhost}) blocked (%{disposition}): %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","bgp send blocked error"), + dup22, + ])); + + var msg141 = msg("bgp_send", part167); + + var part168 = match("MESSAGE#137:bgp_traffic_timeout", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","bgp timeout NOTIFICATION sent"), + dup22, + ])); + + var msg142 = msg("bgp_traffic_timeout", part168); + + var part169 = match("MESSAGE#138:BOOTPD_ARG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring unknown option %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","boot argument error"), + dup22, + ])); + + var msg143 = msg("BOOTPD_ARG_ERR", part169); + + var part170 = match("MESSAGE#139:BOOTPD_BAD_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","boot unexpected Id value"), + dup22, + ])); + + var msg144 = msg("BOOTPD_BAD_ID", part170); + + var part171 = match("MESSAGE#140:BOOTPD_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Boot string: 
%(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","Invalid boot string"), + dup22, + ])); + + var msg145 = msg("BOOTPD_BOOTSTRING", part171); + + var part172 = match("MESSAGE#141:BOOTPD_CONFIG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file '%(unknown)', %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","configuration file error"), + dup22, + ])); + + var msg146 = msg("BOOTPD_CONFIG_ERR", part172); + + var part173 = match("MESSAGE#142:BOOTPD_CONF_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open configuration file '%(unknown)'", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to open configuration file"), + dup22, + ])); + + var msg147 = msg("BOOTPD_CONF_OPEN", part173); + + var part174 = match("MESSAGE#143:BOOTPD_DUP_REV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate revision: %{version}", processor_chain([ + dup29, + dup21, + setc("event_description","boot - Duplicate revision"), + dup22, + ])); + + var msg148 = msg("BOOTPD_DUP_REV", part174); + + var part175 = match("MESSAGE#144:BOOTPD_DUP_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate slot default: %{ssid}", processor_chain([ + dup29, + dup21, + setc("event_description","boot - duplicate slot"), + dup22, + ])); + + var msg149 = msg("BOOTPD_DUP_SLOT", part175); + + var part176 = match("MESSAGE#145:BOOTPD_MODEL_CHK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{id->} for model %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","Unexpected ID for model"), + dup22, + ])); + + var msg150 = msg("BOOTPD_MODEL_CHK", part176); + + var part177 = match("MESSAGE#146:BOOTPD_MODEL_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unsupported model %{dclass_counter1}, %{result}", processor_chain([ + dup29, + dup21, + 
setc("event_description","Unsupported model"), + dup22, + ])); + + var msg151 = msg("BOOTPD_MODEL_ERR", part177); + + var part178 = match("MESSAGE#147:BOOTPD_NEW_CONF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: New configuration installed", processor_chain([ + dup20, + dup21, + setc("event_description","New configuration installed"), + dup22, + ])); + + var msg152 = msg("BOOTPD_NEW_CONF", part178); + + var part179 = match("MESSAGE#148:BOOTPD_NO_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No boot string found for type %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","No boot string found"), + dup22, + ])); + + var msg153 = msg("BOOTPD_NO_BOOTSTRING", part179); + + var part180 = match("MESSAGE#149:BOOTPD_NO_CONFIG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No configuration file '%(unknown)', %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","No configuration file found"), + dup22, + ])); + + var msg154 = msg("BOOTPD_NO_CONFIG", part180); + + var part181 = match("MESSAGE#150:BOOTPD_PARSE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): number parse errors on SIGHUP", processor_chain([ + dup29, + dup21, + setc("event_description","parse errors on SIGHUP"), + dup22, + ])); + + var msg155 = msg("BOOTPD_PARSE_ERR", part181); + + var part182 = match("MESSAGE#151:BOOTPD_REPARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reparsing configuration file '%(unknown)'", processor_chain([ + dup20, + dup21, + setc("event_description","Reparsing configuration file"), + dup22, + ])); + + var msg156 = msg("BOOTPD_REPARSE", part182); + + var part183 = match("MESSAGE#152:BOOTPD_SELECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","select error"), + dup22, + ])); + + var msg157 = 
msg("BOOTPD_SELECT_ERR", part183); + + var part184 = match("MESSAGE#153:BOOTPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout %{result->} unreasonable", processor_chain([ + dup29, + dup21, + setc("event_description","timeout unreasonable"), + dup22, + ])); + + var msg158 = msg("BOOTPD_TIMEOUT", part184); + + var part185 = match("MESSAGE#154:BOOTPD_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version: %{version->} built by builder on %{event_time_string}", processor_chain([ + dup20, + dup21, + setc("event_description","boot version built"), + dup22, + ])); + + var msg159 = msg("BOOTPD_VERSION", part185); + + var part186 = match("MESSAGE#155:CHASSISD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{version->} built by builder on %{event_time_string}", processor_chain([ + dup57, + dup21, + setc("event_description","CHASSISD release built"), + dup22, + ])); + + var msg160 = msg("CHASSISD", part186); + + var part187 = match("MESSAGE#156:CHASSISD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown option %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD Unknown option"), + dup22, + ])); + + var msg161 = msg("CHASSISD_ARGUMENT_ERROR", part187); + + var part188 = match("MESSAGE#157:CHASSISD_BLOWERS_SPEED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers are now running at normal speed", processor_chain([ + dup20, + dup21, + setc("event_description","Fans and impellers are now running at normal speed"), + dup22, + ])); + + var msg162 = msg("CHASSISD_BLOWERS_SPEED", part188); + + var part189 = match("MESSAGE#158:CHASSISD_BLOWERS_SPEED_FULL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers being set to full speed [%{result}]", processor_chain([ + dup20, + dup21, + setc("event_description","Fans and impellers being set to full speed"), + dup22, + ])); + + var 
msg163 = msg("CHASSISD_BLOWERS_SPEED_FULL", part189); + + var part190 = match("MESSAGE#159:CHASSISD_CB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading midplane ID EEPROM, %{dclass_counter1->} %{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","reading midplane ID EEPROM"), + dup22, + ])); + + var msg164 = msg("CHASSISD_CB_READ", part190); + + var part191 = match("MESSAGE#160:CHASSISD_COMMAND_ACK_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} online ack code %{dclass_counter1->} - - %{result}, %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD COMMAND ACK ERROR"), + dup22, + ])); + + var msg165 = msg("CHASSISD_COMMAND_ACK_ERROR", part191); + + var part192 = match("MESSAGE#161:CHASSISD_COMMAND_ACK_SF_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{disposition->} - %{result}, code %{resultcode}, SFM %{dclass_counter1}, FPC %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD COMMAND ACK SF ERROR"), + dup22, + ])); + + var msg166 = msg("CHASSISD_COMMAND_ACK_SF_ERROR", part192); + + var part193 = match("MESSAGE#162:CHASSISD_CONCAT_MODE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cannot set no-concatenated mode for FPC %{dclass_counter2->} PIC %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","Cannot set no-concatenated mode for FPC"), + dup22, + ])); + + var msg167 = msg("CHASSISD_CONCAT_MODE_ERROR", part193); + + var part194 = match("MESSAGE#163:CHASSISD_CONFIG_INIT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file %(unknown); %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CONFIG File Problem"), + dup22, + ])); + + var msg168 = msg("CHASSISD_CONFIG_INIT_ERROR", part194); + + var part195 = 
match("MESSAGE#164:CHASSISD_CONFIG_WARNING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): %{result}, FPC %{dclass_counter2->} %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD CONFIG WARNING"), + dup22, + ])); + + var msg169 = msg("CHASSISD_CONFIG_WARNING", part195); + + var part196 = match("MESSAGE#165:CHASSISD_EXISTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd already running; %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","chassisd already running"), + dup22, + ])); + + var msg170 = msg("CHASSISD_EXISTS", part196); + + var part197 = match("MESSAGE#166:CHASSISD_EXISTS_TERM_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Killing existing chassisd and exiting", processor_chain([ + dup20, + dup21, + setc("event_description","Killing existing chassisd and exiting"), + dup22, + ])); + + var msg171 = msg("CHASSISD_EXISTS_TERM_OTHER", part197); + + var part198 = match("MESSAGE#167:CHASSISD_FILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File open: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","file open error"), + dup22, + ])); + + var msg172 = msg("CHASSISD_FILE_OPEN", part198); + + var part199 = match("MESSAGE#168:CHASSISD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File stat: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD file statistics error"), + dup22, + ])); + + var msg173 = msg("CHASSISD_FILE_STAT", part199); + + var part200 = match("MESSAGE#169:CHASSISD_FRU_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD received restart EVENT"), + dup22, + ])); + + var msg174 = 
msg("CHASSISD_FRU_EVENT", part200); + + var part201 = match("MESSAGE#170:CHASSISD_FRU_IPC_WRITE_ERROR_EXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} FRU %(unknown)#%{resultcode}, %{result->} %{dclass_counter1}, %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD restart WRITE_ERROR"), + dup22, + ])); + + var msg175 = msg("CHASSISD_FRU_IPC_WRITE_ERROR_EXT", part201); + + var part202 = match("MESSAGE#171:CHASSISD_FRU_STEP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} %{resultcode->} at step %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD FRU STEP ERROR"), + dup22, + ])); + + var msg176 = msg("CHASSISD_FRU_STEP_ERROR", part202); + + var part203 = match("MESSAGE#172:CHASSISD_GETTIMEOFDAY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error from gettimeofday: %{resultcode->} - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","Unexpected error from gettimeofday"), + dup22, + ])); + + var msg177 = msg("CHASSISD_GETTIMEOFDAY", part203); + + var part204 = match("MESSAGE#173:CHASSISD_HOST_TEMP_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading host temperature sensor", processor_chain([ + dup20, + dup21, + setc("event_description","reading host temperature sensor"), + dup22, + ])); + + var msg178 = msg("CHASSISD_HOST_TEMP_READ", part204); + + var part205 = match("MESSAGE#174:CHASSISD_IFDEV_DETACH_ALL_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ + dup20, + dup21, + setc("event_description","detaching all pseudo devices"), + dup22, + ])); + + var msg179 = msg("CHASSISD_IFDEV_DETACH_ALL_PSEUDO", part205); + + var part206 = match("MESSAGE#175:CHASSISD_IFDEV_DETACH_FPC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
%{service}(%{resultcode})", processor_chain([ + dup20, + dup21, + setc("event_description","CHASSISD IFDEV DETACH FPC"), + dup22, + ])); + + var msg180 = msg("CHASSISD_IFDEV_DETACH_FPC", part206); + + var part207 = match("MESSAGE#176:CHASSISD_IFDEV_DETACH_PIC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{resultcode})", processor_chain([ + dup20, + dup21, + setc("event_description","CHASSISD IFDEV DETACH PIC"), + dup22, + ])); + + var msg181 = msg("CHASSISD_IFDEV_DETACH_PIC", part207); + + var part208 = match("MESSAGE#177:CHASSISD_IFDEV_DETACH_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ + dup20, + dup21, + setc("event_description","CHASSISD IFDEV DETACH PSEUDO"), + dup22, + ])); + + var msg182 = msg("CHASSISD_IFDEV_DETACH_PSEUDO", part208); + + var part209 = match("MESSAGE#178:CHASSISD_IFDEV_DETACH_TLV_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD IFDEV DETACH TLV ERROR"), + dup22, + ])); + + var msg183 = msg("CHASSISD_IFDEV_DETACH_TLV_ERROR", part209); + + var part210 = match("MESSAGE#179:CHASSISD_IFDEV_GET_BY_INDEX_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: rtslib_ifdm_get_by_index failed: %{resultcode->} - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","rtslib_ifdm_get_by_index failed"), + dup22, + ])); + + var msg184 = msg("CHASSISD_IFDEV_GET_BY_INDEX_FAIL", part210); + + var part211 = match("MESSAGE#180:CHASSISD_IPC_MSG_QFULL_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Message Queue full"), + dup22, + ])); + + var msg185 = msg("CHASSISD_IPC_MSG_QFULL_ERROR", part211); + + var part212 = 
match("MESSAGE#181:CHASSISD_IPC_UNEXPECTED_RECV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received unexpected message from %{service}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Received unexpected message"), + dup22, + ])); + + var msg186 = msg("CHASSISD_IPC_UNEXPECTED_RECV", part212); + + var part213 = match("MESSAGE#182:CHASSISD_IPC_WRITE_ERR_NO_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection pipe %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","FRU has no connection pipe"), + dup22, + ])); + + var msg187 = msg("CHASSISD_IPC_WRITE_ERR_NO_PIPE", part213); + + var part214 = match("MESSAGE#183:CHASSISD_IPC_WRITE_ERR_NULL_ARGS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection arguments %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","FRU has no connection arguments"), + dup22, + ])); + + var msg188 = msg("CHASSISD_IPC_WRITE_ERR_NULL_ARGS", part214); + + var part215 = match("MESSAGE#184:CHASSISD_MAC_ADDRESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd MAC address allocation error", processor_chain([ + dup29, + dup21, + setc("event_description","chassisd MAC address allocation error"), + dup22, + ])); + + var msg189 = msg("CHASSISD_MAC_ADDRESS_ERROR", part215); + + var part216 = match("MESSAGE#185:CHASSISD_MAC_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using default MAC address base", processor_chain([ + dup20, + dup21, + setc("event_description","Using default MAC address base"), + dup22, + ])); + + var msg190 = msg("CHASSISD_MAC_DEFAULT", part216); + + var part217 = match("MESSAGE#186:CHASSISD_MBUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} %{resultcode}: management bus failed sanity test", processor_chain([ + dup29, + dup21, + 
setc("event_description","management bus failed sanity test"), + dup22, + ])); + + var msg191 = msg("CHASSISD_MBUS_ERROR", part217); + + var part218 = match("MESSAGE#187:CHASSISD_PARSE_COMPLETE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using new configuration", processor_chain([ + dup20, + dup21, + setc("event_description","Using new configuration"), + dup22, + ])); + + var msg192 = msg("CHASSISD_PARSE_COMPLETE", part218); + + var part219 = match("MESSAGE#188:CHASSISD_PARSE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{resultcode->} %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD PARSE ERROR"), + dup22, + ])); + + var msg193 = msg("CHASSISD_PARSE_ERROR", part219); + + var part220 = match("MESSAGE#189:CHASSISD_PARSE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Parsing configuration file '%(unknown)'", processor_chain([ + dup20, + dup21, + setc("event_description","Parsing configuration file"), + dup22, + ])); + + var msg194 = msg("CHASSISD_PARSE_INIT", part220); + + var part221 = match("MESSAGE#190:CHASSISD_PIDFILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open PID file '%(unknown)': %{result->} %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to open PID file"), + dup22, + ])); + + var msg195 = msg("CHASSISD_PIDFILE_OPEN", part221); + + var part222 = match("MESSAGE#191:CHASSISD_PIPE_WRITE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Pipe error: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Pipe error"), + dup22, + ])); + + var msg196 = msg("CHASSISD_PIPE_WRITE_ERROR", part222); + + var part223 = match("MESSAGE#192:CHASSISD_POWER_CHECK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} %{dclass_counter1->} not powering up", processor_chain([ + dup58, + dup21, + 
setc("event_description","device not powering up"), + dup22, + ])); + + var msg197 = msg("CHASSISD_POWER_CHECK", part223); + + var part224 = match("MESSAGE#193:CHASSISD_RECONNECT_SUCCESSFUL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Successfully reconnected on soft restart", processor_chain([ + dup20, + dup21, + setc("event_description","Successful reconnect on soft restart"), + dup22, + ])); + + var msg198 = msg("CHASSISD_RECONNECT_SUCCESSFUL", part224); + + var part225 = match("MESSAGE#194:CHASSISD_RELEASE_MASTERSHIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Release mastership notification", processor_chain([ + dup20, + dup21, + setc("event_description","Release mastership notification"), + dup22, + ])); + + var msg199 = msg("CHASSISD_RELEASE_MASTERSHIP", part225); + + var part226 = match("MESSAGE#195:CHASSISD_RE_INIT_INVALID_RE_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: re_init: re %{resultcode}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","re_init Invalid RE slot"), + dup22, + ])); + + var msg200 = msg("CHASSISD_RE_INIT_INVALID_RE_SLOT", part226); + + var part227 = match("MESSAGE#196:CHASSISD_ROOT_MOUNT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine the mount point for root directory: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to determine mount point for root directory"), + dup22, + ])); + + var msg201 = msg("CHASSISD_ROOT_MOUNT_ERROR", part227); + + var part228 = match("MESSAGE#197:CHASSISD_RTS_SEQ_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifmsg sequence gap %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","ifmsg sequence gap"), + dup22, + ])); + + var msg202 = msg("CHASSISD_RTS_SEQ_ERROR", part228); + + var part229 = match("MESSAGE#198:CHASSISD_SBOARD_VERSION_MISMATCH", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ + setc("eventcategory","1603040000"), + dup21, + setc("event_description","Version mismatch"), + dup22, + ])); + + var msg203 = msg("CHASSISD_SBOARD_VERSION_MISMATCH", part229); + + var part230 = match("MESSAGE#199:CHASSISD_SERIAL_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Serial ID read error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","Serial ID read error"), + dup22, + ])); + + var msg204 = msg("CHASSISD_SERIAL_ID", part230); + + var part231 = match("MESSAGE#200:CHASSISD_SMB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: fpga download not complete: val %{resultcode}, %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","fpga download not complete"), + dup22, + ])); + + var msg205 = msg("CHASSISD_SMB_ERROR", part231); + + var part232 = match("MESSAGE#201:CHASSISD_SNMP_TRAP6", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap generated: %{result->} (%{info})", processor_chain([ + dup57, + dup21, + setc("event_description","SNMP Trap6 generated"), + dup22, + ])); + + var msg206 = msg("CHASSISD_SNMP_TRAP6", part232); + + var part233 = match("MESSAGE#202:CHASSISD_SNMP_TRAP7", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP Trap7 generated"), + dup22, + ])); + + var msg207 = msg("CHASSISD_SNMP_TRAP7", part233); + + var part234 = match("MESSAGE#203:CHASSISD_SNMP_TRAP10", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP trap - FRU power on"), + dup22, + ])); + + var msg208 = msg("CHASSISD_SNMP_TRAP10", part234); + + var part235 = 
match("MESSAGE#204:CHASSISD_TERM_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received SIGTERM request, %{result}", processor_chain([ + dup59, + dup21, + setc("event_description","Received SIGTERM request"), + dup22, + ])); + + var msg209 = msg("CHASSISD_TERM_SIGNAL", part235); + + var part236 = match("MESSAGE#205:CHASSISD_TRACE_PIC_OFFLINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Taking PIC offline - - FPC slot %{dclass_counter1}, PIC slot %{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","Taking PIC offline"), + dup22, + ])); + + var msg210 = msg("CHASSISD_TRACE_PIC_OFFLINE", part236); + + var part237 = match("MESSAGE#206:CHASSISD_UNEXPECTED_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} returned %{resultcode}: %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","UNEXPECTED EXIT"), + dup22, + ])); + + var msg211 = msg("CHASSISD_UNEXPECTED_EXIT", part237); + + var part238 = match("MESSAGE#207:CHASSISD_UNSUPPORTED_MODEL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Model %{dclass_counter1->} unsupported with this version of chassisd", processor_chain([ + dup58, + dup21, + setc("event_description","Model number unsupported with this version of chassisd"), + dup22, + ])); + + var msg212 = msg("CHASSISD_UNSUPPORTED_MODEL", part238); + + var part239 = match("MESSAGE#208:CHASSISD_VERSION_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ + dup58, + dup21, + setc("event_description","Chassisd Version mismatch"), + dup22, + ])); + + var msg213 = msg("CHASSISD_VERSION_MISMATCH", part239); + + var part240 = match("MESSAGE#209:CHASSISD_HIGH_TEMP_CONDITION", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} temperature=\"%{fld2}\" message=\"%{info}\"]", processor_chain([ + dup58, + dup21, + 
setc("event_description","CHASSISD HIGH TEMP CONDITION"), + dup60, + dup61, + ])); + + var msg214 = msg("CHASSISD_HIGH_TEMP_CONDITION", part240); + + var part241 = match("MESSAGE#210:clean_process", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: process %{agent->} RESTART mode %{event_state->} new master=%{obj_name->} old failover=%{change_old->} new failover = %{change_new}", processor_chain([ + dup20, + dup21, + setc("event_description","process RESTART mode"), + dup22, + ])); + + var msg215 = msg("clean_process", part241); + + var part242 = match("MESSAGE#211:CM_JAVA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Chassis %{group->} Linklocal MAC:%{macaddr}", processor_chain([ + dup20, + dup21, + setc("event_description","Chassis Linklocal to MAC"), + dup22, + ])); + + var msg216 = msg("CM_JAVA", part242); + + var part243 = match("MESSAGE#212:DCD_AS_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup62, + dup21, + setc("event_description","DCD must be run as root"), + dup22, + ])); + + var msg217 = msg("DCD_AS_ROOT", part243); + + var part244 = match("MESSAGE#213:DCD_FILTER_LIB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Filter library initialization failed", processor_chain([ + dup29, + dup21, + setc("event_description","Filter library initialization failed"), + dup22, + ])); + + var msg218 = msg("DCD_FILTER_LIB_ERROR", part244); + + var msg219 = msg("DCD_MALLOC_FAILED_INIT", dup136); + + var part245 = match("MESSAGE#215:DCD_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration file", processor_chain([ + dup29, + dup21, + setc("event_description","errors while parsing configuration file"), + dup22, + ])); + + var msg220 = msg("DCD_PARSE_EMERGENCY", part245); + + var part246 = match("MESSAGE#216:DCD_PARSE_FILTER_EMERGENCY", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing filter index file", processor_chain([ + dup29, + dup21, + setc("event_description","errors while parsing filter index file"), + dup22, + ])); + + var msg221 = msg("DCD_PARSE_FILTER_EMERGENCY", part246); + + var part247 = match("MESSAGE#217:DCD_PARSE_MINI_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration overlay", processor_chain([ + dup29, + dup21, + setc("event_description","errors while parsing configuration overlay"), + dup22, + ])); + + var msg222 = msg("DCD_PARSE_MINI_EMERGENCY", part247); + + var part248 = match("MESSAGE#218:DCD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: An unhandled state was encountered during interface parsing", processor_chain([ + dup29, + dup21, + setc("event_description","unhandled state was encountered during interface parsing"), + dup22, + ])); + + var msg223 = msg("DCD_PARSE_STATE_EMERGENCY", part248); + + var part249 = match("MESSAGE#219:DCD_POLICER_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing policer indexfile", processor_chain([ + dup29, + dup21, + setc("event_description","errors while parsing policer indexfile"), + dup22, + ])); + + var msg224 = msg("DCD_POLICER_PARSE_EMERGENCY", part249); + + var part250 = match("MESSAGE#220:DCD_PULL_LOG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to pull file %{filename->} after %{dclass_counter1->} retries last error=%{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to pull file"), + dup22, + ])); + + var msg225 = msg("DCD_PULL_LOG_FAILURE", part250); + + var part251 = match("MESSAGE#221:DFWD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","DFWD ARGUMENT 
ERROR"), + dup22, + ])); + + var msg226 = msg("DFWD_ARGUMENT_ERROR", part251); + + var msg227 = msg("DFWD_MALLOC_FAILED_INIT", dup136); + + var part252 = match("MESSAGE#223:DFWD_PARSE_FILTER_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered errors while parsing filter index file", processor_chain([ + dup29, + dup21, + setc("event_description","errors encountered while parsing filter index file"), + dup22, + ])); + + var msg228 = msg("DFWD_PARSE_FILTER_EMERGENCY", part252); + + var part253 = match("MESSAGE#224:DFWD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered unhandled state while parsing interface", processor_chain([ + dup29, + dup21, + setc("event_description","encountered unhandled state while parsing interface"), + dup22, + ])); + + var msg229 = msg("DFWD_PARSE_STATE_EMERGENCY", part253); + + var msg230 = msg("ECCD_DAEMONIZE_FAILED", dup137); + + var msg231 = msg("ECCD_DUPLICATE", dup138); + + var part254 = match("MESSAGE#227:ECCD_LOOP_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MainLoop return value: %{disposition}, error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ECCD LOOP EXIT FAILURE"), + dup22, + ])); + + var msg232 = msg("ECCD_LOOP_EXIT_FAILURE", part254); + + var part255 = match("MESSAGE#228:ECCD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup62, + dup21, + setc("event_description","ECCD Must be run as root"), + dup22, + ])); + + var msg233 = msg("ECCD_NOT_ROOT", part255); + + var part256 = match("MESSAGE#229:ECCD_PCI_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: open() failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ECCD PCI FILE OPEN FAILED"), + dup22, + ])); + + var msg234 = msg("ECCD_PCI_FILE_OPEN_FAILED", part256); + + var 
part257 = match("MESSAGE#230:ECCD_PCI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","PCI read failure"), + dup22, + ])); + + var msg235 = msg("ECCD_PCI_READ_FAILED", part257); + + var part258 = match("MESSAGE#231:ECCD_PCI_WRITE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","PCI write failure"), + dup22, + ])); + + var msg236 = msg("ECCD_PCI_WRITE_FAILED", part258); + + var msg237 = msg("ECCD_PID_FILE_LOCK", dup139); + + var msg238 = msg("ECCD_PID_FILE_UPDATE", dup140); + + var part259 = match("MESSAGE#234:ECCD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ECCD TRACE FILE OPEN FAILURE"), + dup22, + ])); + + var msg239 = msg("ECCD_TRACE_FILE_OPEN_FAILED", part259); + + var part260 = match("MESSAGE#235:ECCD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","ECCD Usage"), + dup22, + ])); + + var msg240 = msg("ECCD_usage", part260); + + var part261 = match("MESSAGE#236:EVENTD_AUDIT_SHOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} viewed security audit log with arguments: %{param}", processor_chain([ + dup20, + dup21, + setc("event_description","User viewed security audit log with arguments"), + dup22, + ])); + + var msg241 = msg("EVENTD_AUDIT_SHOW", part261); + + var part262 = match("MESSAGE#237:FLOW_REASSEMBLE_SUCCEED", "nwparser.payload", "%{event_type}: Packet merged source %{saddr->} destination %{daddr->} ipid %{fld11->} succeed", processor_chain([ + dup20, + dup21, + dup22, + ])); + + var msg242 = msg("FLOW_REASSEMBLE_SUCCEED", part262); + + var part263 = 
match("MESSAGE#238:FSAD_CHANGE_FILE_OWNER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to change owner of file `%(unknown)' to user %{username}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to change owner of file"), + dup22, + ])); + + var msg243 = msg("FSAD_CHANGE_FILE_OWNER", part263); + + var part264 = match("MESSAGE#239:FSAD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","FSAD CONFIG ERROR"), + dup22, + ])); + + var msg244 = msg("FSAD_CONFIG_ERROR", part264); + + var part265 = match("MESSAGE#240:FSAD_CONNTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection timed out to the client (%{shost}, %{saddr}) having request type %{obj_type}", processor_chain([ + dup29, + dup21, + setc("event_description","Connection timed out to client"), + dup22, + ])); + + var msg245 = msg("FSAD_CONNTIMEDOUT", part265); + + var part266 = match("MESSAGE#241:FSAD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","FSAD_FAILED"), + dup22, + ])); + + var msg246 = msg("FSAD_FAILED", part266); + + var part267 = match("MESSAGE#242:FSAD_FETCHTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fetch to server %{hostname->} for file `%(unknown)' timed out", processor_chain([ + dup29, + dup21, + setc("event_description","Fetch to server to get file timed out"), + dup22, + ])); + + var msg247 = msg("FSAD_FETCHTIMEDOUT", part267); + + var part268 = match("MESSAGE#243:FSAD_FILE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: fn failed for file `%(unknown)' with error message %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","fn failed for file"), + dup22, + ])); + + var msg248 = 
msg("FSAD_FILE_FAILED", part268); + + var part269 = match("MESSAGE#244:FSAD_FILE_REMOVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to remove file `%(unknown)': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to remove file"), + dup22, + ])); + + var msg249 = msg("FSAD_FILE_REMOVE", part269); + + var part270 = match("MESSAGE#245:FSAD_FILE_RENAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to rename file `%(unknown)' to `%{resultcode}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to rename file"), + dup22, + ])); + + var msg250 = msg("FSAD_FILE_RENAME", part270); + + var part271 = match("MESSAGE#246:FSAD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed for file pathname %(unknown): %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","stat failed for file"), + dup22, + ])); + + var msg251 = msg("FSAD_FILE_STAT", part271); + + var part272 = match("MESSAGE#247:FSAD_FILE_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to sync file %(unknown)': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to sync file"), + dup22, + ])); + + var msg252 = msg("FSAD_FILE_SYNC", part272); + + var part273 = match("MESSAGE#248:FSAD_MAXCONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Upper limit reached in fsad for handling connections", processor_chain([ + dup29, + dup21, + setc("event_description","Upper limit reached in fsad"), + dup22, + ])); + + var msg253 = msg("FSAD_MAXCONN", part273); + + var part274 = match("MESSAGE#249:FSAD_MEMORYALLOC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed in the function %{action->} (%{resultcode})", processor_chain([ + dup50, + dup21, + setc("event_description","FSAD MEMORYALLOC FAILED"), + dup22, + ])); + + var msg254 = 
msg("FSAD_MEMORYALLOC_FAILED", part274); + + var part275 = match("MESSAGE#250:FSAD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup62, + dup21, + setc("event_description","FSAD must be run as root"), + dup22, + ])); + + var msg255 = msg("FSAD_NOT_ROOT", part275); + + var part276 = match("MESSAGE#251:FSAD_PARENT_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: invalid directory: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","invalid directory"), + dup22, + ])); + + var msg256 = msg("FSAD_PARENT_DIRECTORY", part276); + + var part277 = match("MESSAGE#252:FSAD_PATH_IS_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File path cannot be a directory (%(unknown))", processor_chain([ + dup29, + dup21, + setc("event_description","File path cannot be a directory"), + dup22, + ])); + + var msg257 = msg("FSAD_PATH_IS_DIRECTORY", part277); + + var part278 = match("MESSAGE#253:FSAD_PATH_IS_SPECIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Not a regular file (%(unknown))", processor_chain([ + dup29, + dup21, + setc("event_description","Not a regular file"), + dup22, + ])); + + var msg258 = msg("FSAD_PATH_IS_SPECIAL", part278); + + var part279 = match("MESSAGE#254:FSAD_RECVERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fsad received error message from client having request type %{obj_type->} at (%{saddr}, %{sport})", processor_chain([ + dup29, + dup21, + setc("event_description","fsad received error message from client"), + dup22, + ])); + + var msg259 = msg("FSAD_RECVERROR", part279); + + var part280 = match("MESSAGE#255:FSAD_TERMINATED_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open file %(unknown)` closed due to %{result}", processor_chain([ + dup26, + dup21, + setc("event_description","FSAD TERMINATED CONNECTION"), + dup22, + ])); + + 
var msg260 = msg("FSAD_TERMINATED_CONNECTION", part280); + + var part281 = match("MESSAGE#256:FSAD_TERMINATING_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received terminating %{resultcode}; %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Received terminating signal"), + dup22, + ])); + + var msg261 = msg("FSAD_TERMINATING_SIGNAL", part281); + + var part282 = match("MESSAGE#257:FSAD_TRACEOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open operation on trace file `%(unknown)' returned error %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Open operation on trace file failed"), + dup22, + ])); + + var msg262 = msg("FSAD_TRACEOPEN_FAILED", part282); + + var part283 = match("MESSAGE#258:FSAD_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage, %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Incorrect FSAD usage"), + dup22, + ])); + + var msg263 = msg("FSAD_USAGE", part283); + + var part284 = match("MESSAGE#259:GGSN_ALARM_TRAP_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","GGSN ALARM TRAP FAILED"), + dup22, + ])); + + var msg264 = msg("GGSN_ALARM_TRAP_FAILED", part284); + + var part285 = match("MESSAGE#260:GGSN_ALARM_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","GGSN ALARM TRAP SEND FAILED"), + dup22, + ])); + + var msg265 = msg("GGSN_ALARM_TRAP_SEND", part285); + + var part286 = match("MESSAGE#261:GGSN_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown trap request type %{obj_type}", processor_chain([ + dup29, + dup21, + setc("event_description","Unknown trap request type"), + dup22, + ])); + + var msg266 = 
msg("GGSN_TRAP_SEND", part286); + + var part287 = match("MESSAGE#262:JADE_AUTH_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authorization failed: %{result}", processor_chain([ + dup68, + dup33, + setc("ec_subject","Service"), + dup42, + dup21, + setc("event_description","Authorization failed"), + dup22, + ])); + + var msg267 = msg("JADE_AUTH_ERROR", part287); + + var part288 = match("MESSAGE#263:JADE_EXEC_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: CLI %{resultcode->} %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","JADE EXEC ERROR"), + dup22, + ])); + + var msg268 = msg("JADE_EXEC_ERROR", part288); + + var part289 = match("MESSAGE#264:JADE_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local user %{username->} does not exist", processor_chain([ + dup29, + dup21, + setc("event_description","Local user does not exist"), + dup22, + ])); + + var msg269 = msg("JADE_NO_LOCAL_USER", part289); + + var part290 = match("MESSAGE#265:JADE_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","JADE PAM error"), + dup22, + ])); + + var msg270 = msg("JADE_PAM_ERROR", part290); + + var part291 = match("MESSAGE#266:JADE_PAM_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get local username from PAM: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to get local username from PAM"), + dup22, + ])); + + var msg271 = msg("JADE_PAM_NO_LOCAL_USER", part291); + + var part292 = match("MESSAGE#267:KERN_ARP_ADDR_CHANGE", "nwparser.payload", "%{process}: %{event_type}: arp info overwritten for %{saddr->} from %{smacaddr->} to %{dmacaddr}", processor_chain([ + dup29, + dup21, + setc("event_description","arp info overwritten"), + dup22, + ])); + + var msg272 = msg("KERN_ARP_ADDR_CHANGE", 
part292); + + var part293 = match("MESSAGE#268:KMD_PM_SA_ESTABLISHED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local gateway: %{gateway}, Remote gateway: %{fld1}, Local ID:%{fld2}, Remote ID:%{fld3}, Direction:%{fld4}, SPI:%{fld5}", processor_chain([ + dup29, + dup21, + setc("event_description","security association has been established"), + dup22, + ])); + + var msg273 = msg("KMD_PM_SA_ESTABLISHED", part293); + + var part294 = match("MESSAGE#269:L2CPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialized", processor_chain([ + dup20, + dup21, + setc("event_description","Task Reinitialized"), + dup60, + dup22, + ])); + + var msg274 = msg("L2CPD_TASK_REINIT", part294); + + var part295 = match("MESSAGE#270:LIBJNX_EXEC_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal='%{obj_type}' %{result}, command '%{action}'", processor_chain([ + dup20, + dup21, + dup69, + dup22, + ])); + + var msg275 = msg("LIBJNX_EXEC_EXITED", part295); + + var part296 = match("MESSAGE#271:LIBJNX_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Child exec failed for command"), + dup22, + ])); + + var msg276 = msg("LIBJNX_EXEC_FAILED", part296); + + var msg277 = msg("LIBJNX_EXEC_PIPE", dup141); + + var part297 = match("MESSAGE#273:LIBJNX_EXEC_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command received signal: PID %{child_pid}, signal %{result}, command '%{action}'", processor_chain([ + dup29, + dup21, + setc("event_description","Command received signal"), + dup22, + ])); + + var msg278 = msg("LIBJNX_EXEC_SIGNALED", part297); + + var part298 = match("MESSAGE#274:LIBJNX_EXEC_WEXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{result}, command 
'%{action}'", processor_chain([ + dup20, + dup21, + dup71, + dup22, + ])); + + var msg279 = msg("LIBJNX_EXEC_WEXIT", part298); + + var part299 = match("MESSAGE#275:LIBJNX_FILE_COPY_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: copy_file_to_transfer_dir failed to copy from source to destination", processor_chain([ + dup72, + dup21, + setc("event_description","copy_file_to_transfer_dir failed to copy"), + dup22, + ])); + + var msg280 = msg("LIBJNX_FILE_COPY_FAILED", part299); + + var part300 = match("MESSAGE#276:LIBJNX_PRIV_LOWER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lower privilege level: %{result}", processor_chain([ + dup72, + dup21, + setc("event_description","Unable to lower privilege level"), + dup22, + ])); + + var msg281 = msg("LIBJNX_PRIV_LOWER_FAILED", part300); + + var part301 = match("MESSAGE#277:LIBJNX_PRIV_RAISE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to raise privilege level: %{result}", processor_chain([ + dup72, + dup21, + setc("event_description","Unable to raise privilege level"), + dup22, + ])); + + var msg282 = msg("LIBJNX_PRIV_RAISE_FAILED", part301); + + var part302 = match("MESSAGE#278:LIBJNX_REPLICATE_RCP_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup72, + dup21, + setc("event_description","rcp failed"), + dup22, + ])); + + var msg283 = msg("LIBJNX_REPLICATE_RCP_EXEC_FAILED", part302); + + var part303 = match("MESSAGE#279:LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode->} %{dclass_counter1->} -f %{action}: %{result}", processor_chain([ + dup72, + dup21, + setc("event_description","ROTATE COMPRESS EXEC FAILED"), + dup22, + ])); + + var msg284 = msg("LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", part303); + + var part304 = match("MESSAGE#280:LIBSERVICED_CLIENT_CONNECTION", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Client connection error: %{result}", processor_chain([ + dup73, + dup21, + setc("event_description","Client connection error"), + dup22, + ])); + + var msg285 = msg("LIBSERVICED_CLIENT_CONNECTION", part304); + + var part305 = match("MESSAGE#281:LIBSERVICED_OUTBOUND_REQUEST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Outbound request failed for command [%{action}]: %{result}", processor_chain([ + dup72, + dup21, + setc("event_description","Outbound request failed for command"), + dup22, + ])); + + var msg286 = msg("LIBSERVICED_OUTBOUND_REQUEST", part305); + + var part306 = match("MESSAGE#282:LIBSERVICED_SNMP_LOST_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection closed while receiving from client %{dclass_counter1}", processor_chain([ + dup26, + dup21, + setc("event_description","Connection closed while receiving from client"), + dup22, + ])); + + var msg287 = msg("LIBSERVICED_SNMP_LOST_CONNECTION", part306); + + var part307 = match("MESSAGE#283:LIBSERVICED_SOCKET_BIND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: unable to bind socket %{ssid}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","unable to bind socket"), + dup22, + ])); + + var msg288 = msg("LIBSERVICED_SOCKET_BIND", part307); + + var part308 = match("MESSAGE#284:LIBSERVICED_SOCKET_PRIVATIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to attach socket %{ssid->} to management routing instance: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to attach socket to management routing instance"), + dup22, + ])); + + var msg289 = msg("LIBSERVICED_SOCKET_PRIVATIZE", part308); + + var part309 = match("MESSAGE#285:LICENSE_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","LICENSE EXPIRED"), + 
dup22, + ])); + + var msg290 = msg("LICENSE_EXPIRED", part309); + + var part310 = match("MESSAGE#286:LICENSE_EXPIRED_KEY_DELETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License key \"%(unknown)\" has expired.", processor_chain([ + dup20, + dup21, + setc("event_description","License key has expired"), + dup22, + ])); + + var msg291 = msg("LICENSE_EXPIRED_KEY_DELETED", part310); + + var part311 = match("MESSAGE#287:LICENSE_NEARING_EXPIRY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License for feature %{disposition->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","License key expiration soon"), + dup22, + ])); + + var msg292 = msg("LICENSE_NEARING_EXPIRY", part311); + + var part312 = match("MESSAGE#288:LOGIN_ABORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Client aborted login", processor_chain([ + dup29, + dup21, + setc("event_description","client aborted login"), + dup22, + ])); + + var msg293 = msg("LOGIN_ABORTED", part312); + + var part313 = match("MESSAGE#289:LOGIN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login failed for user %{username->} from host %{dhost}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + dup22, + ])); + + var msg294 = msg("LOGIN_FAILED", part313); + + var part314 = match("MESSAGE#290:LOGIN_FAILED_INCORRECT_PASSWORD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect password for user %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Incorrect password for user"), + dup22, + ])); + + var msg295 = msg("LOGIN_FAILED_INCORRECT_PASSWORD", part314); + + var part315 = match("MESSAGE#291:LOGIN_FAILED_SET_CONTEXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set context for user %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + 
setc("result","Failed to set context for user"), + dup22, + ])); + + var msg296 = msg("LOGIN_FAILED_SET_CONTEXT", part315); + + var part316 = match("MESSAGE#292:LOGIN_FAILED_SET_LOGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set login ID for user %{username}: %{dhost}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Failed to set login ID for user"), + dup22, + ])); + + var msg297 = msg("LOGIN_FAILED_SET_LOGIN", part316); + + var part317 = match("MESSAGE#293:LOGIN_HOSTNAME_UNRESOLVED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to resolve hostname %{dhost}: %{info}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Unable to resolve hostname"), + dup22, + ])); + + var msg298 = msg("LOGIN_HOSTNAME_UNRESOLVED", part317); + + var part318 = match("MESSAGE#294:LOGIN_INFORMATION/2", "nwparser.p0", "%{} %{event_type}: %{p0}"); + + var part319 = match("MESSAGE#294:LOGIN_INFORMATION/4", "nwparser.p0", "%{} %{username->} logged in from host %{dhost->} on %{p0}"); + + var part320 = match("MESSAGE#294:LOGIN_INFORMATION/5_0", "nwparser.p0", "device %{p0}"); + + var select34 = linear_select([ + part320, + dup44, + ]); + + var part321 = match("MESSAGE#294:LOGIN_INFORMATION/6", "nwparser.p0", "%{} %{terminal}"); + + var all19 = all_match({ + processors: [ + dup38, + dup134, + part318, + dup142, + part319, + select34, + part321, + ], + on_success: processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","Successful Login"), + dup22, + ]), + }); + + var msg299 = msg("LOGIN_INFORMATION", all19); + + var part322 = match("MESSAGE#295:LOGIN_INVALID_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No entry in local password file for user %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","No entry in 
local password file for user"), + dup22, + ])); + + var msg300 = msg("LOGIN_INVALID_LOCAL_USER", part322); + + var part323 = match("MESSAGE#296:LOGIN_MALFORMED_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid username: %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Invalid username"), + dup22, + ])); + + var msg301 = msg("LOGIN_MALFORMED_USER", part323); + + var part324 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_0", "nwparser.p0", "PAM authentication error for user %{p0}"); + + var part325 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_1", "nwparser.p0", "Failed password for user %{p0}"); + + var select35 = linear_select([ + part324, + part325, + ]); + + var part326 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/2", "nwparser.p0", "%{} %{username}"); + + var all20 = all_match({ + processors: [ + dup49, + select35, + part326, + ], + on_success: processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","PAM authentication error for user"), + dup22, + ]), + }); + + var msg302 = msg("LOGIN_PAM_AUTHENTICATION_ERROR", all20); + + var part327 = match("MESSAGE#298:LOGIN_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failure while authenticating user %{username}: %{dhost}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + setc("event_description","PAM authentication failure"), + setc("result","Failure while authenticating user"), + dup22, + ])); + + var msg303 = msg("LOGIN_PAM_ERROR", part327); + + var part328 = match("MESSAGE#299:LOGIN_PAM_MAX_RETRIES", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many retries while authenticating user %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Too many retries while authenticating user"), + dup22, + ])); + + var msg304 = 
msg("LOGIN_PAM_MAX_RETRIES", part328); + + var part329 = match("MESSAGE#300:LOGIN_PAM_NONLOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} authenticated but has no local login ID", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","User authenticated but has no local login ID"), + dup22, + ])); + + var msg305 = msg("LOGIN_PAM_NONLOCAL_USER", part329); + + var part330 = match("MESSAGE#301:LOGIN_PAM_STOP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to end PAM session: %{info}", processor_chain([ + setc("eventcategory","1303000000"), + dup33, + dup42, + dup21, + setc("event_description","Failed to end PAM session"), + dup22, + ])); + + var msg306 = msg("LOGIN_PAM_STOP", part330); + + var part331 = match("MESSAGE#302:LOGIN_PAM_USER_UNKNOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Attempt to authenticate unknown user %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Attempt to authenticate unknown user"), + dup22, + ])); + + var msg307 = msg("LOGIN_PAM_USER_UNKNOWN", part331); + + var part332 = match("MESSAGE#303:LOGIN_PASSWORD_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Forcing change of expired password for user %{username}>", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Forcing change of expired password for user"), + dup22, + ])); + + var msg308 = msg("LOGIN_PASSWORD_EXPIRED", part332); + + var part333 = match("MESSAGE#304:LOGIN_REFUSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login of user %{username->} from host %{shost->} on %{terminal->} was refused: %{info}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Login of user refused"), + dup22, + ])); + + var msg309 = msg("LOGIN_REFUSED", part333); + + var 
part334 = match("MESSAGE#305:LOGIN_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} logged in as root from host %{shost->} on %{terminal}", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","successful login as root"), + setc("result","User logged in as root"), + dup22, + ])); + + var msg310 = msg("LOGIN_ROOT", part334); + + var part335 = match("MESSAGE#306:LOGIN_TIMED_OUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login attempt timed out after %{dclass_counter1->} seconds", processor_chain([ + dup43, + dup33, + dup35, + dup42, + dup21, + dup74, + setc("result","Login attempt timed out"), + dup22, + ])); + + var msg311 = msg("LOGIN_TIMED_OUT", part335); + + var part336 = match("MESSAGE#307:MIB2D_ATM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MIB2D ATM ERROR"), + dup22, + ])); + + var msg312 = msg("MIB2D_ATM_ERROR", part336); + + var part337 = match("MESSAGE#308:MIB2D_CONFIG_CHECK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CONFIG CHECK FAILED"), + dup22, + ])); + + var msg313 = msg("MIB2D_CONFIG_CHECK_FAILED", part337); + + var part338 = match("MESSAGE#309:MIB2D_FILE_OPEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)': %{result}", processor_chain([ + dup29, + dup21, + dup77, + dup22, + ])); + + var msg314 = msg("MIB2D_FILE_OPEN_FAILURE", part338); + + var msg315 = msg("MIB2D_IFD_IFINDEX_FAILURE", dup143); + + var msg316 = msg("MIB2D_IFL_IFINDEX_FAILURE", dup143); + + var part339 = match("MESSAGE#312:MIB2D_INIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mib2d initialization failure: %{result}", processor_chain([ + dup29, + dup21, + 
setc("event_description","mib2d initialization failure"), + dup22, + ])); + + var msg317 = msg("MIB2D_INIT_FAILURE", part339); + + var part340 = match("MESSAGE#313:MIB2D_KVM_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MIB2D KVM FAILURE"), + dup22, + ])); + + var msg318 = msg("MIB2D_KVM_FAILURE", part340); + + var part341 = match("MESSAGE#314:MIB2D_RTSLIB_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: failed in %{dclass_counter1->} %{dclass_counter2->} index (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","MIB2D RTSLIB READ FAILURE"), + dup22, + ])); + + var msg319 = msg("MIB2D_RTSLIB_READ_FAILURE", part341); + + var part342 = match("MESSAGE#315:MIB2D_RTSLIB_SEQ_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: sequence mismatch (%{result}), %{action}", processor_chain([ + dup29, + dup21, + setc("event_description","RTSLIB sequence mismatch"), + dup22, + ])); + + var msg320 = msg("MIB2D_RTSLIB_SEQ_MISMATCH", part342); + + var part343 = match("MESSAGE#316:MIB2D_SYSCTL_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MIB2D SYSCTL FAILURE"), + dup22, + ])); + + var msg321 = msg("MIB2D_SYSCTL_FAILURE", part343); + + var part344 = match("MESSAGE#317:MIB2D_TRAP_HEADER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: trap_request_header failed", processor_chain([ + dup29, + dup21, + setc("event_description","trap_request_header failed"), + dup22, + ])); + + var msg322 = msg("MIB2D_TRAP_HEADER_FAILURE", part344); + + var part345 = match("MESSAGE#318:MIB2D_TRAP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, 
+ dup21, + setc("event_description","MIB2D TRAP SEND FAILURE"), + dup22, + ])); + + var msg323 = msg("MIB2D_TRAP_SEND_FAILURE", part345); + + var part346 = match("MESSAGE#319:Multiuser", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: old requested_transition==%{change_new->} sighupped=%{result}", processor_chain([ + dup20, + dup21, + setc("event_description","user sighupped"), + dup22, + ])); + + var msg324 = msg("Multiuser", part346); + + var part347 = match("MESSAGE#320:NASD_AUTHENTICATION_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate authentication handle: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to allocate authentication handle"), + dup22, + ])); + + var msg325 = msg("NASD_AUTHENTICATION_CREATE_FAILED", part347); + + var part348 = match("MESSAGE#321:NASD_CHAP_AUTHENTICATION_IN_PROGRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown), authentication already in progress", processor_chain([ + dup79, + dup33, + dup42, + dup21, + setc("event_description","authentication already in progress"), + dup22, + ])); + + var msg326 = msg("NASD_CHAP_AUTHENTICATION_IN_PROGRESS", part348); + + var part349 = match("MESSAGE#322:NASD_CHAP_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: unable to obtain hostname for outgoing CHAP message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","unable to obtain hostname for outgoing CHAP message"), + dup22, + ])); + + var msg327 = msg("NASD_CHAP_GETHOSTNAME_FAILED", part349); + + var part350 = match("MESSAGE#323:NASD_CHAP_INVALID_CHAP_IDENTIFIER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %{filename->} expected CHAP ID: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","CHAP INVALID_CHAP IDENTIFIER"), + dup22, + ])); + + var msg328 
= msg("NASD_CHAP_INVALID_CHAP_IDENTIFIER", part350); + + var part351 = match("MESSAGE#324:NASD_CHAP_INVALID_OPCODE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}.%{dclass_counter1}: invalid operation code received %(unknown), CHAP ID: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","CHAP INVALID OPCODE"), + dup22, + ])); + + var msg329 = msg("NASD_CHAP_INVALID_OPCODE", part351); + + var part352 = match("MESSAGE#325:NASD_CHAP_LOCAL_NAME_UNAVAILABLE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine value for '%{username}' in outgoing CHAP packet", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to determine value for username in outgoing CHAP packet"), + dup22, + ])); + + var msg330 = msg("NASD_CHAP_LOCAL_NAME_UNAVAILABLE", part352); + + var part353 = match("MESSAGE#326:NASD_CHAP_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","CHAP MESSAGE UNEXPECTED"), + dup22, + ])); + + var msg331 = msg("NASD_CHAP_MESSAGE_UNEXPECTED", part353); + + var part354 = match("MESSAGE#327:NASD_CHAP_REPLAY_ATTACK_DETECTED", "nwparser.payload", "%{process}[%{ssid}]: %{event_type}: %{interface}.%{dclass_counter1}: received %{filename->} %{result}.%{info}", processor_chain([ + dup80, + dup21, + setc("event_description","CHAP REPLAY ATTACK DETECTED"), + dup22, + ])); + + var msg332 = msg("NASD_CHAP_REPLAY_ATTACK_DETECTED", part354); + + var part355 = match("MESSAGE#328:NASD_CONFIG_GET_LAST_MODIFIED_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine last modified time of JUNOS configuration database: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to determine last modified time of JUNOS configuration database"), + dup22, + ])); + + var msg333 = 
msg("NASD_CONFIG_GET_LAST_MODIFIED_FAILED", part355); + + var msg334 = msg("NASD_DAEMONIZE_FAILED", dup137); + + var part356 = match("MESSAGE#330:NASD_DB_ALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate database object: %(unknown), %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to allocate database object"), + dup22, + ])); + + var msg335 = msg("NASD_DB_ALLOC_FAILURE", part356); + + var part357 = match("MESSAGE#331:NASD_DB_TABLE_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %(unknown), %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","DB TABLE CREATE FAILURE"), + dup22, + ])); + + var msg336 = msg("NASD_DB_TABLE_CREATE_FAILURE", part357); + + var msg337 = msg("NASD_DUPLICATE", dup138); + + var part358 = match("MESSAGE#333:NASD_EVLIB_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} with: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","EVLIB CREATE FAILURE"), + dup22, + ])); + + var msg338 = msg("NASD_EVLIB_CREATE_FAILURE", part358); + + var part359 = match("MESSAGE#334:NASD_EVLIB_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} value: %{result}, error: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","EVLIB EXIT FAILURE"), + dup22, + ])); + + var msg339 = msg("NASD_EVLIB_EXIT_FAILURE", part359); + + var part360 = match("MESSAGE#335:NASD_LOCAL_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate LOCAL module handle: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to allocate LOCAL module handle"), + dup22, + ])); + + var msg340 = msg("NASD_LOCAL_CREATE_FAILED", part360); + + var part361 = match("MESSAGE#336:NASD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be 
run as root", processor_chain([ + dup62, + dup21, + setc("event_description","NASD must be run as root"), + dup22, + ])); + + var msg341 = msg("NASD_NOT_ROOT", part361); + + var msg342 = msg("NASD_PID_FILE_LOCK", dup139); + + var msg343 = msg("NASD_PID_FILE_UPDATE", dup140); + + var part362 = match("MESSAGE#339:NASD_POST_CONFIGURE_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","POST CONFIGURE EVENT FAILED"), + dup22, + ])); + + var msg344 = msg("NASD_POST_CONFIGURE_EVENT_FAILED", part362); + + var part363 = match("MESSAGE#340:NASD_PPP_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","PPP READ FAILURE"), + dup22, + ])); + + var msg345 = msg("NASD_PPP_READ_FAILURE", part363); + + var part364 = match("MESSAGE#341:NASD_PPP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to send message"), + dup22, + ])); + + var msg346 = msg("NASD_PPP_SEND_FAILURE", part364); + + var part365 = match("MESSAGE#342:NASD_PPP_SEND_PARTIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send all of message: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to send all of message"), + dup22, + ])); + + var msg347 = msg("NASD_PPP_SEND_PARTIAL", part365); + + var part366 = match("MESSAGE#343:NASD_PPP_UNRECOGNIZED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unrecognized authentication protocol: %{protocol}", processor_chain([ + dup29, + dup21, + setc("event_description","Unrecognized authentication protocol"), + dup22, + ])); + + var msg348 = msg("NASD_PPP_UNRECOGNIZED", part366); + + var part367 = 
match("MESSAGE#344:NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} when allocating password for RADIUS: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS password allocation failure"), + dup22, + ])); + + var msg349 = msg("NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", part367); + + var part368 = match("MESSAGE#345:NASD_RADIUS_CONFIG_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS CONFIG FAILED"), + dup22, + ])); + + var msg350 = msg("NASD_RADIUS_CONFIG_FAILED", part368); + + var part369 = match("MESSAGE#346:NASD_RADIUS_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate RADIUS module handle: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to allocate RADIUS module handle"), + dup22, + ])); + + var msg351 = msg("NASD_RADIUS_CREATE_FAILED", part369); + + var part370 = match("MESSAGE#347:NASD_RADIUS_CREATE_REQUEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS CREATE REQUEST FAILED"), + dup22, + ])); + + var msg352 = msg("NASD_RADIUS_CREATE_REQUEST_FAILED", part370); + + var part371 = match("MESSAGE#348:NASD_RADIUS_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain hostname for outgoing RADIUS message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to obtain hostname for outgoing RADIUS message"), + dup22, + ])); + + var msg353 = msg("NASD_RADIUS_GETHOSTNAME_FAILED", part371); + + var part372 = match("MESSAGE#349:NASD_RADIUS_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown response from RADIUS server: %{result}", processor_chain([ + dup29, 
+ dup21, + setc("event_description","Unknown response from RADIUS server"), + dup22, + ])); + + var msg354 = msg("NASD_RADIUS_MESSAGE_UNEXPECTED", part372); + + var part373 = match("MESSAGE#350:NASD_RADIUS_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS OPEN FAILED"), + dup22, + ])); + + var msg355 = msg("NASD_RADIUS_OPEN_FAILED", part373); + + var part374 = match("MESSAGE#351:NASD_RADIUS_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS SELECT FAILED"), + dup22, + ])); + + var msg356 = msg("NASD_RADIUS_SELECT_FAILED", part374); + + var part375 = match("MESSAGE#352:NASD_RADIUS_SET_TIMER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS SET TIMER FAILED"), + dup22, + ])); + + var msg357 = msg("NASD_RADIUS_SET_TIMER_FAILED", part375); + + var part376 = match("MESSAGE#353:NASD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TRACE FILE OPEN FAILED"), + dup22, + ])); + + var msg358 = msg("NASD_TRACE_FILE_OPEN_FAILED", part376); + + var part377 = match("MESSAGE#354:NASD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","NASD Usage"), + dup22, + ])); + + var msg359 = msg("NASD_usage", part377); + + var part378 = match("MESSAGE#355:NOTICE", "nwparser.payload", "%{agent}: %{event_type}:%{action}: %{event_description}: The %{result}", processor_chain([ + dup20, + dup21, + dup22, + ])); + + var msg360 = msg("NOTICE", part378); + + var part379 = match("MESSAGE#356:PFE_FW_SYSLOG_IP", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ + dup20, + dup21, + dup81, + dup22, + ])); + + var msg361 = msg("PFE_FW_SYSLOG_IP", part379); + + var part380 = match("MESSAGE#357:PFE_FW_SYSLOG_IP:01", "nwparser.payload", "%{hostip->} %{hostname->} %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ + dup20, + dup21, + dup81, + dup22, + ])); + + var msg362 = msg("PFE_FW_SYSLOG_IP:01", part380); + + var select36 = linear_select([ + msg361, + msg362, + ]); + + var part381 = match("MESSAGE#358:PFE_NH_RESOLVE_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ + dup20, + dup21, + setc("event_description","Next-hop resolution requests throttled"), + dup22, + ])); + + var msg363 = msg("PFE_NH_RESOLVE_THROTTLED", part381); + + var part382 = match("MESSAGE#359:PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","PING TEST COMPLETED"), + dup22, + ])); + + var msg364 = msg("PING_TEST_COMPLETED", part382); + + var part383 = match("MESSAGE#360:PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","PING TEST FAILED"), + dup22, + ])); + + var msg365 = msg("PING_TEST_FAILED", part383); + + var part384 = match("MESSAGE#361:process_mode/2", "nwparser.p0", "%{} %{p0}"); + + var part385 = match("MESSAGE#361:process_mode/3_0", "nwparser.p0", "%{event_type}: %{p0}"); + + var part386 = 
match("MESSAGE#361:process_mode/3_1", "nwparser.p0", "%{event_type->} %{p0}"); + + var select37 = linear_select([ + part385, + part386, + ]); + + var part387 = match("MESSAGE#361:process_mode/4", "nwparser.p0", "%{}mode=%{protocol->} cmd=%{action->} master_mode=%{result}"); + + var all21 = all_match({ + processors: [ + dup38, + dup134, + part384, + select37, + part387, + ], + on_success: processor_chain([ + dup20, + dup21, + dup82, + dup22, + ]), + }); + + var msg366 = msg("process_mode", all21); + + var part388 = match("MESSAGE#362:process_mode:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ + dup20, + dup21, + dup82, + dup22, + ])); + + var msg367 = msg("process_mode:01", part388); + + var select38 = linear_select([ + msg366, + msg367, + ]); + + var part389 = match("MESSAGE#363:PWC_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} exiting with status %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","process exit with status"), + dup22, + ])); + + var msg368 = msg("PWC_EXIT", part389); + + var part390 = match("MESSAGE#364:PWC_HOLD_RELEASE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} released child %{child_pid->} from %{dclass_counter1->} state", processor_chain([ + dup20, + dup21, + setc("event_description","Process released child from state"), + dup22, + ])); + + var msg369 = msg("PWC_HOLD_RELEASE", part390); + + var part391 = match("MESSAGE#365:PWC_INVALID_RUNS_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}, not %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","invalid runs argument"), + dup22, + ])); + + var msg370 = msg("PWC_INVALID_RUNS_ARGUMENT", part391); + + var part392 = match("MESSAGE#366:PWC_INVALID_TIMEOUT_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","INVALID TIMEOUT ARGUMENT"), + dup22, + ])); + + var msg371 = msg("PWC_INVALID_TIMEOUT_ARGUMENT", part392); + + var part393 = match("MESSAGE#367:PWC_KILLED_BY_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} received terminating signal", processor_chain([ + dup20, + dup21, + setc("event_description","pwc process received terminating signal"), + dup22, + ])); + + var msg372 = msg("PWC_KILLED_BY_SIGNAL", part393); + + var part394 = match("MESSAGE#368:PWC_KILL_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc is sending %{resultcode->} to child %{child_pid}", processor_chain([ + dup29, + dup21, + setc("event_description","pwc is sending kill event to child"), + dup22, + ])); + + var msg373 = msg("PWC_KILL_EVENT", part394); + + var part395 = match("MESSAGE#369:PWC_KILL_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to kill process %{child_pid}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to kill process"), + dup22, + ])); + + var msg374 = msg("PWC_KILL_FAILED", part395); + + var part396 = match("MESSAGE#370:PWC_KQUEUE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: kevent failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","kevent failed"), + dup22, + ])); + + var msg375 = msg("PWC_KQUEUE_ERROR", part396); + + var part397 = match("MESSAGE#371:PWC_KQUEUE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create kqueue: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to create kqueue"), + dup22, + ])); + + var msg376 = msg("PWC_KQUEUE_INIT", part397); + + var part398 = match("MESSAGE#372:PWC_KQUEUE_REGISTER_FILTER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to register kqueue filter: 
%{agent->} for purpose: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to register kqueue filter"), + dup22, + ])); + + var msg377 = msg("PWC_KQUEUE_REGISTER_FILTER", part398); + + var part399 = match("MESSAGE#373:PWC_LOCKFILE_BAD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file has bad format: %{agent}", processor_chain([ + dup29, + dup21, + setc("event_description","PID lock file has bad format"), + dup22, + ])); + + var msg378 = msg("PWC_LOCKFILE_BAD_FORMAT", part399); + + var part400 = match("MESSAGE#374:PWC_LOCKFILE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file had error: %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","PID lock file error"), + dup22, + ])); + + var msg379 = msg("PWC_LOCKFILE_ERROR", part400); + + var part401 = match("MESSAGE#375:PWC_LOCKFILE_MISSING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not found: %{agent}", processor_chain([ + dup29, + dup21, + setc("event_description","PID lock file not found"), + dup22, + ])); + + var msg380 = msg("PWC_LOCKFILE_MISSING", part401); + + var part402 = match("MESSAGE#376:PWC_LOCKFILE_NOT_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not locked: %{agent}", processor_chain([ + dup29, + dup21, + setc("event_description","PID lock file not locked"), + dup22, + ])); + + var msg381 = msg("PWC_LOCKFILE_NOT_LOCKED", part402); + + var part403 = match("MESSAGE#377:PWC_NO_PROCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No process specified", processor_chain([ + dup29, + dup21, + setc("event_description","No process specified for PWC"), + dup22, + ])); + + var msg382 = msg("PWC_NO_PROCESS", part403); + + var part404 = match("MESSAGE#378:PWC_PROCESS_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} child %{child_pid->} exited with 
status %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","pwc process exited with status"), + dup22, + ])); + + var msg383 = msg("PWC_PROCESS_EXIT", part404); + + var part405 = match("MESSAGE#379:PWC_PROCESS_FORCED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} forcing hold down of child %{child_pid->} until signal", processor_chain([ + dup20, + dup21, + setc("event_description","Process forcing hold down of child until signalled"), + dup22, + ])); + + var msg384 = msg("PWC_PROCESS_FORCED_HOLD", part405); + + var part406 = match("MESSAGE#380:PWC_PROCESS_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} until signal", processor_chain([ + dup20, + dup21, + setc("event_description","Process holding down child until signalled"), + dup22, + ])); + + var msg385 = msg("PWC_PROCESS_HOLD", part406); + + var part407 = match("MESSAGE#381:PWC_PROCESS_HOLD_SKIPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} will not down child %{child_pid->} because of %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Process not holding down child"), + dup22, + ])); + + var msg386 = msg("PWC_PROCESS_HOLD_SKIPPED", part407); + + var part408 = match("MESSAGE#382:PWC_PROCESS_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create child process with pidpopen: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to create child process with pidpopen"), + dup22, + ])); + + var msg387 = msg("PWC_PROCESS_OPEN", part408); + + var part409 = match("MESSAGE#383:PWC_PROCESS_TIMED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Process holding down child"), + dup22, + ])); + + var msg388 = 
msg("PWC_PROCESS_TIMED_HOLD", part409); + + var part410 = match("MESSAGE#384:PWC_PROCESS_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child timed out %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Child process timed out"), + dup22, + ])); + + var msg389 = msg("PWC_PROCESS_TIMEOUT", part410); + + var part411 = match("MESSAGE#385:PWC_SIGNAL_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: signal(%{agent}) failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","signal failure"), + dup22, + ])); + + var msg390 = msg("PWC_SIGNAL_INIT", part411); + + var part412 = match("MESSAGE#386:PWC_SOCKET_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to connect socket to %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to connect socket to service"), + dup22, + ])); + + var msg391 = msg("PWC_SOCKET_CONNECT", part412); + + var part413 = match("MESSAGE#387:PWC_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create socket: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to create socket"), + dup22, + ])); + + var msg392 = msg("PWC_SOCKET_CREATE", part413); + + var part414 = match("MESSAGE#388:PWC_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to set socket option %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to set socket option"), + dup22, + ])); + + var msg393 = msg("PWC_SOCKET_OPTION", part414); + + var part415 = match("MESSAGE#389:PWC_STDOUT_WRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Write to stdout failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Write to stdout failed"), + dup22, + ])); + + var msg394 = msg("PWC_STDOUT_WRITE", part415); + + var part416 = 
match("MESSAGE#390:PWC_SYSTEM_CALL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","PWC SYSTEM CALL"), + dup22, + ])); + + var msg395 = msg("PWC_SYSTEM_CALL", part416); + + var part417 = match("MESSAGE#391:PWC_UNKNOWN_KILL_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown kill option [%{agent}]", processor_chain([ + dup29, + dup21, + setc("event_description","Unknown kill option"), + dup22, + ])); + + var msg396 = msg("PWC_UNKNOWN_KILL_OPTION", part417); + + var part418 = match("MESSAGE#392:RMOPD_ADDRESS_MULTICAST_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Multicast address is not allowed", processor_chain([ + dup29, + dup21, + setc("event_description","Multicast address not allowed"), + dup22, + ])); + + var msg397 = msg("RMOPD_ADDRESS_MULTICAST_INVALID", part418); + + var part419 = match("MESSAGE#393:RMOPD_ADDRESS_SOURCE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Source address invalid: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RMOPD ADDRESS SOURCE INVALID"), + dup22, + ])); + + var msg398 = msg("RMOPD_ADDRESS_SOURCE_INVALID", part419); + + var part420 = match("MESSAGE#394:RMOPD_ADDRESS_STRING_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to convert numeric address to string: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to convert numeric address to string"), + dup22, + ])); + + var msg399 = msg("RMOPD_ADDRESS_STRING_FAILURE", part420); + + var part421 = match("MESSAGE#395:RMOPD_ADDRESS_TARGET_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rmop_util_set_address status message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","rmop_util_set_address status message invalid"), + dup22, + ])); + + var msg400 = 
msg("RMOPD_ADDRESS_TARGET_INVALID", part421); + + var msg401 = msg("RMOPD_DUPLICATE", dup138); + + var part422 = match("MESSAGE#397:RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Only IPv4 source address is supported", processor_chain([ + dup29, + dup21, + setc("event_description","Only IPv4 source address is supported"), + dup22, + ])); + + var msg402 = msg("RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", part422); + + var part423 = match("MESSAGE#398:RMOPD_ICMP_SENDMSG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{fld1}: No route to host", processor_chain([ + dup29, + dup21, + setc("event_description","No route to host"), + dup22, + ])); + + var msg403 = msg("RMOPD_ICMP_SENDMSG_FAILURE", part423); + + var part424 = match("MESSAGE#399:RMOPD_IFINDEX_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifindex: %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","IFINDEX NOT ACTIVE"), + dup22, + ])); + + var msg404 = msg("RMOPD_IFINDEX_NOT_ACTIVE", part424); + + var part425 = match("MESSAGE#400:RMOPD_IFINDEX_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","IFINDEX NO INFO"), + dup22, + ])); + + var msg405 = msg("RMOPD_IFINDEX_NO_INFO", part425); + + var part426 = match("MESSAGE#401:RMOPD_IFNAME_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifname: %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","RMOPD IFNAME NOT ACTIVE"), + dup22, + ])); + + var msg406 = msg("RMOPD_IFNAME_NOT_ACTIVE", part426); + + var part427 = match("MESSAGE#402:RMOPD_IFNAME_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","IFNAME NO INFO"), + dup22, + 
])); + + var msg407 = msg("RMOPD_IFNAME_NO_INFO", part427); + + var part428 = match("MESSAGE#403:RMOPD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup62, + dup21, + setc("event_description","RMOPD Must be run as root"), + dup22, + ])); + + var msg408 = msg("RMOPD_NOT_ROOT", part428); + + var part429 = match("MESSAGE#404:RMOPD_ROUTING_INSTANCE_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for routing instance %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","No information for routing instance"), + dup22, + ])); + + var msg409 = msg("RMOPD_ROUTING_INSTANCE_NO_INFO", part429); + + var part430 = match("MESSAGE#405:RMOPD_TRACEROUTE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TRACEROUTE ERROR"), + dup22, + ])); + + var msg410 = msg("RMOPD_TRACEROUTE_ERROR", part430); + + var part431 = match("MESSAGE#406:RMOPD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","RMOPD usage"), + dup22, + ])); + + var msg411 = msg("RMOPD_usage", part431); + + var part432 = match("MESSAGE#407:RPD_ABORT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD ABORT"), + dup22, + ])); + + var msg412 = msg("RPD_ABORT", part432); + + var part433 = match("MESSAGE#408:RPD_ACTIVE_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Exiting with active tasks: %{agent}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD exiting with active tasks"), + dup22, + ])); + + var msg413 = msg("RPD_ACTIVE_TERMINATE", part433); + + var part434 = 
match("MESSAGE#409:RPD_ASSERT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Assertion failed %{resultcode}: file \"%(unknown)\", line %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD Assertion failed"), + dup22, + ])); + + var msg414 = msg("RPD_ASSERT", part434); + + var part435 = match("MESSAGE#410:RPD_ASSERT_SOFT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Soft assertion failed %{resultcode}: file \"%(unknown)\", line %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD Soft assertion failed"), + dup22, + ])); + + var msg415 = msg("RPD_ASSERT_SOFT", part435); + + var part436 = match("MESSAGE#411:RPD_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}", processor_chain([ + dup20, + dup21, + setc("event_description","RPD EXIT"), + dup22, + ])); + + var msg416 = msg("RPD_EXIT", part436); + + var msg417 = msg("RPD_IFL_INDEXCOLLISION", dup144); + + var msg418 = msg("RPD_IFL_NAMECOLLISION", dup144); + + var part437 = match("MESSAGE#414:RPD_ISIS_ADJDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS lost %{dclass_counter1->} adjacency to %{dclass_counter2->} on %{interface}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","IS-IS lost adjacency"), + dup22, + ])); + + var msg419 = msg("RPD_ISIS_ADJDOWN", part437); + + var part438 = match("MESSAGE#415:RPD_ISIS_ADJUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","IS-IS new adjacency"), + dup22, + ])); + + var msg420 = msg("RPD_ISIS_ADJUP", part438); + + var part439 = match("MESSAGE#416:RPD_ISIS_ADJUPNOIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to 
%{dclass_counter2->} %{interface->} without an address", processor_chain([ + dup29, + dup21, + setc("event_description","IS-IS new adjacency without an address"), + dup22, + ])); + + var msg421 = msg("RPD_ISIS_ADJUPNOIP", part439); + + var part440 = match("MESSAGE#417:RPD_ISIS_LSPCKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS %{dclass_counter1->} LSP checksum error, interface %{interface}, LSP id %{id}, sequence %{dclass_counter2}, checksum %{resultcode}, lifetime %{fld2}", processor_chain([ + dup29, + dup21, + setc("event_description","IS-IS LSP checksum error on iterface"), + dup22, + ])); + + var msg422 = msg("RPD_ISIS_LSPCKSUM", part440); + + var part441 = match("MESSAGE#418:RPD_ISIS_OVERLOAD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS database overload", processor_chain([ + dup29, + dup21, + setc("event_description","IS-IS database overload"), + dup22, + ])); + + var msg423 = msg("RPD_ISIS_OVERLOAD", part441); + + var part442 = match("MESSAGE#419:RPD_KRT_AFUNSUPRT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: received %{agent->} message with unsupported address family %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","message with unsupported address family received"), + dup22, + ])); + + var msg424 = msg("RPD_KRT_AFUNSUPRT", part442); + + var part443 = match("MESSAGE#420:RPD_KRT_CCC_IFL_MODIFY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, error", processor_chain([ + dup29, + dup21, + setc("event_description","RPD KRT CCC IFL MODIFY"), + dup22, + ])); + + var msg425 = msg("RPD_KRT_CCC_IFL_MODIFY", part443); + + var part444 = match("MESSAGE#421:RPD_KRT_DELETED_RTT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: received deleted routing table from the kernel for family %{dclass_counter1->} table ID %{dclass_counter2}", processor_chain([ + dup29, + dup21, + 
setc("event_description","received deleted routing table from kernel"), + dup22, + ])); + + var msg426 = msg("RPD_KRT_DELETED_RTT", part444); + + var part445 = match("MESSAGE#422:RPD_KRT_IFA_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifa generation mismatch -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ifa generation mismatch"), + dup22, + ])); + + var msg427 = msg("RPD_KRT_IFA_GENERATION", part445); + + var part446 = match("MESSAGE#423:RPD_KRT_IFDCHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} CHANGE for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ + dup29, + dup21, + setc("event_description","CHANGE for ifd failed"), + dup22, + ])); + + var msg428 = msg("RPD_KRT_IFDCHANGE", part446); + + var part447 = match("MESSAGE#424:RPD_KRT_IFDEST_GET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} SERVICE: %{service->} for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ + dup29, + dup21, + setc("event_description","GET SERVICE failure on interface"), + dup22, + ])); + + var msg429 = msg("RPD_KRT_IFDEST_GET", part447); + + var part448 = match("MESSAGE#425:RPD_KRT_IFDGET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} GET index for ifd interface failed, error \"%{result}\"", processor_chain([ + dup29, + dup21, + setc("event_description","GET index for ifd interface failed"), + dup22, + ])); + + var msg430 = msg("RPD_KRT_IFDGET", part448); + + var part449 = match("MESSAGE#426:RPD_KRT_IFD_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifd %{dclass_counter1->} generation mismatch -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ifd generation mismatch"), + dup22, + ])); + + var msg431 = msg("RPD_KRT_IFD_GENERATION", part449); + + var part450 = match("MESSAGE#427:RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","KRT IFL CELL RELAY MODE INVALID"), + dup22, + ])); + + var msg432 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", part450); + + var part451 = match("MESSAGE#428:RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","KRT IFL CELL RELAY MODE UNSPECIFIED"), + dup22, + ])); + + var msg433 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", part451); + + var part452 = match("MESSAGE#429:RPD_KRT_IFL_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl %{interface->} generation mismatch -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ifl generation mismatch"), + dup22, + ])); + + var msg434 = msg("RPD_KRT_IFL_GENERATION", part452); + + var part453 = match("MESSAGE#430:RPD_KRT_KERNEL_BAD_ROUTE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: lost %{interface->} %{dclass_counter1->} for route %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","lost interface for route"), + dup22, + ])); + + var msg435 = msg("RPD_KRT_KERNEL_BAD_ROUTE", part453); + + var part454 = match("MESSAGE#431:RPD_KRT_NEXTHOP_OVERFLOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: number of next hops (%{dclass_counter1}) exceeded the maximum allowed (%{dclass_counter2}) -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","number of next hops exceeded the maximum"), + dup22, + ])); + + var msg436 = msg("RPD_KRT_NEXTHOP_OVERFLOW", part454); + + var part455 = match("MESSAGE#432:RPD_KRT_NOIFD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No device %{dclass_counter1->} for interface %{interface}", processor_chain([ + dup29, + dup21, + 
setc("event_description","No device for interface"), + dup22, + ])); + + var msg437 = msg("RPD_KRT_NOIFD", part455); + + var part456 = match("MESSAGE#433:RPD_KRT_UNKNOWN_RTT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: received routing table message for unknown table with kernel ID %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","received routing table message for unknown table"), + dup22, + ])); + + var msg438 = msg("RPD_KRT_UNKNOWN_RTT", part456); + + var part457 = match("MESSAGE#434:RPD_KRT_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket version mismatch (%{info}) -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Routing socket version mismatch"), + dup22, + ])); + + var msg439 = msg("RPD_KRT_VERSION", part457); + + var part458 = match("MESSAGE#435:RPD_KRT_VERSIONNONE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is not supported by kernel, %{info->} -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Routing socket message type not supported by kernel"), + dup22, + ])); + + var msg440 = msg("RPD_KRT_VERSIONNONE", part458); + + var part459 = match("MESSAGE#436:RPD_KRT_VERSIONOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is older than expected (%{info}) -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Routing socket message type version is older than expected"), + dup22, + ])); + + var msg441 = msg("RPD_KRT_VERSIONOLD", part459); + + var part460 = match("MESSAGE#437:RPD_LDP_INTF_BLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate session ID detected from %{daddr}, interface %{interface}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Duplicate session ID detected"), + dup22, + ])); 
+ + var msg442 = msg("RPD_LDP_INTF_BLOCKED", part460); + + var part461 = match("MESSAGE#438:RPD_LDP_INTF_UNBLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP interface %{interface->} is now %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","LDP interface now unblocked"), + dup22, + ])); + + var msg443 = msg("RPD_LDP_INTF_UNBLOCKED", part461); + + var part462 = match("MESSAGE#439:RPD_LDP_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ + setc("eventcategory","1603030000"), + dup21, + setc("event_description","LDP neighbor down"), + dup22, + ])); + + var msg444 = msg("RPD_LDP_NBRDOWN", part462); + + var part463 = match("MESSAGE#440:RPD_LDP_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","LDP neighbor up"), + dup22, + ])); + + var msg445 = msg("RPD_LDP_NBRUP", part463); + + var part464 = match("MESSAGE#441:RPD_LDP_SESSIONDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is down, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","LDP session down"), + dup22, + ])); + + var msg446 = msg("RPD_LDP_SESSIONDOWN", part464); + + var part465 = match("MESSAGE#442:RPD_LDP_SESSIONUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is up", processor_chain([ + dup20, + dup21, + setc("event_description","LDP session up"), + dup22, + ])); + + var msg447 = msg("RPD_LDP_SESSIONUP", part465); + + var part466 = match("MESSAGE#443:RPD_LOCK_FLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to obtain a lock"), + dup22, + ])); + + var msg448 = 
msg("RPD_LOCK_FLOCKED", part466); + + var part467 = match("MESSAGE#444:RPD_LOCK_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to obtain service lock"), + dup22, + ])); + + var msg449 = msg("RPD_LOCK_LOCKED", part467); + + var part468 = match("MESSAGE#445:RPD_MPLS_LSP_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","MPLS LSP CHANGE"), + dup22, + ])); + + var msg450 = msg("RPD_MPLS_LSP_CHANGE", part468); + + var part469 = match("MESSAGE#446:RPD_MPLS_LSP_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MPLS LSP DOWN"), + dup22, + ])); + + var msg451 = msg("RPD_MPLS_LSP_DOWN", part469); + + var part470 = match("MESSAGE#447:RPD_MPLS_LSP_SWITCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}, Route %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","MPLS LSP SWITCH"), + dup22, + ])); + + var msg452 = msg("RPD_MPLS_LSP_SWITCH", part470); + + var part471 = match("MESSAGE#448:RPD_MPLS_LSP_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","MPLS LSP UP"), + dup22, + ])); + + var msg453 = msg("RPD_MPLS_LSP_UP", part471); + + var part472 = match("MESSAGE#449:RPD_MSDP_PEER_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MSDP PEER DOWN"), + dup22, + ])); + + var msg454 = msg("RPD_MSDP_PEER_DOWN", part472); + + var part473 = match("MESSAGE#450:RPD_MSDP_PEER_UP", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","MSDP PEER UP"), + dup22, + ])); + + var msg455 = msg("RPD_MSDP_PEER_UP", part473); + + var part474 = match("MESSAGE#451:RPD_OSPF_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","OSPF neighbor down"), + dup22, + ])); + + var msg456 = msg("RPD_OSPF_NBRDOWN", part474); + + var part475 = match("MESSAGE#452:RPD_OSPF_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","OSPF neighbor up"), + dup22, + ])); + + var msg457 = msg("RPD_OSPF_NBRUP", part475); + + var part476 = match("MESSAGE#453:RPD_OS_MEMHIGH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using %{dclass_counter1->} KB of memory, %{info}", processor_chain([ + dup50, + dup21, + setc("event_description","OS MEMHIGH"), + dup22, + ])); + + var msg458 = msg("RPD_OS_MEMHIGH", part476); + + var part477 = match("MESSAGE#454:RPD_PIM_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM neighbor %{daddr->} timeout interface %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","PIM neighbor down"), + setc("result","timeout"), + dup22, + ])); + + var msg459 = msg("RPD_PIM_NBRDOWN", part477); + + var part478 = match("MESSAGE#455:RPD_PIM_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM new neighbor %{daddr->} interface %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","PIM neighbor up"), + dup22, + ])); + + var msg460 = msg("RPD_PIM_NBRUP", part478); + + var part479 = match("MESSAGE#456:RPD_RDISC_CKSUM", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Bad checksum for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Bad checksum for router solicitation"), + dup22, + ])); + + var msg461 = msg("RPD_RDISC_CKSUM", part479); + + var part480 = match("MESSAGE#457:RPD_RDISC_NOMULTI", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring interface %{dclass_counter1->} on %{interface->} -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Ignoring interface"), + dup22, + ])); + + var msg462 = msg("RPD_RDISC_NOMULTI", part480); + + var part481 = match("MESSAGE#458:RPD_RDISC_NORECVIF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to locate interface for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to locate interface for router"), + dup22, + ])); + + var msg463 = msg("RPD_RDISC_NORECVIF", part481); + + var part482 = match("MESSAGE#459:RPD_RDISC_SOLICITADDR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Expected multicast (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Expected multicast for router solicitation"), + dup22, + ])); + + var msg464 = msg("RPD_RDISC_SOLICITADDR", part482); + + var part483 = match("MESSAGE#460:RPD_RDISC_SOLICITICMP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Nonzero ICMP code (%{resultcode}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Nonzero ICMP code for router solicitation"), + dup22, + ])); + + var msg465 = msg("RPD_RDISC_SOLICITICMP", part483); + + var part484 = match("MESSAGE#461:RPD_RDISC_SOLICITLEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Insufficient length (%{dclass_counter1}) for router solicitation from %{saddr->} 
to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Insufficient length for router solicitation"), + dup22, + ])); + + var msg466 = msg("RPD_RDISC_SOLICITLEN", part484); + + var part485 = match("MESSAGE#462:RPD_RIP_AUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Update with invalid authentication from %{saddr->} (%{interface})", processor_chain([ + dup29, + dup21, + setc("event_description","RIP update with invalid authentication"), + dup22, + ])); + + var msg467 = msg("RPD_RIP_AUTH", part485); + + var part486 = match("MESSAGE#463:RPD_RIP_JOIN_BROADCAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get broadcast address %{interface}; %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RIP - unable to get broadcast address"), + dup22, + ])); + + var msg468 = msg("RPD_RIP_JOIN_BROADCAST", part486); + + var part487 = match("MESSAGE#464:RPD_RIP_JOIN_MULTICAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to join multicast group %{interface}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RIP - Unable to join multicast group"), + dup22, + ])); + + var msg469 = msg("RPD_RIP_JOIN_MULTICAST", part487); + + var part488 = match("MESSAGE#465:RPD_RT_IFUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: UP route for interface %{interface->} index %{dclass_counter1->} %{saddr}/%{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","RIP interface up"), + dup22, + ])); + + var msg470 = msg("RPD_RT_IFUP", part488); + + var msg471 = msg("RPD_SCHED_CALLBACK_LONGRUNTIME", dup145); + + var part489 = match("MESSAGE#467:RPD_SCHED_CUMULATIVE_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime (%{result}) after action of module", processor_chain([ + dup29, + dup21, + setc("event_description","excessive runtime after action of module"), + 
dup22, + ])); + + var msg472 = msg("RPD_SCHED_CUMULATIVE_LONGRUNTIME", part489); + + var msg473 = msg("RPD_SCHED_MODULE_LONGRUNTIME", dup145); + + var part490 = match("MESSAGE#469:RPD_SCHED_TASK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} ran for %{dclass_counter1}(%{dclass_counter2})", processor_chain([ + dup29, + dup21, + setc("event_description","task extended runtime"), + dup22, + ])); + + var msg474 = msg("RPD_SCHED_TASK_LONGRUNTIME", part490); + + var part491 = match("MESSAGE#470:RPD_SIGNAL_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} termination signal received", processor_chain([ + dup29, + dup21, + setc("event_description","termination signal received for service"), + dup22, + ])); + + var msg475 = msg("RPD_SIGNAL_TERMINATE", part491); + + var part492 = match("MESSAGE#471:RPD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Start %{dclass_counter1->} version version built %{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","version built"), + dup22, + ])); + + var msg476 = msg("RPD_START", part492); + + var part493 = match("MESSAGE#472:RPD_SYSTEM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: detail: %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","system command"), + dup22, + ])); + + var msg477 = msg("RPD_SYSTEM", part493); + + var part494 = match("MESSAGE#473:RPD_TASK_BEGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commencing routing updates, version %{dclass_counter1}, built %{dclass_counter2->} by builder", processor_chain([ + dup20, + dup21, + setc("event_description","Commencing routing updates"), + dup22, + ])); + + var msg478 = msg("RPD_TASK_BEGIN", part494); + + var part495 = match("MESSAGE#474:RPD_TASK_CHILDKILLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ + dup20, + 
dup21, + setc("event_description","task killed by signal"), + dup22, + ])); + + var msg479 = msg("RPD_TASK_CHILDKILLED", part495); + + var part496 = match("MESSAGE#475:RPD_TASK_CHILDSTOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","task stopped by signal"), + dup22, + ])); + + var msg480 = msg("RPD_TASK_CHILDSTOPPED", part496); + + var part497 = match("MESSAGE#476:RPD_TASK_FORK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork task: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to fork task"), + dup22, + ])); + + var msg481 = msg("RPD_TASK_FORK", part497); + + var part498 = match("MESSAGE#477:RPD_TASK_GETWD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: getwd: %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","RPD TASK GETWD"), + dup22, + ])); + + var msg482 = msg("RPD_TASK_GETWD", part498); + + var part499 = match("MESSAGE#478:RPD_TASK_NOREINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialization not possible", processor_chain([ + dup29, + dup21, + setc("event_description","Reinitialization not possible"), + dup22, + ])); + + var msg483 = msg("RPD_TASK_NOREINIT", part499); + + var part500 = match("MESSAGE#479:RPD_TASK_PIDCLOSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to close and remove %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to close and remove task"), + dup22, + ])); + + var msg484 = msg("RPD_TASK_PIDCLOSED", part500); + + var part501 = match("MESSAGE#480:RPD_TASK_PIDFLOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: flock(%{agent}, %{action}): %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD TASK PIDFLOCK"), + dup22, + ])); + + var msg485 = msg("RPD_TASK_PIDFLOCK", 
part501); + + var part502 = match("MESSAGE#481:RPD_TASK_PIDWRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to write %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to write"), + dup22, + ])); + + var msg486 = msg("RPD_TASK_PIDWRITE", part502); + + var msg487 = msg("RPD_TASK_REINIT", dup146); + + var part503 = match("MESSAGE#483:RPD_TASK_SIGNALIGNORE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sigaction(%{result}): %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","ignoring task signal"), + dup22, + ])); + + var msg488 = msg("RPD_TASK_SIGNALIGNORE", part503); + + var part504 = match("MESSAGE#484:RT_COS", "nwparser.payload", "%{process}: %{event_type}: COS IPC op %{dclass_counter1->} (%{agent}) failed, err %{resultcode->} (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","COS IPC op failed"), + dup22, + ])); + + var msg489 = msg("RT_COS", part504); + + var part505 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/2", "nwparser.p0", "%{fld5}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{p0}"); + + var part506 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{fld10}\" dst-nat-rule-%{p0}"); + + var part507 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_0", "nwparser.p0", "type=%{fld21->} dst-nat-rule-name=\"%{fld11}\"%{p0}"); + + var part508 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_1", "nwparser.p0", "name=\"%{fld11}\"%{p0}"); + + var select39 = linear_select([ + part507, + part508, + ]); + + var part509 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/6", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{fld13}\" username=\"%{username}\" roles=\"%{fld15}\" 
packet-incoming-interface=\"%{p0}"); + + var part510 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_0", "nwparser.p0", "%{dinterface}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" encrypted=%{fld8->} %{p0}"); + + var select40 = linear_select([ + part510, + dup91, + ]); + + var all22 = all_match({ + processors: [ + dup86, + dup147, + part505, + dup148, + part506, + select39, + part509, + select40, + dup92, + ], + on_success: processor_chain([ + dup27, + dup52, + dup53, + dup21, + dup51, + ]), + }); + + var msg490 = msg("RT_FLOW_SESSION_CREATE:02", all22); + + var part511 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/1_0", "nwparser.p0", "%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-type=\"%{fld20}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-type=\"%{fld10}\" dst-nat-rule-name=\"%{rule_template}\"%{p0}"); + + var part512 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/1_1", "nwparser.p0", "%{dport}\"%{p0}"); + + var select41 = linear_select([ + part511, + part512, + ]); + + var part513 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/2", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{p0}"); + + var part514 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/3_0", "nwparser.p0", "%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" username=\"%{username}\" roles=\"%{fld50}\" packet-incoming-interface=\"%{dinterface}\" application=\"%{application}\" nested-application=\"%{fld7}\" encrypted=\"%{fld8}\"%{p0}"); + + var part515 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/3_1", "nwparser.p0", "%{policyname}\"%{p0}"); + + var select42 = linear_select([ + part514, + part515, + ]); + + var all23 = all_match({ + processors: [ + dup86, + select41, + part513, + select42, + dup92, + ], + on_success: processor_chain([ + dup27, + dup52, + dup53, + 
dup21, + dup51, + ]), + }); + + var msg491 = msg("RT_FLOW_SESSION_CREATE", all23); + + var part516 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_0", "nwparser.payload", "%{process}: %{event_type}: session created%{p0}"); + + var part517 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_1", "nwparser.payload", "%{event_type}: session created%{p0}"); + + var select43 = linear_select([ + part516, + part517, + ]); + + var part518 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/1", "nwparser.p0", "%{} %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{p0}"); + + var part519 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_0", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{protocol->} %{fld15->} UNKNOWN UNKNOWN "); + + var part520 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_1", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{fld15->} "); + + var part521 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_2", "nwparser.p0", "%{info->} "); + + var select44 = linear_select([ + part519, + part520, + part521, + ]); + + var all24 = all_match({ + processors: [ + select43, + part518, + select44, + ], + on_success: processor_chain([ + dup27, + dup52, + dup53, + dup21, + setc("event_description","session created"), + dup22, + ]), + }); + + var msg492 = msg("RT_FLOW_SESSION_CREATE:01", all24); + + var select45 = linear_select([ + msg490, + msg491, + msg492, + ]); + + var part522 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/2", "nwparser.p0", "%{fld5}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" 
username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{p0}"); + + var part523 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_0", "nwparser.p0", "%{dinterface}\" encrypted=\"%{fld16}\" reason=\"%{result}\" src-vrf-grp=\"%{fld99}\" dst-vrf-grp=\"%{fld98}\"%{p0}"); + + var part524 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_1", "nwparser.p0", "%{dinterface}\" encrypted=%{fld16->} reason=\"%{result}\"%{p0}"); + + var select46 = linear_select([ + part523, + part524, + dup91, + ]); + + var all25 = all_match({ + processors: [ + dup86, + dup147, + part522, + select46, + dup92, + ], + on_success: processor_chain([ + dup93, + dup52, + dup94, + dup21, + dup51, + ]), + }); + + var msg493 = msg("RT_FLOW_SESSION_DENY:02", all25); + + var part525 = match("MESSAGE#489:RT_FLOW_SESSION_DENY", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\"]", processor_chain([ + dup93, + dup52, + dup94, + dup21, + dup51, + ])); + + var msg494 = msg("RT_FLOW_SESSION_DENY", part525); + + var part526 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/1", "nwparser.p0", "%{} %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone->} HTTP %{info}"); + + var all26 = all_match({ + processors: [ + dup149, + part526, + ], + on_success: processor_chain([ + dup26, + dup52, + dup94, + dup21, + dup97, + dup22, + ]), + }); + + var msg495 = msg("RT_FLOW_SESSION_DENY:03", all26); + + var part527 = match("MESSAGE#491:RT_FLOW_SESSION_DENY:01/1", "nwparser.p0", "%{} %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone}"); + + var all27 = all_match({ + processors: [ + dup149, + part527, + ], + on_success: processor_chain([ + dup26, + dup52, + dup94, + dup21, + dup97, + dup22, + ]), + }); + + var msg496 = 
msg("RT_FLOW_SESSION_DENY:01", all27); + + var select47 = linear_select([ + msg493, + msg494, + msg495, + msg496, + ]); + + var part528 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/6", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{p0}"); + + var part529 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_0", "nwparser.p0", "%{duration}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); + + var part530 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_1", "nwparser.p0", "%{duration}\"%{p0}"); + + var select48 = linear_select([ + part529, + part530, + ]); + + var all28 = all_match({ + processors: [ + dup98, + dup147, + dup99, + dup148, + dup100, + dup150, + part528, + select48, + dup92, + ], + on_success: processor_chain([ + dup26, + dup52, + dup54, + dup103, + dup21, + dup51, + ]), + }); + + var msg497 = msg("RT_FLOW_SESSION_CLOSE:01", all28); + + var part531 = match("MESSAGE#493:RT_FLOW_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" inbound-packets=\"%{packets}\" inbound-bytes=\"%{rbytes}\" outbound-packets=\"%{dclass_counter1}\" outbound-bytes=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup26, + dup52, + dup54, + dup21, + dup51, + ])); + + var msg498 = msg("RT_FLOW_SESSION_CLOSE", part531); + + var part532 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_0", "nwparser.payload", "%{process}: %{event_type}: session 
closed%{p0}"); + + var part533 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_1", "nwparser.payload", "%{event_type}: session closed%{p0}"); + + var select49 = linear_select([ + part532, + part533, + ]); + + var part534 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/1", "nwparser.p0", "%{} %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{info}"); + + var all29 = all_match({ + processors: [ + select49, + part534, + ], + on_success: processor_chain([ + dup26, + dup52, + dup54, + dup21, + setc("event_description","session closed"), + dup22, + ]), + }); + + var msg499 = msg("RT_FLOW_SESSION_CLOSE:02", all29); + + var part535 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/6", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" %{p0}"); + + var part536 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_0", "nwparser.p0", " elapsed-time=\"%{duration}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); + + var part537 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_1", "nwparser.p0", " elapsed-time=\"%{duration}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{dinterface}\" %{p0}"); + + var part538 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_2", "nwparser.p0", "elapsed-time=\"%{duration}\"%{p0}"); + + var select50 = linear_select([ + part536, + part537, + part538, + ]); + + var part539 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/8", "nwparser.p0", "] session closed %{fld60}: %{fld51}/%{fld52}->%{fld53}/%{fld54->} %{fld55->} 
%{fld56}/%{fld57}->%{fld58}/%{fld59->} %{info}"); + + var all30 = all_match({ + processors: [ + dup98, + dup147, + dup99, + dup148, + dup100, + dup150, + part535, + select50, + part539, + ], + on_success: processor_chain([ + dup26, + dup52, + dup54, + dup103, + dup21, + dup51, + dup60, + ]), + }); + + var msg500 = msg("RT_FLOW_SESSION_CLOSE:03", all30); + + var select51 = linear_select([ + msg497, + msg498, + msg499, + msg500, + ]); + + var part540 = match("MESSAGE#496:RT_SCREEN_IP", "nwparser.payload", "%{process}: %{event_type}: Fragmented traffic! source:%{saddr}, destination: %{daddr}, protocol-id: %{protocol}, zone name: %{zone}, interface name: %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","Fragmented traffic"), + dup22, + ])); + + var msg501 = msg("RT_SCREEN_IP", part540); + + var part541 = match("MESSAGE#497:RT_SCREEN_IP:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" protocol-id=\"%{protocol}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var msg502 = msg("RT_SCREEN_IP:01", part541); + + var select52 = linear_select([ + msg501, + msg502, + ]); + + var msg503 = msg("RT_SCREEN_TCP", dup151); + + var part542 = match("MESSAGE#499:RT_SCREEN_SESSION_LIMIT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" message=\"%{info}\" ip-address=\"%{hostip}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var msg504 = msg("RT_SCREEN_SESSION_LIMIT", part542); + + var msg505 = msg("RT_SCREEN_UDP", dup151); + + var part543 = match("MESSAGE#501:SERVICED_CLIENT_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: attempt to connect to interface failed with error: %{result}", 
processor_chain([ + dup26, + dup21, + setc("event_description","attempt to connect to interface failed"), + dup22, + ])); + + var msg506 = msg("SERVICED_CLIENT_CONNECT", part543); + + var part544 = match("MESSAGE#502:SERVICED_CLIENT_DISCONNECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unexpected termination of connection to interface", processor_chain([ + dup26, + dup21, + setc("event_description","unexpected termination of connection"), + dup22, + ])); + + var msg507 = msg("SERVICED_CLIENT_DISCONNECTED", part544); + + var part545 = match("MESSAGE#503:SERVICED_CLIENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: client interface connection failure: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","client interface connection failure"), + dup22, + ])); + + var msg508 = msg("SERVICED_CLIENT_ERROR", part545); + + var part546 = match("MESSAGE#504:SERVICED_COMMAND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: remote command execution failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","remote command execution failed"), + dup22, + ])); + + var msg509 = msg("SERVICED_COMMAND_FAILED", part546); + + var part547 = match("MESSAGE#505:SERVICED_COMMIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: client failed to commit configuration with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","client commit configuration failed"), + dup22, + ])); + + var msg510 = msg("SERVICED_COMMIT_FAILED", part547); + + var part548 = match("MESSAGE#506:SERVICED_CONFIGURATION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: configuration process failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","configuration process failed"), + dup22, + ])); + + var msg511 = 
msg("SERVICED_CONFIGURATION_FAILED", part548); + + var part549 = match("MESSAGE#507:SERVICED_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SERVICED CONFIG ERROR"), + dup22, + ])); + + var msg512 = msg("SERVICED_CONFIG_ERROR", part549); + + var part550 = match("MESSAGE#508:SERVICED_CONFIG_FILE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} failed to read path with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","service failed to read path"), + dup22, + ])); + + var msg513 = msg("SERVICED_CONFIG_FILE", part550); + + var part551 = match("MESSAGE#509:SERVICED_CONNECTION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SERVICED CONNECTION ERROR"), + dup22, + ])); + + var msg514 = msg("SERVICED_CONNECTION_ERROR", part551); + + var part552 = match("MESSAGE#510:SERVICED_DISABLED_GGSN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: GGSN services disabled: object: %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","GGSN services disabled"), + dup22, + ])); + + var msg515 = msg("SERVICED_DISABLED_GGSN", part552); + + var msg516 = msg("SERVICED_DUPLICATE", dup138); + + var part553 = match("MESSAGE#512:SERVICED_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: event function %{dclass_counter2->} failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","event function failed"), + dup22, + ])); + + var msg517 = msg("SERVICED_EVENT_FAILED", part553); + + var part554 = match("MESSAGE#513:SERVICED_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: initialization failed with error: %{result}", processor_chain([ + dup29, + dup21, + 
setc("event_description","service initialization failed"), + dup22, + ])); + + var msg518 = msg("SERVICED_INIT_FAILED", part554); + + var part555 = match("MESSAGE#514:SERVICED_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed to allocate [%{dclass_counter2}] object [%{dclass_counter1->} bytes %{bytes}]: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","memory allocation failure"), + dup22, + ])); + + var msg519 = msg("SERVICED_MALLOC_FAILURE", part555); + + var part556 = match("MESSAGE#515:SERVICED_NETWORK_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","NETWORK FAILURE"), + dup22, + ])); + + var msg520 = msg("SERVICED_NETWORK_FAILURE", part556); + + var part557 = match("MESSAGE#516:SERVICED_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup62, + dup21, + setc("event_description","SERVICED must be run as root"), + dup22, + ])); + + var msg521 = msg("SERVICED_NOT_ROOT", part557); + + var msg522 = msg("SERVICED_PID_FILE_LOCK", dup139); + + var msg523 = msg("SERVICED_PID_FILE_UPDATE", dup140); + + var part558 = match("MESSAGE#519:SERVICED_RTSOCK_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: routing socket sequence error, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","routing socket sequence error"), + dup22, + ])); + + var msg524 = msg("SERVICED_RTSOCK_SEQUENCE", part558); + + var part559 = match("MESSAGE#520:SERVICED_SIGNAL_HANDLER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: set up of signal name handler failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","set up of signal name handler failed"), + dup22, + ])); + + var msg525 = 
msg("SERVICED_SIGNAL_HANDLER", part559); + + var part560 = match("MESSAGE#521:SERVICED_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket create failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","socket create failed with error"), + dup22, + ])); + + var msg526 = msg("SERVICED_SOCKET_CREATE", part560); + + var part561 = match("MESSAGE#522:SERVICED_SOCKET_IO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket function %{dclass_counter2->} failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","socket function failed"), + dup22, + ])); + + var msg527 = msg("SERVICED_SOCKET_IO", part561); + + var part562 = match("MESSAGE#523:SERVICED_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unable to set socket option %{dclass_counter2}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","unable to set socket option"), + dup22, + ])); + + var msg528 = msg("SERVICED_SOCKET_OPTION", part562); + + var part563 = match("MESSAGE#524:SERVICED_STDLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","STDLIB FAILURE"), + dup22, + ])); + + var msg529 = msg("SERVICED_STDLIB_FAILURE", part563); + + var part564 = match("MESSAGE#525:SERVICED_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Incorrect service usage"), + dup22, + ])); + + var msg530 = msg("SERVICED_USAGE", part564); + + var part565 = match("MESSAGE#526:SERVICED_WORK_INCONSISTENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: object has unexpected value %{result}", processor_chain([ + dup29, + dup21, + 
setc("event_description","object has unexpected value"), + dup22, + ])); + + var msg531 = msg("SERVICED_WORK_INCONSISTENCY", part565); + + var msg532 = msg("SSL_PROXY_SSL_SESSION_ALLOW", dup152); + + var msg533 = msg("SSL_PROXY_SSL_SESSION_DROP", dup152); + + var msg534 = msg("SSL_PROXY_SESSION_IGNORE", dup152); + + var part566 = match("MESSAGE#530:SNMP_NS_LOG_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NET-SNMP version %{version->} AgentX subagent connected", processor_chain([ + dup20, + dup21, + setc("event_description","AgentX subagent connected"), + dup60, + dup22, + ])); + + var msg535 = msg("SNMP_NS_LOG_INFO", part566); + + var part567 = match("MESSAGE#531:SNMP_SUBAGENT_IPC_REG_ROWS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ns_subagent_register_mibs: registering %{dclass_counter1->} rows", processor_chain([ + dup20, + dup21, + setc("event_description","ns_subagent registering rows"), + dup60, + dup22, + ])); + + var msg536 = msg("SNMP_SUBAGENT_IPC_REG_ROWS", part567); + + var part568 = match("MESSAGE#532:SNMPD_ACCESS_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} access group %{group}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD ACCESS GROUP ERROR"), + dup22, + ])); + + var msg537 = msg("SNMPD_ACCESS_GROUP_ERROR", part568); + + var part569 = match("MESSAGE#533:SNMPD_AUTH_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to unknown community name (%{pool_name})", processor_chain([ + dup29, + dup21, + dup104, + setc("result","unauthorized SNMP community to unknown community name"), + dup22, + ])); + + var msg538 = msg("SNMPD_AUTH_FAILURE", part569); + + var part570 = match("MESSAGE#534:SNMPD_AUTH_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed input interface authorization from %{daddr->} to 
unknown (%{pool_name})", processor_chain([ + dup29, + dup21, + dup104, + setc("result","failed input interface authorization to unknown"), + dup22, + ])); + + var msg539 = msg("SNMPD_AUTH_FAILURE:01", part570); + + var part571 = match("MESSAGE#535:SNMPD_AUTH_FAILURE:02", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to %{saddr->} (%{pool_name})", processor_chain([ + dup29, + dup21, + dup104, + setc("result","unauthorized SNMP community "), + dup22, + ])); + + var msg540 = msg("SNMPD_AUTH_FAILURE:02", part571); + + var part572 = match("MESSAGE#595:SNMPD_AUTH_FAILURE:03", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} function-name=\"%{fld1}\" message=\"%{info}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" index1=\"%{fld4}\"]", processor_chain([ + dup29, + dup21, + dup104, + dup60, + dup61, + ])); + + var msg541 = msg("SNMPD_AUTH_FAILURE:03", part572); + + var select53 = linear_select([ + msg538, + msg539, + msg540, + msg541, + ]); + + var part573 = match("MESSAGE#536:SNMPD_AUTH_PRIVILEGES_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: request exceeded community privileges", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP request exceeded community privileges"), + dup22, + ])); + + var msg542 = msg("SNMPD_AUTH_PRIVILEGES_EXCEEDED", part573); + + var part574 = match("MESSAGE#537:SNMPD_AUTH_RESTRICTED_ADDRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: request from address %{daddr->} not allowed", processor_chain([ + dup47, + dup21, + setc("event_description","SNMPD AUTH RESTRICTED ADDRESS"), + setc("result","request not allowed"), + dup22, + ])); + + var msg543 = msg("SNMPD_AUTH_RESTRICTED_ADDRESS", part574); + + var part575 = match("MESSAGE#538:SNMPD_AUTH_WRONG_PDU_TYPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: 
%{saddr}: unauthorized SNMP PDU type: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","unauthorized SNMP PDU type"), + dup22, + ])); + + var msg544 = msg("SNMPD_AUTH_WRONG_PDU_TYPE", part575); + + var part576 = match("MESSAGE#539:SNMPD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration database has errors", processor_chain([ + dup29, + dup21, + setc("event_description","Configuration database has errors"), + dup22, + ])); + + var msg545 = msg("SNMPD_CONFIG_ERROR", part576); + + var part577 = match("MESSAGE#540:SNMPD_CONTEXT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} context %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD CONTEXT ERROR"), + dup22, + ])); + + var msg546 = msg("SNMPD_CONTEXT_ERROR", part577); + + var part578 = match("MESSAGE#541:SNMPD_ENGINE_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD ENGINE FILE FAILURE"), + dup22, + ])); + + var msg547 = msg("SNMPD_ENGINE_FILE_FAILURE", part578); + + var part579 = match("MESSAGE#542:SNMPD_ENGINE_PROCESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: from-path: undecodable/unmatched subagent response", processor_chain([ + dup29, + dup21, + setc("event_description"," from-path - SNMP undecodable/unmatched subagent response"), + dup22, + ])); + + var msg548 = msg("SNMPD_ENGINE_PROCESS_ERROR", part579); + + var part580 = match("MESSAGE#543:SNMPD_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: fopen %{dclass_counter2}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD FILE FAILURE"), + dup22, + ])); + + var msg549 = msg("SNMPD_FILE_FAILURE", part580); + + var 
part581 = match("MESSAGE#544:SNMPD_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} group: '%{group}' user '%{username}' model '%{version}'", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD GROUP ERROR"), + dup22, + ])); + + var msg550 = msg("SNMPD_GROUP_ERROR", part581); + + var part582 = match("MESSAGE#545:SNMPD_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: snmpd initialization failure: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","snmpd initialization failure"), + dup22, + ])); + + var msg551 = msg("SNMPD_INIT_FAILED", part582); + + var part583 = match("MESSAGE#546:SNMPD_LIBJUNIPER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system_default_inaddr: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","LIBJUNIPER FAILURE"), + dup22, + ])); + + var msg552 = msg("SNMPD_LIBJUNIPER_FAILURE", part583); + + var part584 = match("MESSAGE#547:SNMPD_LOOPBACK_ADDR_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","LOOPBACK ADDR ERROR"), + dup22, + ])); + + var msg553 = msg("SNMPD_LOOPBACK_ADDR_ERROR", part584); + + var part585 = match("MESSAGE#548:SNMPD_MEMORY_FREED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: called for freed - already freed", processor_chain([ + dup29, + dup21, + setc("event_description","duplicate memory free"), + dup22, + ])); + + var msg554 = msg("SNMPD_MEMORY_FREED", part585); + + var part586 = match("MESSAGE#549:SNMPD_RADIX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: radix_add failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","radix_add failed"), + dup22, + ])); + + var msg555 = msg("SNMPD_RADIX_FAILURE", part586); + + var part587 = 
match("MESSAGE#550:SNMPD_RECEIVE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: receive %{dclass_counter1->} failure: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD RECEIVE FAILURE"), + dup22, + ])); + + var msg556 = msg("SNMPD_RECEIVE_FAILURE", part587); + + var part588 = match("MESSAGE#551:SNMPD_RMONFILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RMONFILE FAILURE"), + dup22, + ])); + + var msg557 = msg("SNMPD_RMONFILE_FAILURE", part588); + + var part589 = match("MESSAGE#552:SNMPD_RMON_COOKIE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Null cookie", processor_chain([ + dup29, + dup21, + setc("event_description","Null cookie"), + dup22, + ])); + + var msg558 = msg("SNMPD_RMON_COOKIE", part589); + + var part590 = match("MESSAGE#553:SNMPD_RMON_EVENTLOG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","RMON EVENTLOG"), + dup22, + ])); + + var msg559 = msg("SNMPD_RMON_EVENTLOG", part590); + + var part591 = match("MESSAGE#554:SNMPD_RMON_IOERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Received io error, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Received io error"), + dup22, + ])); + + var msg560 = msg("SNMPD_RMON_IOERROR", part591); + + var part592 = match("MESSAGE#555:SNMPD_RMON_MIBERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: internal Get request error: description, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","internal Get request error"), + dup22, + ])); + + var msg561 = msg("SNMPD_RMON_MIBERROR", part592); + + var part593 = match("MESSAGE#556:SNMPD_RTSLIB_ASYNC_EVENT", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: sequence mismatch %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","sequence mismatch"), + dup22, + ])); + + var msg562 = msg("SNMPD_RTSLIB_ASYNC_EVENT", part593); + + var part594 = match("MESSAGE#557:SNMPD_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send send-type (index1) failure: %{result}", processor_chain([ + dup29, + dup21, + dup105, + dup22, + ])); + + var msg563 = msg("SNMPD_SEND_FAILURE", part594); + + var part595 = match("MESSAGE#558:SNMPD_SEND_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send to (%{saddr}) failure: %{result}", processor_chain([ + dup29, + dup21, + dup105, + dup22, + ])); + + var msg564 = msg("SNMPD_SEND_FAILURE:01", part595); + + var select54 = linear_select([ + msg563, + msg564, + ]); + + var part596 = match("MESSAGE#559:SNMPD_SOCKET_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket failure: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD SOCKET FAILURE"), + dup22, + ])); + + var msg565 = msg("SNMPD_SOCKET_FAILURE", part596); + + var part597 = match("MESSAGE#560:SNMPD_SUBAGENT_NO_BUFFERS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No buffers available for subagent (%{agent})", processor_chain([ + dup29, + dup21, + setc("event_description","No buffers available for subagent"), + dup22, + ])); + + var msg566 = msg("SNMPD_SUBAGENT_NO_BUFFERS", part597); + + var part598 = match("MESSAGE#561:SNMPD_SUBAGENT_SEND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Send to subagent failed (%{agent}): %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Send to subagent failed"), + dup22, + ])); + + var msg567 = msg("SNMPD_SUBAGENT_SEND_FAILED", part598); + + var part599 = match("MESSAGE#562:SNMPD_SYSLIB_FAILURE", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system function '%{dclass_counter1}' failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","system function failed"), + dup22, + ])); + + var msg568 = msg("SNMPD_SYSLIB_FAILURE", part599); + + var part600 = match("MESSAGE#563:SNMPD_THROTTLE_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: cleared all throttled traps", processor_chain([ + dup20, + dup21, + setc("event_description","cleared all throttled traps"), + dup22, + ])); + + var msg569 = msg("SNMPD_THROTTLE_QUEUE_DRAINED", part600); + + var part601 = match("MESSAGE#564:SNMPD_TRAP_COLD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: cold start", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP trap: cold start"), + dup22, + ])); + + var msg570 = msg("SNMPD_TRAP_COLD_START", part601); + + var part602 = match("MESSAGE#565:SNMPD_TRAP_GEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{resultcode->} (%{result})", processor_chain([ + dup29, + dup21, + dup106, + dup22, + ])); + + var msg571 = msg("SNMPD_TRAP_GEN_FAILURE", part602); + + var part603 = match("MESSAGE#566:SNMPD_TRAP_GEN_FAILURE2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{dclass_counter2->} %{result}", processor_chain([ + dup29, + dup21, + dup106, + dup22, + ])); + + var msg572 = msg("SNMPD_TRAP_GEN_FAILURE2", part603); + + var part604 = match("MESSAGE#567:SNMPD_TRAP_INVALID_DATA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{result->} (%{dclass_counter2}) received", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD TRAP INVALID DATA"), + dup22, + ])); + + var msg573 = msg("SNMPD_TRAP_INVALID_DATA", part604); + + var part605 = match("MESSAGE#568:SNMPD_TRAP_NOT_ENOUGH_VARBINDS", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{info->} (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD TRAP ERROR"), + dup22, + ])); + + var msg574 = msg("SNMPD_TRAP_NOT_ENOUGH_VARBINDS", part605); + + var part606 = match("MESSAGE#569:SNMPD_TRAP_QUEUED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Adding trap to %{dclass_counter2->} to %{obj_name->} queue, %{dclass_counter1->} traps in queue", processor_chain([ + dup20, + dup21, + setc("event_description","Adding trap to queue"), + dup22, + ])); + + var msg575 = msg("SNMPD_TRAP_QUEUED", part606); + + var part607 = match("MESSAGE#570:SNMPD_TRAP_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps queued to %{obj_name->} sent successfully", processor_chain([ + dup20, + dup21, + setc("event_description","traps queued - sent successfully"), + dup22, + ])); + + var msg576 = msg("SNMPD_TRAP_QUEUE_DRAINED", part607); + + var part608 = match("MESSAGE#571:SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: after %{dclass_counter1->} attempts, deleting %{dclass_counter2->} traps queued to %{obj_name}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD TRAP QUEUE MAX_ATTEMPTS - deleting some traps"), + dup22, + ])); + + var msg577 = msg("SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", part608); + + var part609 = match("MESSAGE#572:SNMPD_TRAP_QUEUE_MAX_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: maximum queue size exceeded (%{dclass_counter1}), discarding trap to %{dclass_counter2->} from %{obj_name->} queue", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP TRAP maximum queue size exceeded"), + dup22, + ])); + + var msg578 = msg("SNMPD_TRAP_QUEUE_MAX_SIZE", part609); + + var part610 = match("MESSAGE#573:SNMPD_TRAP_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: %{agent}: traps throttled after %{dclass_counter1->} traps", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP traps throttled"), + dup22, + ])); + + var msg579 = msg("SNMPD_TRAP_THROTTLED", part610); + + var part611 = match("MESSAGE#574:SNMPD_TRAP_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unknown trap type requested (%{obj_type->} )", processor_chain([ + dup29, + dup21, + setc("event_description","unknown SNMP trap type requested"), + dup22, + ])); + + var msg580 = msg("SNMPD_TRAP_TYPE_ERROR", part611); + + var part612 = match("MESSAGE#575:SNMPD_TRAP_VARBIND_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: expecting %{dclass_counter1->} varbind to be VT_NUMBER (%{resultcode->} )", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD TRAP VARBIND TYPE ERROR"), + dup22, + ])); + + var msg581 = msg("SNMPD_TRAP_VARBIND_TYPE_ERROR", part612); + + var part613 = match("MESSAGE#576:SNMPD_TRAP_VERSION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: invalid version signature (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD TRAP ERROR - invalid version signature"), + dup22, + ])); + + var msg582 = msg("SNMPD_TRAP_VERSION_ERROR", part613); + + var part614 = match("MESSAGE#577:SNMPD_TRAP_WARM_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: warm start", processor_chain([ + dup20, + dup21, + setc("event_description","SNMPD TRAP WARM START"), + dup22, + ])); + + var msg583 = msg("SNMPD_TRAP_WARM_START", part614); + + var part615 = match("MESSAGE#578:SNMPD_USER_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} user '%{username}' %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD USER ERROR"), + dup22, + 
])); + + var msg584 = msg("SNMPD_USER_ERROR", part615); + + var part616 = match("MESSAGE#579:SNMPD_VIEW_DELETE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: deleting view %{dclass_counter2->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP deleting view"), + dup22, + ])); + + var msg585 = msg("SNMPD_VIEW_DELETE", part616); + + var part617 = match("MESSAGE#580:SNMPD_VIEW_INSTALL_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} installing default %{dclass_counter1->} view %{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","installing default SNMP view"), + dup22, + ])); + + var msg586 = msg("SNMPD_VIEW_INSTALL_DEFAULT", part617); + + var part618 = match("MESSAGE#581:SNMPD_VIEW_OID_PARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: oid parsing failed for view %{dclass_counter2->} oid %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","oid parsing failed for SNMP view"), + dup22, + ])); + + var msg587 = msg("SNMPD_VIEW_OID_PARSE", part618); + + var part619 = match("MESSAGE#582:SNMP_GET_ERROR1", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP_GET_ERROR 1"), + dup22, + ])); + + var msg588 = msg("SNMP_GET_ERROR1", part619); + + var part620 = match("MESSAGE#583:SNMP_GET_ERROR2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP GET ERROR 2"), + dup22, + ])); + + var msg589 = msg("SNMP_GET_ERROR2", part620); + + var part621 = match("MESSAGE#584:SNMP_GET_ERROR3", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for 
%{dclass_counter2->} : %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP GET ERROR 3"), + dup22, + ])); + + var msg590 = msg("SNMP_GET_ERROR3", part621); + + var part622 = match("MESSAGE#585:SNMP_GET_ERROR4", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP GET ERROR 4"), + dup22, + ])); + + var msg591 = msg("SNMP_GET_ERROR4", part622); + + var part623 = match("MESSAGE#586:SNMP_RTSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: rtslib-error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP RTSLIB FAILURE"), + dup22, + ])); + + var msg592 = msg("SNMP_RTSLIB_FAILURE", part623); + + var part624 = match("MESSAGE#587:SNMP_TRAP_LINK_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ + dup29, + dup21, + dup107, + dup22, + ])); + + var msg593 = msg("SNMP_TRAP_LINK_DOWN", part624); + + var part625 = match("MESSAGE#596:SNMP_TRAP_LINK_DOWN:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{fld2}\" interface-name=\"%{interface}\"]", processor_chain([ + dup29, + dup21, + dup107, + dup60, + dup61, + ])); + + var msg594 = msg("SNMP_TRAP_LINK_DOWN:01", part625); + + var select55 = linear_select([ + msg593, + msg594, + ]); + + var part626 = match("MESSAGE#588:SNMP_TRAP_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ + dup20, + dup21, + dup108, + dup22, + ])); + + var msg595 = msg("SNMP_TRAP_LINK_UP", part626); + + var 
part627 = match("MESSAGE#597:SNMP_TRAP_LINK_UP:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{event_state}\" interface-name=\"%{interface}\"]", processor_chain([ + dup20, + dup21, + dup108, + dup60, + dup61, + ])); + + var msg596 = msg("SNMP_TRAP_LINK_UP:01", part627); + + var select56 = linear_select([ + msg595, + msg596, + ]); + + var part628 = match("MESSAGE#589:SNMP_TRAP_PING_PROBE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP TRAP PING PROBE FAILED"), + dup22, + ])); + + var msg597 = msg("SNMP_TRAP_PING_PROBE_FAILED", part628); + + var part629 = match("MESSAGE#590:SNMP_TRAP_PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP TRAP PING TEST COMPLETED"), + dup22, + ])); + + var msg598 = msg("SNMP_TRAP_PING_TEST_COMPLETED", part629); + + var part630 = match("MESSAGE#591:SNMP_TRAP_PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP TRAP PING TEST FAILED"), + dup22, + ])); + + var msg599 = msg("SNMP_TRAP_PING_TEST_FAILED", part630); + + var part631 = match("MESSAGE#592:SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP TRAP TRACE ROUTE PATH CHANGE"), + dup22, + ])); + + var msg600 = msg("SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", part631); + + var 
part632 = match("MESSAGE#593:SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP TRAP TRACE ROUTE TEST COMPLETED"), + dup22, + ])); + + var msg601 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", part632); + + var part633 = match("MESSAGE#594:SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP TRAP TRACE ROUTE TEST FAILED"), + dup22, + ])); + + var msg602 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", part633); + + var part634 = match("MESSAGE#598:SSHD_LOGIN_FAILED", "nwparser.payload", "%{process}: %{event_type}: Login failed for user '%{username}' from host '%{saddr}'", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup109, + dup22, + ])); + + var msg603 = msg("SSHD_LOGIN_FAILED", part634); + + var part635 = match("MESSAGE#599:SSHD_LOGIN_FAILED:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} username=\"%{username}\" source-address=\"%{saddr}\"]", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup109, + dup60, + dup51, + setf("process","hfld33"), + ])); + + var msg604 = msg("SSHD_LOGIN_FAILED:01", part635); + + var select57 = linear_select([ + msg603, + msg604, + ]); + + var part636 = match("MESSAGE#600:task_connect", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: task %{agent->} addr %{daddr}+%{dport}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","task connect failure"), + dup22, + ])); + + var msg605 = msg("task_connect", part636); + + var msg606 = msg("TASK_TASK_REINIT", dup146); + + var part637 = match("MESSAGE#602:TFTPD_AF_ERR", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Unexpected address family %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Unexpected address family"), + dup22, + ])); + + var msg607 = msg("TFTPD_AF_ERR", part637); + + var part638 = match("MESSAGE#603:TFTPD_BIND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: bind: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD BIND ERROR"), + dup22, + ])); + + var msg608 = msg("TFTPD_BIND_ERR", part638); + + var part639 = match("MESSAGE#604:TFTPD_CONNECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD CONNECT ERROR"), + dup22, + ])); + + var msg609 = msg("TFTPD_CONNECT_ERR", part639); + + var part640 = match("MESSAGE#605:TFTPD_CONNECT_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TFTP %{protocol->} from address %{daddr->} port %{dport->} file %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","TFTPD CONNECT INFO"), + dup22, + ])); + + var msg610 = msg("TFTPD_CONNECT_INFO", part640); + + var part641 = match("MESSAGE#606:TFTPD_CREATE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: check_space %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD CREATE ERROR"), + dup22, + ])); + + var msg611 = msg("TFTPD_CREATE_ERR", part641); + + var part642 = match("MESSAGE#607:TFTPD_FIO_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD FIO ERR"), + dup22, + ])); + + var msg612 = msg("TFTPD_FIO_ERR", part642); + + var part643 = match("MESSAGE#608:TFTPD_FORK_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fork: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD FORK ERROR"), + dup22, + ])); + + 
var msg613 = msg("TFTPD_FORK_ERR", part643); + + var part644 = match("MESSAGE#609:TFTPD_NAK_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: nak error %{resultcode}, %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD NAK ERROR"), + dup22, + ])); + + var msg614 = msg("TFTPD_NAK_ERR", part644); + + var part645 = match("MESSAGE#610:TFTPD_OPEN_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)', error: %{result}", processor_chain([ + dup29, + dup21, + dup77, + dup22, + ])); + + var msg615 = msg("TFTPD_OPEN_ERR", part645); + + var part646 = match("MESSAGE#611:TFTPD_RECVCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received %{dclass_counter1->} blocks of %{dclass_counter2->} size for file '%(unknown)'", processor_chain([ + dup20, + dup21, + setc("event_description","TFTPD RECVCOMPLETE INFO"), + dup22, + ])); + + var msg616 = msg("TFTPD_RECVCOMPLETE_INFO", part646); + + var part647 = match("MESSAGE#612:TFTPD_RECVFROM_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recvfrom: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD RECVFROM ERROR"), + dup22, + ])); + + var msg617 = msg("TFTPD_RECVFROM_ERR", part647); + + var part648 = match("MESSAGE#613:TFTPD_RECV_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recv: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD RECV ERROR"), + dup22, + ])); + + var msg618 = msg("TFTPD_RECV_ERR", part648); + + var part649 = match("MESSAGE#614:TFTPD_SENDCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Sent %{dclass_counter1->} blocks of %{dclass_counter2->} and %{info->} for file '%(unknown)'", processor_chain([ + dup20, + dup21, + setc("event_description","TFTPD SENDCOMPLETE INFO"), + dup22, + ])); + + var msg619 = msg("TFTPD_SENDCOMPLETE_INFO", part649); + + var 
part650 = match("MESSAGE#615:TFTPD_SEND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: send: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD SEND ERROR"), + dup22, + ])); + + var msg620 = msg("TFTPD_SEND_ERR", part650); + + var part651 = match("MESSAGE#616:TFTPD_SOCKET_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: socket: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD SOCKET ERROR"), + dup22, + ])); + + var msg621 = msg("TFTPD_SOCKET_ERR", part651); + + var part652 = match("MESSAGE#617:TFTPD_STATFS_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: statfs %{agent}, error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD STATFS ERROR"), + dup22, + ])); + + var msg622 = msg("TFTPD_STATFS_ERR", part652); + + var part653 = match("MESSAGE#618:TNP", "nwparser.payload", "%{process}: %{event_type}: adding neighbor %{dclass_counter1->} to interface %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","adding neighbor to interface"), + dup22, + ])); + + var msg623 = msg("TNP", part653); + + var part654 = match("MESSAGE#619:trace_on", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: tracing to %{fld33->} started", processor_chain([ + dup20, + dup21, + setc("event_description","tracing to file"), + dup22, + call({ + dest: "nwparser.filename", + fn: RMQ, + args: [ + field("fld33"), + ], + }), + ])); + + var msg624 = msg("trace_on", part654); + + var part655 = match("MESSAGE#620:trace_rotate", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rotating %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","trace rotating file"), + dup22, + ])); + + var msg625 = msg("trace_rotate", part655); + + var part656 = match("MESSAGE#621:transfer-file", "nwparser.payload", "%{process}: %{event_type}: Transferred %(unknown)", processor_chain([ + dup20, + 
dup21, + setc("event_description","transfered file"), + dup22, + ])); + + var msg626 = msg("transfer-file", part656); + + var part657 = match("MESSAGE#622:ttloop", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer died: %{result}: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","ttloop - peer died"), + dup22, + ])); + + var msg627 = msg("ttloop", part657); + + var part658 = match("MESSAGE#623:UI_AUTH_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated user '%{username}' at permission level '%{privilege}'", processor_chain([ + dup79, + dup33, + dup34, + dup36, + dup21, + setc("event_description","Authenticated user"), + dup22, + ])); + + var msg628 = msg("UI_AUTH_EVENT", part658); + + var part659 = match("MESSAGE#624:UI_AUTH_INVALID_CHALLENGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received invalid authentication challenge for user '%{username}': response", processor_chain([ + dup29, + dup21, + setc("event_description","Received invalid authentication challenge for user response"), + dup22, + ])); + + var msg629 = msg("UI_AUTH_INVALID_CHALLENGE", part659); + + var part660 = match("MESSAGE#625:UI_BOOTTIME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch boot time: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to fetch boot time"), + dup22, + ])); + + var msg630 = msg("UI_BOOTTIME_FAILED", part660); + + var part661 = match("MESSAGE#626:UI_CFG_AUDIT_NEW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} path unknown", processor_chain([ + dup29, + dup21, + setc("event_description","user path unknown"), + dup22, + ])); + + var msg631 = msg("UI_CFG_AUDIT_NEW", part661); + + var part662 = match("MESSAGE#627:UI_CFG_AUDIT_NEW:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' insert: [edit-config config 
%{filename->} security policies %{policyname}] %{info}", processor_chain([ + dup41, + dup21, + setc("event_description"," user Inserted Security Policies in config"), + dup22, + ])); + + var msg632 = msg("UI_CFG_AUDIT_NEW:01", part662); + + var select58 = linear_select([ + msg631, + msg632, + ]); + + var part663 = match("MESSAGE#628:UI_CFG_AUDIT_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' delete: [%(unknown)]", processor_chain([ + dup20, + dup21, + setc("event_description","User deleted file"), + setc("action","delete"), + dup22, + ])); + + var msg633 = msg("UI_CFG_AUDIT_OTHER", part663); + + var part664 = match("MESSAGE#629:UI_CFG_AUDIT_OTHER:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' rollback: %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","User rollback file"), + dup22, + ])); + + var msg634 = msg("UI_CFG_AUDIT_OTHER:01", part664); + + var part665 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_0", "nwparser.p0", "\"%{info}\" "); + + var part666 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "%{space->} "); + + var select59 = linear_select([ + part665, + part666, + ]); + + var all31 = all_match({ + processors: [ + dup110, + select59, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","User set"), + dup22, + ]), + }); + + var msg635 = msg("UI_CFG_AUDIT_OTHER:02", all31); + + var part667 = match("MESSAGE#631:UI_CFG_AUDIT_OTHER:03", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}]", processor_chain([ + dup20, + dup21, + setc("event_description","User config replace"), + setc("action","replace"), + dup22, + ])); + + var msg636 = msg("UI_CFG_AUDIT_OTHER:03", part667); + + var part668 = match("MESSAGE#632:UI_CFG_AUDIT_OTHER:04", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' 
deactivate: [groups %{info}]", processor_chain([ + setc("eventcategory","1701070000"), + dup21, + setc("event_description","User deactivating group(s)"), + setc("action","deactivate"), + dup22, + ])); + + var msg637 = msg("UI_CFG_AUDIT_OTHER:04", part668); + + var part669 = match("MESSAGE#633:UI_CFG_AUDIT_OTHER:05", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' update: %(unknown)", processor_chain([ + dup111, + dup21, + setc("event_description","User updates config file"), + setc("action","update"), + dup22, + ])); + + var msg638 = msg("UI_CFG_AUDIT_OTHER:05", part669); + + var select60 = linear_select([ + msg633, + msg634, + msg635, + msg636, + msg637, + msg638, + ]); + + var part670 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_0", "nwparser.p0", "\"%{change_old}\" %{p0}"); + + var select61 = linear_select([ + part670, + dup112, + ]); + + var all32 = all_match({ + processors: [ + dup110, + select61, + dup113, + ], + on_success: processor_chain([ + dup20, + dup21, + dup114, + dup22, + ]), + }); + + var msg639 = msg("UI_CFG_AUDIT_SET:01", all32); + + var part671 = match("MESSAGE#635:UI_CFG_AUDIT_SET:02/1_0", "nwparser.p0", "\"%{change_old->} %{p0}"); + + var select62 = linear_select([ + part671, + dup112, + ]); + + var all33 = all_match({ + processors: [ + dup110, + select62, + dup113, + ], + on_success: processor_chain([ + dup20, + dup21, + dup114, + dup22, + ]), + }); + + var msg640 = msg("UI_CFG_AUDIT_SET:02", all33); + + var part672 = match("MESSAGE#636:UI_CFG_AUDIT_SET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}] \u003c\u003c%{disposition}> -> \"%{agent}\"", processor_chain([ + dup20, + dup21, + setc("event_description","User replace config application(s)"), + dup22, + ])); + + var msg641 = msg("UI_CFG_AUDIT_SET", part672); + + var select63 = linear_select([ + msg639, + msg640, + msg641, + ]); + + var part673 = 
match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/2", "nwparser.p0", ": [groups %{info->} secret]"); + + var all34 = all_match({ + processors: [ + dup115, + dup153, + part673, + ], + on_success: processor_chain([ + dup111, + dup21, + dup118, + dup22, + ]), + }); + + var msg642 = msg("UI_CFG_AUDIT_SET_SECRET:01", all34); + + var part674 = match("MESSAGE#638:UI_CFG_AUDIT_SET_SECRET:02/2", "nwparser.p0", ": [%{info}]"); + + var all35 = all_match({ + processors: [ + dup115, + dup153, + part674, + ], + on_success: processor_chain([ + dup111, + dup21, + dup118, + dup22, + ]), + }); + + var msg643 = msg("UI_CFG_AUDIT_SET_SECRET:02", all35); + + var part675 = match("MESSAGE#639:UI_CFG_AUDIT_SET_SECRET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} %{directory}", processor_chain([ + dup20, + dup21, + setc("event_description","UI CFG AUDIT SET SECRET"), + dup22, + ])); + + var msg644 = msg("UI_CFG_AUDIT_SET_SECRET", part675); + + var select64 = linear_select([ + msg642, + msg643, + msg644, + ]); + + var part676 = match("MESSAGE#640:UI_CHILD_ARGS_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many arguments for child process '%{agent}'", processor_chain([ + dup29, + dup21, + setc("event_description","Too many arguments for child process"), + dup22, + ])); + + var msg645 = msg("UI_CHILD_ARGS_EXCEEDED", part676); + + var part677 = match("MESSAGE#641:UI_CHILD_CHANGE_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to switch to local user: %{username}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to switch to local user"), + dup22, + ])); + + var msg646 = msg("UI_CHILD_CHANGE_USER", part677); + + var part678 = match("MESSAGE#642:UI_CHILD_EXEC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Child exec 
failed"), + dup22, + ])); + + var msg647 = msg("UI_CHILD_EXEC", part678); + + var part679 = match("MESSAGE#643:UI_CHILD_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exited: PID %{child_pid}, status %{result}, command '%{action}'", processor_chain([ + dup29, + dup21, + setc("event_description","Child exited"), + dup22, + ])); + + var msg648 = msg("UI_CHILD_EXITED", part679); + + var part680 = match("MESSAGE#644:UI_CHILD_FOPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to append to log '%(unknown)': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to append to log"), + dup22, + ])); + + var msg649 = msg("UI_CHILD_FOPEN", part680); + + var part681 = match("MESSAGE#645:UI_CHILD_PIPE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipe for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to create pipe for command"), + dup22, + ])); + + var msg650 = msg("UI_CHILD_PIPE_FAILED", part681); + + var part682 = match("MESSAGE#646:UI_CHILD_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child received signal: PID %{child_pid}, signal %{result}: %{resultcode}, command='%{action}'", processor_chain([ + dup20, + dup21, + dup60, + setc("event_description","Child received signal"), + dup22, + ])); + + var msg651 = msg("UI_CHILD_SIGNALED", part682); + + var part683 = match("MESSAGE#647:UI_CHILD_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child stopped: PID %{child_pid}, signal=%{resultcode->} command='%{action}')", processor_chain([ + dup20, + dup21, + setc("event_description","Child stopped"), + dup22, + ])); + + var msg652 = msg("UI_CHILD_STOPPED", part683); + + var part684 = match("MESSAGE#648:UI_CHILD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Starting child '%{agent}'", processor_chain([ + dup20, + dup21, + 
setc("event_description","Starting child"), + dup22, + ])); + + var msg653 = msg("UI_CHILD_START", part684); + + var part685 = match("MESSAGE#649:UI_CHILD_STATUS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cleanup child '%{agent}', PID %{child_pid}, status %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Cleanup child"), + dup22, + ])); + + var msg654 = msg("UI_CHILD_STATUS", part685); + + var part686 = match("MESSAGE#650:UI_CHILD_WAITPID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: waitpid failed: PID %{child_pid}, rc %{dclass_counter2}, status %{resultcode}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","waitpid failed"), + dup22, + ])); + + var msg655 = msg("UI_CHILD_WAITPID", part686); + + var part687 = match("MESSAGE#651:UI_CLI_IDLE_TIMEOUT", "nwparser.payload", "%{event_type}: Idle timeout for user '%{username}' exceeded and %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Idle timeout for user exceeded"), + dup22, + ])); + + var msg656 = msg("UI_CLI_IDLE_TIMEOUT", part687); + + var part688 = match("MESSAGE#652:UI_CMDLINE_READ_LINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}', command '%{action}'", processor_chain([ + dup20, + dup21, + dup119, + dup22, + ])); + + var msg657 = msg("UI_CMDLINE_READ_LINE", part688); + + var part689 = match("MESSAGE#653:UI_CMDSET_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command execution failed for '%{agent}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Command execution failed"), + dup22, + ])); + + var msg658 = msg("UI_CMDSET_EXEC_FAILED", part689); + + var part690 = match("MESSAGE#654:UI_CMDSET_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork command '%{agent}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to fork 
command"), + dup22, + ])); + + var msg659 = msg("UI_CMDSET_FORK_FAILED", part690); + + var msg660 = msg("UI_CMDSET_PIPE_FAILED", dup141); + + var part691 = match("MESSAGE#656:UI_CMDSET_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal '%{resultcode}, command '%{action}'", processor_chain([ + dup29, + dup21, + dup69, + dup22, + ])); + + var msg661 = msg("UI_CMDSET_STOPPED", part691); + + var part692 = match("MESSAGE#657:UI_CMDSET_WEXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{resultcode}, command '%{action}'", processor_chain([ + dup29, + dup21, + dup71, + dup22, + ])); + + var msg662 = msg("UI_CMDSET_WEXITED", part692); + + var part693 = match("MESSAGE#658:UI_CMD_AUTH_REGEX_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid '%{action}' command authorization regular expression '%{agent}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Invalid regexp command"), + dup22, + ])); + + var msg663 = msg("UI_CMD_AUTH_REGEX_INVALID", part693); + + var part694 = match("MESSAGE#659:UI_COMMIT/1_0", "nwparser.p0", "requested '%{action}' operation (comment:%{info}) "); + + var part695 = match("MESSAGE#659:UI_COMMIT/1_1", "nwparser.p0", "performed %{action->} "); + + var select65 = linear_select([ + part694, + part695, + ]); + + var all36 = all_match({ + processors: [ + dup115, + select65, + ], + on_success: processor_chain([ + dup20, + dup21, + dup120, + dup22, + ]), + }); + + var msg664 = msg("UI_COMMIT", all36); + + var part696 = match("MESSAGE#660:UI_COMMIT_AT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{result}", processor_chain([ + dup20, + dup21, + dup120, + dup22, + ])); + + var msg665 = msg("UI_COMMIT_AT", part696); + + var part697 = match("MESSAGE#661:UI_COMMIT_AT_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: '%{agent}' was successful", processor_chain([ + dup20, + dup21, + setc("event_description","User commit successful"), + dup22, + ])); + + var msg666 = msg("UI_COMMIT_AT_COMPLETED", part697); + + var part698 = match("MESSAGE#662:UI_COMMIT_AT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, %{info}", processor_chain([ + dup29, + dup21, + setc("event_description","User commit failed"), + dup22, + ])); + + var msg667 = msg("UI_COMMIT_AT_FAILED", part698); + + var part699 = match("MESSAGE#663:UI_COMMIT_COMPRESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to compress file %(unknown)'", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to compress file"), + dup22, + ])); + + var msg668 = msg("UI_COMMIT_COMPRESS_FAILED", part699); + + var part700 = match("MESSAGE#664:UI_COMMIT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed '%{action}'", processor_chain([ + dup20, + dup21, + setc("event_description","UI COMMIT CONFIRMED"), + dup22, + ])); + + var msg669 = msg("UI_COMMIT_CONFIRMED", part700); + + var part701 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{action}' must be confirmed within %{p0}"); + + var part702 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_0", "nwparser.p0", "minutes %{dclass_counter1->} "); + + var part703 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_1", "nwparser.p0", "%{dclass_counter1->} minutes "); + + var select66 = linear_select([ + part702, + part703, + ]); + + var all37 = all_match({ + processors: [ + part701, + select66, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","COMMIT must be confirmed within # minutes"), + dup22, + ]), + }); + + var msg670 = msg("UI_COMMIT_CONFIRMED_REMINDER", all37); + + var part704 = match("MESSAGE#666:UI_COMMIT_CONFIRMED_TIMED/2", 
"nwparser.p0", "%{}'%{username}' performed '%{action}'"); + + var all38 = all_match({ + processors: [ + dup49, + dup142, + part704, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","user performed commit confirm"), + dup22, + ]), + }); + + var msg671 = msg("UI_COMMIT_CONFIRMED_TIMED", all38); + + var part705 = match("MESSAGE#667:UI_COMMIT_EMPTY_CONTAINER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Skipped empty object %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Skipped empty object"), + dup22, + ])); + + var msg672 = msg("UI_COMMIT_EMPTY_CONTAINER", part705); + + var part706 = match("MESSAGE#668:UI_COMMIT_NOT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commit was not confirmed; %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","COMMIT NOT CONFIRMED"), + dup22, + ])); + + var msg673 = msg("UI_COMMIT_NOT_CONFIRMED", part706); + + var part707 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_0", "nwparser.p0", "commit %{p0}"); + + var part708 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_1", "nwparser.p0", "Commit operation in progress %{p0}"); + + var select67 = linear_select([ + part707, + part708, + ]); + + var part709 = match("MESSAGE#669:UI_COMMIT_PROGRESS/2", "nwparser.p0", ": %{action}"); + + var all39 = all_match({ + processors: [ + dup49, + select67, + part709, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","Commit operation in progress"), + dup22, + ]), + }); + + var msg674 = msg("UI_COMMIT_PROGRESS", all39); + + var part710 = match("MESSAGE#670:UI_COMMIT_QUIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","COMMIT QUIT"), + dup22, + ])); + + var msg675 = msg("UI_COMMIT_QUIT", part710); + + var part711 = match("MESSAGE#671:UI_COMMIT_ROLLBACK_FAILED", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Automatic rollback failed", processor_chain([ + dup29, + dup21, + setc("event_description","Automatic rollback failed"), + dup22, + ])); + + var msg676 = msg("UI_COMMIT_ROLLBACK_FAILED", part711); + + var part712 = match("MESSAGE#672:UI_COMMIT_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","COMMIT SYNC"), + dup22, + ])); + + var msg677 = msg("UI_COMMIT_SYNC", part712); + + var part713 = match("MESSAGE#673:UI_COMMIT_SYNC_FORCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: All logins to local configuration database were terminated because %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","All logins to local configuration database were terminated"), + dup22, + ])); + + var msg678 = msg("UI_COMMIT_SYNC_FORCE", part713); + + var part714 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process: %{agent}, path: %{p0}"); + + var part715 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_0", "nwparser.p0", "[%(unknown)], %{p0}"); + + var part716 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_1", "nwparser.p0", "%(unknown), %{p0}"); + + var select68 = linear_select([ + part715, + part716, + ]); + + var part717 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/2", "nwparser.p0", "%{}statement: %{info->} %{p0}"); + + var part718 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/3_0", "nwparser.p0", ", error: %{result->} "); + + var part719 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/3_1", "nwparser.p0", "%{space}"); + + var select69 = linear_select([ + part718, + part719, + ]); + + var all40 = all_match({ + processors: [ + part714, + select68, + part717, + select69, + ], + on_success: processor_chain([ + dup29, + dup21, + setc("event_description","CONFIGURATION ERROR"), + dup22, + ]), + }); + + var msg679 = 
msg("UI_CONFIGURATION_ERROR", all40); + + var part720 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/2", "nwparser.p0", "%{}socket connection accept failed: %{result}"); + + var all41 = all_match({ + processors: [ + dup49, + dup154, + part720, + ], + on_success: processor_chain([ + dup29, + dup21, + setc("event_description","socket connection accept failed"), + dup22, + ]), + }); + + var msg680 = msg("UI_DAEMON_ACCEPT_FAILED", all41); + + var part721 = match("MESSAGE#676:UI_DAEMON_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create session child: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to create session child"), + dup22, + ])); + + var msg681 = msg("UI_DAEMON_FORK_FAILED", part721); + + var part722 = match("MESSAGE#677:UI_DAEMON_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","DAEMON SELECT FAILED"), + dup22, + ])); + + var msg682 = msg("UI_DAEMON_SELECT_FAILED", part722); + + var part723 = match("MESSAGE#678:UI_DAEMON_SOCKET_FAILED/2", "nwparser.p0", "%{}socket create failed: %{result}"); + + var all42 = all_match({ + processors: [ + dup49, + dup154, + part723, + ], + on_success: processor_chain([ + dup29, + dup21, + setc("event_description","socket create failed"), + dup22, + ]), + }); + + var msg683 = msg("UI_DAEMON_SOCKET_FAILED", all42); + + var part724 = match("MESSAGE#679:UI_DBASE_ACCESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to reaccess database file '%(unknown)', address %{interface}, size %{dclass_counter1}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to reaccess database file"), + dup22, + ])); + + var msg684 = msg("UI_DBASE_ACCESS_FAILED", part724); + + var part725 = match("MESSAGE#680:UI_DBASE_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
Database '%(unknown)' is out of data and needs to be rebuilt", processor_chain([ + dup29, + dup21, + setc("event_description","Database is out of data"), + dup22, + ])); + + var msg685 = msg("UI_DBASE_CHECKOUT_FAILED", part725); + + var part726 = match("MESSAGE#681:UI_DBASE_EXTEND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to extend database file '%(unknown)' to size %{dclass_counter1}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to extend database file"), + dup22, + ])); + + var msg686 = msg("UI_DBASE_EXTEND_FAILED", part726); + + var part727 = match("MESSAGE#682:UI_DBASE_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' entering configuration mode", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","User entering configuration mode"), + dup22, + ])); + + var msg687 = msg("UI_DBASE_LOGIN_EVENT", part727); + + var part728 = match("MESSAGE#683:UI_DBASE_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{event_description}", processor_chain([ + dup123, + dup33, + dup34, + dup124, + dup36, + dup21, + setc("event_description","User exiting configuration mode"), + dup22, + ])); + + var msg688 = msg("UI_DBASE_LOGOUT_EVENT", part728); + + var part729 = match("MESSAGE#684:UI_DBASE_MISMATCH_EXTENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header extent mismatch for file '%{agent}': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Database header extent mismatch"), + dup22, + ])); + + var msg689 = msg("UI_DBASE_MISMATCH_EXTENT", part729); + + var part730 = match("MESSAGE#685:UI_DBASE_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header major version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, 
got %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Database header major version number mismatch"), + dup22, + ])); + + var msg690 = msg("UI_DBASE_MISMATCH_MAJOR", part730); + + var part731 = match("MESSAGE#686:UI_DBASE_MISMATCH_MINOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header minor version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Database header minor version number mismatch"), + dup22, + ])); + + var msg691 = msg("UI_DBASE_MISMATCH_MINOR", part731); + + var part732 = match("MESSAGE#687:UI_DBASE_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header sequence numbers mismatch for file '%(unknown)'", processor_chain([ + dup29, + dup21, + setc("event_description","Database header sequence numbers mismatch"), + dup22, + ])); + + var msg692 = msg("UI_DBASE_MISMATCH_SEQUENCE", part732); + + var part733 = match("MESSAGE#688:UI_DBASE_MISMATCH_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header size mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Database header size mismatch"), + dup22, + ])); + + var msg693 = msg("UI_DBASE_MISMATCH_SIZE", part733); + + var part734 = match("MESSAGE#689:UI_DBASE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database open failed for file '%(unknown)': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Database open failed"), + dup22, + ])); + + var msg694 = msg("UI_DBASE_OPEN_FAILED", part734); + + var part735 = match("MESSAGE#690:UI_DBASE_REBUILD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} Automatic rebuild of the database '%(unknown)' failed", processor_chain([ + 
dup29, + dup21, + setc("event_description","DBASE REBUILD FAILED"), + dup22, + ])); + + var msg695 = msg("UI_DBASE_REBUILD_FAILED", part735); + + var part736 = match("MESSAGE#691:UI_DBASE_REBUILD_SCHEMA_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Automatic rebuild of the database failed", processor_chain([ + dup29, + dup21, + setc("event_description","Automatic rebuild of the database failed"), + dup22, + ])); + + var msg696 = msg("UI_DBASE_REBUILD_SCHEMA_FAILED", part736); + + var part737 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/1_1", "nwparser.p0", "Automatic %{p0}"); + + var select70 = linear_select([ + dup75, + part737, + ]); + + var part738 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/2", "nwparser.p0", "%{} %{username->} rebuild/rollback of the database '%(unknown)' started"); + + var all43 = all_match({ + processors: [ + dup49, + select70, + part738, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","DBASE REBUILD STARTED"), + dup22, + ]), + }); + + var msg697 = msg("UI_DBASE_REBUILD_STARTED", all43); + + var part739 = match("MESSAGE#693:UI_DBASE_RECREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' attempting database re-creation", processor_chain([ + dup20, + dup21, + setc("event_description","user attempting database re-creation"), + dup22, + ])); + + var msg698 = msg("UI_DBASE_RECREATE", part739); + + var part740 = match("MESSAGE#694:UI_DBASE_REOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reopen of the database failed", processor_chain([ + dup29, + dup21, + setc("event_description","Reopen of the database failed"), + dup22, + ])); + + var msg699 = msg("UI_DBASE_REOPEN_FAILED", part740); + + var part741 = match("MESSAGE#695:UI_DUPLICATE_UID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Users %{username->} have the same UID %{uid}", processor_chain([ + dup29, + dup21, + setc("event_description","Users 
have the same UID"), + dup22, + ])); + + var msg700 = msg("UI_DUPLICATE_UID", part741); + + var part742 = match("MESSAGE#696:UI_JUNOSCRIPT_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used JUNOScript client to run command '%{action}'", processor_chain([ + setc("eventcategory","1401050100"), + dup21, + setc("event_description","User used JUNOScript client to run command"), + dup22, + ])); + + var msg701 = msg("UI_JUNOSCRIPT_CMD", part742); + + var part743 = match("MESSAGE#697:UI_JUNOSCRIPT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: JUNOScript error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","JUNOScript error"), + dup22, + ])); + + var msg702 = msg("UI_JUNOSCRIPT_ERROR", part743); + + var part744 = match("MESSAGE#698:UI_LOAD_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' is performing a '%{action}'", processor_chain([ + dup20, + dup21, + setc("event_description","User command"), + dup22, + ])); + + var msg703 = msg("UI_LOAD_EVENT", part744); + + var part745 = match("MESSAGE#699:UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Loading the default config from %(unknown)", processor_chain([ + setc("eventcategory","1701040000"), + dup21, + setc("event_description","Loading default config from file"), + dup22, + ])); + + var msg704 = msg("UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", part745); + + var part746 = match("MESSAGE#700:UI_LOGIN_EVENT:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' [%{fld01}], %{info->} '%{saddr->} %{sport->} %{daddr->} %{dport}', client-mode '%{fld02}'", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + dup125, + dup126, + dup22, + ])); + + var msg705 = msg("UI_LOGIN_EVENT:01", part746); + + var part747 = match("MESSAGE#701:UI_LOGIN_EVENT", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' %{info}", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + dup125, + dup22, + ])); + + var msg706 = msg("UI_LOGIN_EVENT", part747); + + var select71 = linear_select([ + msg705, + msg706, + ]); + + var part748 = match("MESSAGE#702:UI_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' logout", processor_chain([ + dup123, + dup33, + dup34, + dup124, + dup36, + dup21, + setc("event_description","User logout"), + dup22, + ])); + + var msg707 = msg("UI_LOGOUT_EVENT", part748); + + var part749 = match("MESSAGE#703:UI_LOST_CONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Lost connection to daemon %{agent}", processor_chain([ + dup29, + dup21, + setc("event_description","Lost connection to daemon"), + dup22, + ])); + + var msg708 = msg("UI_LOST_CONN", part749); + + var part750 = match("MESSAGE#704:UI_MASTERSHIP_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} by '%{username}'", processor_chain([ + dup20, + dup21, + setc("event_description","MASTERSHIP EVENT"), + dup22, + ])); + + var msg709 = msg("UI_MASTERSHIP_EVENT", part750); + + var part751 = match("MESSAGE#705:UI_MGD_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Terminating operation: exit status %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","Terminating operation"), + dup22, + ])); + + var msg710 = msg("UI_MGD_TERMINATE", part751); + + var part752 = match("MESSAGE#706:UI_NETCONF_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used NETCONF client to run command '%{action}'", processor_chain([ + dup28, + dup21, + setc("event_description","User used NETCONF client to run command"), + dup22, + ])); + + var msg711 = msg("UI_NETCONF_CMD", part752); + + var part753 = match("MESSAGE#707:UI_READ_FAILED", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: read failed for peer %{hostname}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","read failed for peer"), + dup22, + ])); + + var msg712 = msg("UI_READ_FAILED", part753); + + var part754 = match("MESSAGE#708:UI_READ_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout on read of peer %{hostname}", processor_chain([ + dup29, + dup21, + setc("event_description","Timeout on read of peer"), + dup22, + ])); + + var msg713 = msg("UI_READ_TIMEOUT", part754); + + var part755 = match("MESSAGE#709:UI_REBOOT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: System %{action->} by '%{username}'", processor_chain([ + dup59, + dup21, + setc("event_description","System reboot or halt"), + dup22, + ])); + + var msg714 = msg("UI_REBOOT_EVENT", part755); + + var part756 = match("MESSAGE#710:UI_RESTART_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' restarting daemon %{service}", processor_chain([ + dup28, + dup21, + setc("event_description","user restarting daemon"), + dup22, + ])); + + var msg715 = msg("UI_RESTART_EVENT", part756); + + var part757 = match("MESSAGE#711:UI_SCHEMA_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema is out of date and %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Schema is out of date"), + dup22, + ])); + + var msg716 = msg("UI_SCHEMA_CHECKOUT_FAILED", part757); + + var part758 = match("MESSAGE#712:UI_SCHEMA_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema major version mismatch for package %{filename->} %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Schema major version mismatch"), + dup22, + ])); + + var msg717 = msg("UI_SCHEMA_MISMATCH_MAJOR", part758); + + var part759 = match("MESSAGE#713:UI_SCHEMA_MISMATCH_MINOR", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Schema minor version mismatch for package %{filename->} %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Schema minor version mismatch"), + dup22, + ])); + + var msg718 = msg("UI_SCHEMA_MISMATCH_MINOR", part759); + + var part760 = match("MESSAGE#714:UI_SCHEMA_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema header sequence numbers mismatch for package %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","Schema header sequence numbers mismatch"), + dup22, + ])); + + var msg719 = msg("UI_SCHEMA_MISMATCH_SEQUENCE", part760); + + var part761 = match("MESSAGE#715:UI_SCHEMA_SEQUENCE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema sequence number mismatch", processor_chain([ + dup29, + dup21, + setc("event_description","Schema sequence number mismatch"), + dup22, + ])); + + var msg720 = msg("UI_SCHEMA_SEQUENCE_ERROR", part761); + + var part762 = match("MESSAGE#716:UI_SYNC_OTHER_RE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration synchronization with remote Routing Engine %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Configuration synchronization with remote Routing Engine"), + dup22, + ])); + + var msg721 = msg("UI_SYNC_OTHER_RE", part762); + + var part763 = match("MESSAGE#717:UI_TACPLUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TACACS+ failure: %{result}", processor_chain([ + dup29, + dup21, + dup127, + dup22, + ])); + + var msg722 = msg("UI_TACPLUS_ERROR", part763); + + var part764 = match("MESSAGE#718:UI_VERSION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch system version: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to fetch system version"), + dup22, + ])); + + var msg723 = msg("UI_VERSION_FAILED", part764); + + var part765 = 
match("MESSAGE#719:UI_WRITE_RECONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Re-establishing connection to peer %{hostname}", processor_chain([ + dup20, + dup21, + setc("event_description","Re-establishing connection to peer"), + dup22, + ])); + + var msg724 = msg("UI_WRITE_RECONNECT", part765); + + var part766 = match("MESSAGE#720:VRRPD_NEWMASTER_TRAP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Interface %{interface->} (local addr: %{saddr}) is now master for %{username}", processor_chain([ + dup20, + dup21, + setc("event_description","Interface new master for User"), + dup22, + ])); + + var msg725 = msg("VRRPD_NEWMASTER_TRAP", part766); + + var part767 = match("MESSAGE#721:WEB_AUTH_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to authenticate %{obj_name->} (username %{c_username})", processor_chain([ + dup68, + dup33, + dup34, + dup42, + dup21, + setc("event_description","Unable to authenticate client"), + dup22, + ])); + + var msg726 = msg("WEB_AUTH_FAIL", part767); + + var part768 = match("MESSAGE#722:WEB_AUTH_SUCCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated %{agent->} client (username %{c_username})", processor_chain([ + dup79, + dup33, + dup34, + dup36, + dup21, + setc("event_description","Authenticated client"), + dup22, + ])); + + var msg727 = msg("WEB_AUTH_SUCCESS", part768); + + var part769 = match("MESSAGE#723:WEB_INTERFACE_UNAUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Web services request received from unauthorized interface %{interface}", processor_chain([ + setc("eventcategory","1001030300"), + dup21, + setc("event_description","web request from unauthorized interface"), + dup22, + ])); + + var msg728 = msg("WEB_INTERFACE_UNAUTH", part769); + + var part770 = match("MESSAGE#724:WEB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to read from client: %{result}", processor_chain([ + 
dup73, + dup21, + setc("event_description","Unable to read from client"), + dup22, + ])); + + var msg729 = msg("WEB_READ", part770); + + var part771 = match("MESSAGE#725:WEBFILTER_REQUEST_NOT_CHECKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Error encountered: %{result}, failed to check request %{url}", processor_chain([ + setc("eventcategory","1204020100"), + dup21, + setc("event_description","failed to check web request"), + dup22, + ])); + + var msg730 = msg("WEBFILTER_REQUEST_NOT_CHECKED", part771); + + var part772 = match("MESSAGE#726:FLOW_REASSEMBLE_FAIL", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" destination-address=\"%{daddr}\" assembly-id=\"%{fld1}\"]", processor_chain([ + dup73, + dup52, + dup42, + dup21, + dup51, + ])); + + var msg731 = msg("FLOW_REASSEMBLE_FAIL", part772); + + var part773 = match("MESSAGE#727:eswd", "nwparser.payload", "%{process}[%{process_id}]: Bridge Address: add %{macaddr}", processor_chain([ + dup28, + dup21, + setc("event_description","Bridge Address"), + dup22, + ])); + + var msg732 = msg("eswd", part773); + + var part774 = match("MESSAGE#728:eswd:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: STP state for interface %{interface->} context id %{id->} changed from %{fld3}", processor_chain([ + dup28, + dup21, + setc("event_description","ESWD STP State Change Info"), + dup22, + ])); + + var msg733 = msg("eswd:01", part774); + + var select72 = linear_select([ + msg732, + msg733, + ]); + + var part775 = match("MESSAGE#729:/usr/sbin/cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD ( %{action})", processor_chain([ + dup28, + dup21, + dup25, + dup22, + ])); + + var msg734 = msg("/usr/sbin/cron", part775); + + var part776 = match("MESSAGE#730:chassism:02", "nwparser.payload", "%{process}[%{process_id}]: %{info}: ifd %{interface->} %{action}", processor_chain([ + dup28, + dup21, + setc("event_description","Link status change event"), 
+ dup22, + ])); + + var msg735 = msg("chassism:02", part776); + + var part777 = match("MESSAGE#731:chassism:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{interface}, %{action}", processor_chain([ + dup28, + dup21, + setc("event_description","ifd process flaps"), + dup22, + ])); + + var msg736 = msg("chassism:01", part777); + + var part778 = match("MESSAGE#732:chassism", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{action}", processor_chain([ + dup28, + dup21, + setc("event_description","IFCM "), + dup22, + ])); + + var msg737 = msg("chassism", part778); + + var select73 = linear_select([ + msg735, + msg736, + msg737, + ]); + + var msg738 = msg("WEBFILTER_URL_PERMITTED", dup155); + + var part779 = match("MESSAGE#734:WEBFILTER_URL_PERMITTED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7}", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var msg739 = msg("WEBFILTER_URL_PERMITTED:01", part779); + + var part780 = match("MESSAGE#735:WEBFILTER_URL_PERMITTED:03", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=%{fld4}", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var msg740 = msg("WEBFILTER_URL_PERMITTED:03", 
part780); + + var part781 = match("MESSAGE#736:WEBFILTER_URL_PERMITTED:02", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=%{url}", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var msg741 = msg("WEBFILTER_URL_PERMITTED:02", part781); + + var select74 = linear_select([ + msg738, + msg739, + msg740, + msg741, + ]); + + var msg742 = msg("WEBFILTER_URL_BLOCKED", dup155); + + var part782 = match("MESSAGE#738:WEBFILTER_URL_BLOCKED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url}", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var msg743 = msg("WEBFILTER_URL_BLOCKED:01", part782); + + var select75 = linear_select([ + msg742, + msg743, + ]); + + var part783 = match("MESSAGE#740:SECINTEL_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access url %{url->} on port %{network_port->} failed\u003c\u003c%{result}>.", processor_chain([ + dup45, + dup46, + dup22, + dup21, + dup126, + ])); + + var msg744 = msg("SECINTEL_NETWORK_CONNECT_FAILED", part783); + + var part784 = match("MESSAGE#741:AAMWD_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access host %{hostname->} on ip %{hostip->} port %{network_port->} %{result}.", processor_chain([ + dup45, + dup46, + dup22, + ])); + + var msg745 = 
msg("AAMWD_NETWORK_CONNECT_FAILED", part784); + + var part785 = match("MESSAGE#742:PKID_UNABLE_TO_GET_CRL", "nwparser.payload", "%{process}[%{process_id}]: %{id}: Failed to retrieve CRL from received file for %{node}", processor_chain([ + dup45, + dup46, + dup22, + dup21, + dup126, + ])); + + var msg746 = msg("PKID_UNABLE_TO_GET_CRL", part785); + + var part786 = match("MESSAGE#743:SECINTEL_ERROR_OTHERS", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> %{result}", processor_chain([ + dup45, + dup46, + dup22, + dup21, + dup126, + ])); + + var msg747 = msg("SECINTEL_ERROR_OTHERS", part786); + + var part787 = match("MESSAGE#744:JSRPD_HA_CONTROL_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{id}: HA control link monitor status is marked up", processor_chain([ + dup47, + dup46, + dup22, + dup21, + dup126, + ])); + + var msg748 = msg("JSRPD_HA_CONTROL_LINK_UP", part787); + + var part788 = match("MESSAGE#745:LACPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: LACPD_TIMEOUT: %{sinterface}: %{event_description}", processor_chain([ + dup45, + dup46, + dup22, + dup21, + dup126, + ])); + + var msg749 = msg("LACPD_TIMEOUT", part788); + + var msg750 = msg("cli", dup156); + + var msg751 = msg("pfed", dup156); + + var msg752 = msg("idpinfo", dup156); + + var msg753 = msg("kmd", dup156); + + var part789 = match("MESSAGE#751:node:01", "nwparser.payload", "%{hostname->} %{node->} Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ + dup20, + dup22, + dup21, + ])); + + var msg754 = msg("node:01", part789); + + var part790 = match("MESSAGE#752:node:02", "nwparser.payload", "%{hostname->} %{node->} %{process}: Trying peer connection, status %{resultcode}, attempt %{fld1}", processor_chain([ + dup20, + dup22, + dup21, + ])); + + var msg755 = msg("node:02", part790); + + var part791 = match("MESSAGE#753:node:03", "nwparser.payload", "%{hostname->} %{node->} %{process}: trying master connection, 
status %{resultcode}, attempt %{fld1}", processor_chain([ + dup20, + dup22, + dup21, + ])); + + var msg756 = msg("node:03", part791); + + var part792 = match("MESSAGE#754:node:04", "nwparser.payload", "%{hostname->} %{node->} %{fld1->} key %{fld2->} %{fld3->} port priority %{fld6->} %{fld4->} port %{portname->} %{fld5->} state %{resultcode}", processor_chain([ + dup20, + dup22, + dup21, + ])); + + var msg757 = msg("node:04", part792); + + var select76 = linear_select([ + dup129, + dup130, + ]); + + var part793 = match("MESSAGE#755:node:05/2", "nwparser.p0", "%{}sys priority %{fld4->} %{p0}"); + + var select77 = linear_select([ + dup130, + dup129, + ]); + + var part794 = match("MESSAGE#755:node:05/4", "nwparser.p0", "%{}sys %{interface}"); + + var all44 = all_match({ + processors: [ + dup128, + select76, + part793, + select77, + part794, + ], + on_success: processor_chain([ + dup20, + dup22, + dup21, + ]), + }); + + var msg758 = msg("node:05", all44); + + var part795 = match("MESSAGE#756:node:06/1_0", "nwparser.p0", "dst mac %{dinterface}"); + + var part796 = match("MESSAGE#756:node:06/1_1", "nwparser.p0", "src mac %{sinterface->} ether type %{fld1}"); + + var select78 = linear_select([ + part795, + part796, + ]); + + var all45 = all_match({ + processors: [ + dup128, + select78, + ], + on_success: processor_chain([ + dup20, + dup22, + dup21, + ]), + }); + + var msg759 = msg("node:06", all45); + + var part797 = match("MESSAGE#757:node:07", "nwparser.payload", "%{hostname->} %{node->} %{process}: interface %{interface->} trigger reth_scan", processor_chain([ + dup20, + dup22, + dup21, + ])); + + var msg760 = msg("node:07", part797); + + var part798 = match("MESSAGE#758:node:08", "nwparser.payload", "%{hostname->} %{node->} %{process}: %{info}", processor_chain([ + dup20, + dup22, + dup21, + ])); + + var msg761 = msg("node:08", part798); + + var part799 = match("MESSAGE#759:node:09", "nwparser.payload", "%{hostname->} %{node->} %{fld1}", processor_chain([ + dup20, + 
dup22, + dup21, + ])); + + var msg762 = msg("node:09", part799); + + var select79 = linear_select([ + msg754, + msg755, + msg756, + msg757, + msg758, + msg759, + msg760, + msg761, + msg762, + ]); + + var part800 = match("MESSAGE#760:(FPC:01", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: deleting active remote neighbor entry %{fld2->} from interface %{interface}.", processor_chain([ + dup20, + dup22, + dup21, + dup23, + ])); + + var msg763 = msg("(FPC:01", part800); + + var part801 = match("MESSAGE#761:(FPC:02", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type->} deleting nb %{fld2->} on ifd %{interface->} for cid %{fld3->} from active neighbor table", processor_chain([ + dup20, + dup22, + dup21, + dup23, + ])); + + var msg764 = msg("(FPC:02", part801); + + var part802 = match("MESSAGE#762:(FPC:03/0", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: M%{p0}"); + + var part803 = match("MESSAGE#762:(FPC:03/1_0", "nwparser.p0", "DOWN %{p0}"); + + var part804 = match("MESSAGE#762:(FPC:03/1_1", "nwparser.p0", "UP %{p0}"); + + var select80 = linear_select([ + part803, + part804, + ]); + + var part805 = match("MESSAGE#762:(FPC:03/2", "nwparser.p0", "%{}received for interface %{interface}, member of %{fld4}"); + + var all46 = all_match({ + processors: [ + part802, + select80, + part805, + ], + on_success: processor_chain([ + dup20, + dup22, + dup21, + dup23, + ]), + }); + + var msg765 = msg("(FPC:03", all46); + + var part806 = match("MESSAGE#763:(FPC:04", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: ifd=%{interface}, ifd flags=%{fld2}", processor_chain([ + dup20, + dup22, + dup21, + dup23, + ])); + + var msg766 = msg("(FPC:04", part806); + + var part807 = match("MESSAGE#764:(FPC:05", "nwparser.payload", "%{fld1}) %{node->} kernel: rdp keepalive expired, connection dropped - src %{fld3}:%{fld2->} dest %{fld4}:%{fld5}", processor_chain([ + dup20, + dup22, + dup21, + dup23, + ])); + + var msg767 = msg("(FPC:05", 
part807); + + var part808 = match("MESSAGE#765:(FPC", "nwparser.payload", "%{fld1}) %{node->} %{fld10}", processor_chain([ + dup20, + dup22, + dup21, + dup23, + ])); + + var msg768 = msg("(FPC", part808); + + var select81 = linear_select([ + msg763, + msg764, + msg765, + msg766, + msg767, + msg768, + ]); + + var part809 = match("MESSAGE#766:tnp.bootpd", "nwparser.payload", "%{process}[%{process_id}]:%{fld1}", processor_chain([ + dup47, + dup22, + dup21, + dup23, + ])); + + var msg769 = msg("tnp.bootpd", part809); + + var part810 = match("MESSAGE#769:AAMW_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} hostname=\"%{hostname}\" file-category=\"%{fld9}\" verdict-number=\"%{fld10}\" action=\"%{action}\" list-hit=\"%{fld19}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" policy-name=\"%{policyname}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" url=\"%{url}\"] %{fld27}", processor_chain([ + dup47, + dup51, + dup21, + dup60, + ])); + + var msg770 = msg("AAMW_ACTION_LOG", part810); + + var part811 = match("MESSAGE#770:AAMW_HOST_INFECTED_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" client-ip-str=\"%{hostip}\" hostname=\"%{hostname}\" status=\"%{fld13}\" policy-name=\"%{policyname}\" verdict-number=\"%{fld15}\" state=\"%{fld16}\" reason=\"%{result}\" message=\"%{info}\" %{fld3}", processor_chain([ + dup131, + dup51, + dup21, + dup60, + ])); + + var msg771 = msg("AAMW_HOST_INFECTED_EVENT_LOG", part811); + + var part812 = match("MESSAGE#771:AAMW_MALWARE_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" sample-sha256=\"%{checksum}\" client-ip-str=\"%{hostip}\" 
verdict-number=\"%{fld26}\" malware-info=\"%{threat_name}\" username=\"%{username}\" hostname=\"%{hostname}\" %{fld3}", processor_chain([ + dup131, + dup51, + dup21, + ])); + + var msg772 = msg("AAMW_MALWARE_EVENT_LOG", part812); + + var part813 = match("MESSAGE#772:IDP_ATTACK_LOG_EVENT", "nwparser.payload", "%{event_type}[junos@%{fld32->} epoch-time=\"%{fld1}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" service-name=\"%{service}\" application-name=\"%{application}\" rule-name=\"%{fld5}\" rulebase-name=\"%{rulename}\" policy-name=\"%{policyname}\" export-id=\"%{fld6}\" repeat-count=\"%{fld7}\" action=\"%{action}\" threat-severity=\"%{severity}\" attack-name=\"%{threat_name}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" elapsed-time=%{fld8->} inbound-bytes=\"%{rbytes}\" outbound-bytes=\"%{sbytes}\" inbound-packets=\"%{packets}\" outbound-packets=\"%{dclass_counter1}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" packet-log-id=\"%{fld9}\" alert=\"%{fld19}\" username=\"%{username}\" roles=\"%{fld15}\" message=\"%{fld28}\" %{fld3}", processor_chain([ + dup80, + dup51, + dup21, + dup60, + ])); + + var msg773 = msg("IDP_ATTACK_LOG_EVENT", part813); + + var part814 = match("MESSAGE#773:RT_SCREEN_ICMP", "nwparser.payload", "%{event_type}[junos@%{fld32->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"] %{fld23}", processor_chain([ + dup80, + dup51, + dup21, + dup60, + ])); + + var msg774 = msg("RT_SCREEN_ICMP", part814); + + var part815 = match("MESSAGE#774:SECINTEL_ACTION_LOG", "nwparser.payload", 
"%{event_type}[junos@%{fld32->} category=\"%{fld1}\" sub-category=\"%{fld2}\" action=\"%{action}\" action-detail=\"%{fld4}\" http-host=\"%{fld17}\" threat-severity=\"%{severity}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld5}\" nested-application=\"%{fld6}\" feed-name=\"%{fld18}\" policy-name=\"%{policyname}\" profile-name=\"%{rulename}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\"]%{fld10}", processor_chain([ + dup45, + dup51, + dup21, + dup60, + ])); + + var msg775 = msg("SECINTEL_ACTION_LOG", part815); + + var part816 = match("MESSAGE#775:qsfp/0", "nwparser.payload", "%{hostname->} %{p0}"); + + var part817 = match("MESSAGE#775:qsfp/1_0", "nwparser.p0", "%{fld2->} %{fld3->} %{process}: qsfp-%{interface->} Chan# %{p0}"); + + var part818 = match("MESSAGE#775:qsfp/1_1", "nwparser.p0", "%{fld2->} qsfp-%{interface->} Chan# %{p0}"); + + var select82 = linear_select([ + part817, + part818, + ]); + + var part819 = match("MESSAGE#775:qsfp/2", "nwparser.p0", "%{fld5}:%{event_description}"); + + var all47 = all_match({ + processors: [ + part816, + select82, + part819, + ], + on_success: processor_chain([ + dup20, + dup21, + dup22, + ]), + }); + + var msg776 = msg("qsfp", all47); + + var part820 = match("MESSAGE#776:JUNOSROUTER_GENERIC:03", "nwparser.payload", "%{event_type}: User '%{username}', command '%{action}'", processor_chain([ + dup20, + dup21, + dup119, + dup22, + ])); + + var msg777 = msg("JUNOSROUTER_GENERIC:03", part820); + + var part821 = match("MESSAGE#777:JUNOSROUTER_GENERIC:04", "nwparser.payload", "%{event_type}: User '%{username}' %{fld1}", processor_chain([ + dup123, + dup33, + dup34, + dup124, + dup36, + dup21, + setc("event_description","LOGOUT"), + dup22, + ])); + + var msg778 = msg("JUNOSROUTER_GENERIC:04", part821); + + var 
part822 = match("MESSAGE#778:JUNOSROUTER_GENERIC:05", "nwparser.payload", "%{event_type}: TACACS+ failure: %{result}", processor_chain([ + dup29, + dup21, + dup127, + dup22, + ])); + + var msg779 = msg("JUNOSROUTER_GENERIC:05", part822); + + var part823 = match("MESSAGE#779:JUNOSROUTER_GENERIC:06", "nwparser.payload", "%{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ + dup29, + dup21, + dup56, + dup22, + ])); + + var msg780 = msg("JUNOSROUTER_GENERIC:06", part823); + + var part824 = match("MESSAGE#780:JUNOSROUTER_GENERIC:07", "nwparser.payload", "%{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ + dup20, + dup21, + dup37, + dup22, + ])); + + var msg781 = msg("JUNOSROUTER_GENERIC:07", part824); + + var part825 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/0", "nwparser.payload", "%{event_type}: NOTIFICATION received from %{p0}"); + + var part826 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_0", "nwparser.p0", "%{daddr->} (%{dhost}): code %{resultcode->} (%{action}), socket buffer sndcc: %{fld1->} rcvcc: %{fld2->} TCP state: %{event_state}, snd_una: %{fld3->} snd_nxt: %{fld4->} snd_wnd: %{fld5->} rcv_nxt: %{fld6->} rcv_adv: %{fld7}, hold timer %{fld8}"); + + var part827 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_1", "nwparser.p0", "%{daddr->} (%{dhost}): code %{resultcode->} (%{action})"); + + var select83 = linear_select([ + part826, + part827, + ]); + + var all48 = all_match({ + processors: [ + part825, + select83, + ], + on_success: processor_chain([ + dup20, + dup21, + dup37, + dup22, + ]), + }); + + var msg782 = msg("JUNOSROUTER_GENERIC:08", all48); + + var part828 = match("MESSAGE#782:JUNOSROUTER_GENERIC:09", "nwparser.payload", "%{event_type}: [edit interfaces%{interface}unit%{fld1}family inet address%{hostip}/%{network_port}] :%{event_description}:%{info}", processor_chain([ + dup20, + dup21, + dup22, + ])); + + var 
msg783 = msg("JUNOSROUTER_GENERIC:09", part828); + + var part829 = match("MESSAGE#783:JUNOSROUTER_GENERIC:01", "nwparser.payload", "%{event_type->} Interface Monitor failed %{fld1}", processor_chain([ + dup132, + dup22, + dup21, + setc("event_description","Interface Monitor failed "), + dup23, + ])); + + var msg784 = msg("JUNOSROUTER_GENERIC:01", part829); + + var part830 = match("MESSAGE#784:JUNOSROUTER_GENERIC:02", "nwparser.payload", "%{event_type->} Interface Monitor failure recovered %{fld1}", processor_chain([ + dup132, + dup22, + dup21, + setc("event_description","Interface Monitor failure recovered"), + dup23, + ])); + + var msg785 = msg("JUNOSROUTER_GENERIC:02", part830); + + var part831 = match("MESSAGE#785:JUNOSROUTER_GENERIC", "nwparser.payload", "%{event_type->} %{fld1}", processor_chain([ + dup132, + dup22, + dup21, + dup23, + ])); + + var msg786 = msg("JUNOSROUTER_GENERIC", part831); + + var select84 = linear_select([ + msg777, + msg778, + msg779, + msg780, + msg781, + msg782, + msg783, + msg784, + msg785, + msg786, + ]); + + var chain1 = processor_chain([ + select5, + msgid_select({ + "(FPC": select81, + "/usr/libexec/telnetd": msg2, + "/usr/sbin/cron": msg734, + "/usr/sbin/sshd": msg1, + "AAMWD_NETWORK_CONNECT_FAILED": msg745, + "AAMW_ACTION_LOG": msg770, + "AAMW_HOST_INFECTED_EVENT_LOG": msg771, + "AAMW_MALWARE_EVENT_LOG": msg772, + "ACCT_ACCOUNTING_FERROR": msg114, + "ACCT_ACCOUNTING_FOPEN_ERROR": msg115, + "ACCT_ACCOUNTING_SMALL_FILE_SIZE": msg116, + "ACCT_BAD_RECORD_FORMAT": msg117, + "ACCT_CU_RTSLIB_error": msg118, + "ACCT_GETHOSTNAME_error": msg119, + "ACCT_MALLOC_FAILURE": msg120, + "ACCT_UNDEFINED_COUNTER_NAME": msg121, + "ACCT_XFER_FAILED": msg122, + "ACCT_XFER_POPEN_FAIL": msg123, + "APPQOS_LOG_EVENT": msg124, + "APPTRACK_SESSION_CLOSE": select30, + "APPTRACK_SESSION_CREATE": msg125, + "APPTRACK_SESSION_VOL_UPDATE": select31, + "BCHIP": msg106, + "BFDD_TRAP_STATE_DOWN": msg130, + "BFDD_TRAP_STATE_UP": msg131, + "BOOTPD_ARG_ERR": msg143, + 
"BOOTPD_BAD_ID": msg144, + "BOOTPD_BOOTSTRING": msg145, + "BOOTPD_CONFIG_ERR": msg146, + "BOOTPD_CONF_OPEN": msg147, + "BOOTPD_DUP_REV": msg148, + "BOOTPD_DUP_SLOT": msg149, + "BOOTPD_MODEL_CHK": msg150, + "BOOTPD_MODEL_ERR": msg151, + "BOOTPD_NEW_CONF": msg152, + "BOOTPD_NO_BOOTSTRING": msg153, + "BOOTPD_NO_CONFIG": msg154, + "BOOTPD_PARSE_ERR": msg155, + "BOOTPD_REPARSE": msg156, + "BOOTPD_SELECT_ERR": msg157, + "BOOTPD_TIMEOUT": msg158, + "BOOTPD_VERSION": msg159, + "CHASSISD": msg160, + "CHASSISD_ARGUMENT_ERROR": msg161, + "CHASSISD_BLOWERS_SPEED": msg162, + "CHASSISD_BLOWERS_SPEED_FULL": msg163, + "CHASSISD_CB_READ": msg164, + "CHASSISD_COMMAND_ACK_ERROR": msg165, + "CHASSISD_COMMAND_ACK_SF_ERROR": msg166, + "CHASSISD_CONCAT_MODE_ERROR": msg167, + "CHASSISD_CONFIG_INIT_ERROR": msg168, + "CHASSISD_CONFIG_WARNING": msg169, + "CHASSISD_EXISTS": msg170, + "CHASSISD_EXISTS_TERM_OTHER": msg171, + "CHASSISD_FILE_OPEN": msg172, + "CHASSISD_FILE_STAT": msg173, + "CHASSISD_FRU_EVENT": msg174, + "CHASSISD_FRU_IPC_WRITE_ERROR_EXT": msg175, + "CHASSISD_FRU_STEP_ERROR": msg176, + "CHASSISD_GETTIMEOFDAY": msg177, + "CHASSISD_HIGH_TEMP_CONDITION": msg214, + "CHASSISD_HOST_TEMP_READ": msg178, + "CHASSISD_IFDEV_DETACH_ALL_PSEUDO": msg179, + "CHASSISD_IFDEV_DETACH_FPC": msg180, + "CHASSISD_IFDEV_DETACH_PIC": msg181, + "CHASSISD_IFDEV_DETACH_PSEUDO": msg182, + "CHASSISD_IFDEV_DETACH_TLV_ERROR": msg183, + "CHASSISD_IFDEV_GET_BY_INDEX_FAIL": msg184, + "CHASSISD_IPC_MSG_QFULL_ERROR": msg185, + "CHASSISD_IPC_UNEXPECTED_RECV": msg186, + "CHASSISD_IPC_WRITE_ERR_NO_PIPE": msg187, + "CHASSISD_IPC_WRITE_ERR_NULL_ARGS": msg188, + "CHASSISD_MAC_ADDRESS_ERROR": msg189, + "CHASSISD_MAC_DEFAULT": msg190, + "CHASSISD_MBUS_ERROR": msg191, + "CHASSISD_PARSE_COMPLETE": msg192, + "CHASSISD_PARSE_ERROR": msg193, + "CHASSISD_PARSE_INIT": msg194, + "CHASSISD_PIDFILE_OPEN": msg195, + "CHASSISD_PIPE_WRITE_ERROR": msg196, + "CHASSISD_POWER_CHECK": msg197, + "CHASSISD_RECONNECT_SUCCESSFUL": msg198, + 
"CHASSISD_RELEASE_MASTERSHIP": msg199, + "CHASSISD_RE_INIT_INVALID_RE_SLOT": msg200, + "CHASSISD_ROOT_MOUNT_ERROR": msg201, + "CHASSISD_RTS_SEQ_ERROR": msg202, + "CHASSISD_SBOARD_VERSION_MISMATCH": msg203, + "CHASSISD_SERIAL_ID": msg204, + "CHASSISD_SMB_ERROR": msg205, + "CHASSISD_SNMP_TRAP10": msg208, + "CHASSISD_SNMP_TRAP6": msg206, + "CHASSISD_SNMP_TRAP7": msg207, + "CHASSISD_TERM_SIGNAL": msg209, + "CHASSISD_TRACE_PIC_OFFLINE": msg210, + "CHASSISD_UNEXPECTED_EXIT": msg211, + "CHASSISD_UNSUPPORTED_MODEL": msg212, + "CHASSISD_VERSION_MISMATCH": msg213, + "CM": msg107, + "CM_JAVA": msg216, + "COS": msg108, + "COSFPC": msg109, + "COSMAN": msg110, + "CRON": msg16, + "CROND": select11, + "Cmerror": msg17, + "DCD_AS_ROOT": msg217, + "DCD_FILTER_LIB_ERROR": msg218, + "DCD_MALLOC_FAILED_INIT": msg219, + "DCD_PARSE_EMERGENCY": msg220, + "DCD_PARSE_FILTER_EMERGENCY": msg221, + "DCD_PARSE_MINI_EMERGENCY": msg222, + "DCD_PARSE_STATE_EMERGENCY": msg223, + "DCD_POLICER_PARSE_EMERGENCY": msg224, + "DCD_PULL_LOG_FAILURE": msg225, + "DFWD_ARGUMENT_ERROR": msg226, + "DFWD_MALLOC_FAILED_INIT": msg227, + "DFWD_PARSE_FILTER_EMERGENCY": msg228, + "DFWD_PARSE_STATE_EMERGENCY": msg229, + "ECCD_DAEMONIZE_FAILED": msg230, + "ECCD_DUPLICATE": msg231, + "ECCD_LOOP_EXIT_FAILURE": msg232, + "ECCD_NOT_ROOT": msg233, + "ECCD_PCI_FILE_OPEN_FAILED": msg234, + "ECCD_PCI_READ_FAILED": msg235, + "ECCD_PCI_WRITE_FAILED": msg236, + "ECCD_PID_FILE_LOCK": msg237, + "ECCD_PID_FILE_UPDATE": msg238, + "ECCD_TRACE_FILE_OPEN_FAILED": msg239, + "ECCD_usage": msg240, + "EVENT": msg23, + "EVENTD_AUDIT_SHOW": msg241, + "FLOW_REASSEMBLE_FAIL": msg731, + "FLOW_REASSEMBLE_SUCCEED": msg242, + "FSAD_CHANGE_FILE_OWNER": msg243, + "FSAD_CONFIG_ERROR": msg244, + "FSAD_CONNTIMEDOUT": msg245, + "FSAD_FAILED": msg246, + "FSAD_FETCHTIMEDOUT": msg247, + "FSAD_FILE_FAILED": msg248, + "FSAD_FILE_REMOVE": msg249, + "FSAD_FILE_RENAME": msg250, + "FSAD_FILE_STAT": msg251, + "FSAD_FILE_SYNC": msg252, + "FSAD_MAXCONN": msg253, + 
"FSAD_MEMORYALLOC_FAILED": msg254, + "FSAD_NOT_ROOT": msg255, + "FSAD_PARENT_DIRECTORY": msg256, + "FSAD_PATH_IS_DIRECTORY": msg257, + "FSAD_PATH_IS_SPECIAL": msg258, + "FSAD_RECVERROR": msg259, + "FSAD_TERMINATED_CONNECTION": msg260, + "FSAD_TERMINATING_SIGNAL": msg261, + "FSAD_TRACEOPEN_FAILED": msg262, + "FSAD_USAGE": msg263, + "Failed": select25, + "GGSN_ALARM_TRAP_FAILED": msg264, + "GGSN_ALARM_TRAP_SEND": msg265, + "GGSN_TRAP_SEND": msg266, + "IDP_ATTACK_LOG_EVENT": msg773, + "JADE_AUTH_ERROR": msg267, + "JADE_EXEC_ERROR": msg268, + "JADE_NO_LOCAL_USER": msg269, + "JADE_PAM_ERROR": msg270, + "JADE_PAM_NO_LOCAL_USER": msg271, + "JSRPD_HA_CONTROL_LINK_UP": msg748, + "JUNOSROUTER_GENERIC": select84, + "KERN_ARP_ADDR_CHANGE": msg272, + "KMD_PM_SA_ESTABLISHED": msg273, + "L2CPD_TASK_REINIT": msg274, + "LACPD_TIMEOUT": msg749, + "LIBJNX_EXEC_EXITED": msg275, + "LIBJNX_EXEC_FAILED": msg276, + "LIBJNX_EXEC_PIPE": msg277, + "LIBJNX_EXEC_SIGNALED": msg278, + "LIBJNX_EXEC_WEXIT": msg279, + "LIBJNX_FILE_COPY_FAILED": msg280, + "LIBJNX_PRIV_LOWER_FAILED": msg281, + "LIBJNX_PRIV_RAISE_FAILED": msg282, + "LIBJNX_REPLICATE_RCP_EXEC_FAILED": msg283, + "LIBJNX_ROTATE_COMPRESS_EXEC_FAILED": msg284, + "LIBSERVICED_CLIENT_CONNECTION": msg285, + "LIBSERVICED_OUTBOUND_REQUEST": msg286, + "LIBSERVICED_SNMP_LOST_CONNECTION": msg287, + "LIBSERVICED_SOCKET_BIND": msg288, + "LIBSERVICED_SOCKET_PRIVATIZE": msg289, + "LICENSE_EXPIRED": msg290, + "LICENSE_EXPIRED_KEY_DELETED": msg291, + "LICENSE_NEARING_EXPIRY": msg292, + "LOGIN_ABORTED": msg293, + "LOGIN_FAILED": msg294, + "LOGIN_FAILED_INCORRECT_PASSWORD": msg295, + "LOGIN_FAILED_SET_CONTEXT": msg296, + "LOGIN_FAILED_SET_LOGIN": msg297, + "LOGIN_HOSTNAME_UNRESOLVED": msg298, + "LOGIN_INFORMATION": msg299, + "LOGIN_INVALID_LOCAL_USER": msg300, + "LOGIN_MALFORMED_USER": msg301, + "LOGIN_PAM_AUTHENTICATION_ERROR": msg302, + "LOGIN_PAM_ERROR": msg303, + "LOGIN_PAM_MAX_RETRIES": msg304, + "LOGIN_PAM_NONLOCAL_USER": msg305, + "LOGIN_PAM_STOP": 
msg306, + "LOGIN_PAM_USER_UNKNOWN": msg307, + "LOGIN_PASSWORD_EXPIRED": msg308, + "LOGIN_REFUSED": msg309, + "LOGIN_ROOT": msg310, + "LOGIN_TIMED_OUT": msg311, + "MIB2D_ATM_ERROR": msg312, + "MIB2D_CONFIG_CHECK_FAILED": msg313, + "MIB2D_FILE_OPEN_FAILURE": msg314, + "MIB2D_IFD_IFINDEX_FAILURE": msg315, + "MIB2D_IFL_IFINDEX_FAILURE": msg316, + "MIB2D_INIT_FAILURE": msg317, + "MIB2D_KVM_FAILURE": msg318, + "MIB2D_RTSLIB_READ_FAILURE": msg319, + "MIB2D_RTSLIB_SEQ_MISMATCH": msg320, + "MIB2D_SYSCTL_FAILURE": msg321, + "MIB2D_TRAP_HEADER_FAILURE": msg322, + "MIB2D_TRAP_SEND_FAILURE": msg323, + "MRVL-L2": msg56, + "Multiuser": msg324, + "NASD_AUTHENTICATION_CREATE_FAILED": msg325, + "NASD_CHAP_AUTHENTICATION_IN_PROGRESS": msg326, + "NASD_CHAP_GETHOSTNAME_FAILED": msg327, + "NASD_CHAP_INVALID_CHAP_IDENTIFIER": msg328, + "NASD_CHAP_INVALID_OPCODE": msg329, + "NASD_CHAP_LOCAL_NAME_UNAVAILABLE": msg330, + "NASD_CHAP_MESSAGE_UNEXPECTED": msg331, + "NASD_CHAP_REPLAY_ATTACK_DETECTED": msg332, + "NASD_CONFIG_GET_LAST_MODIFIED_FAILED": msg333, + "NASD_DAEMONIZE_FAILED": msg334, + "NASD_DB_ALLOC_FAILURE": msg335, + "NASD_DB_TABLE_CREATE_FAILURE": msg336, + "NASD_DUPLICATE": msg337, + "NASD_EVLIB_CREATE_FAILURE": msg338, + "NASD_EVLIB_EXIT_FAILURE": msg339, + "NASD_LOCAL_CREATE_FAILED": msg340, + "NASD_NOT_ROOT": msg341, + "NASD_PID_FILE_LOCK": msg342, + "NASD_PID_FILE_UPDATE": msg343, + "NASD_POST_CONFIGURE_EVENT_FAILED": msg344, + "NASD_PPP_READ_FAILURE": msg345, + "NASD_PPP_SEND_FAILURE": msg346, + "NASD_PPP_SEND_PARTIAL": msg347, + "NASD_PPP_UNRECOGNIZED": msg348, + "NASD_RADIUS_ALLOCATE_PASSWORD_FAILED": msg349, + "NASD_RADIUS_CONFIG_FAILED": msg350, + "NASD_RADIUS_CREATE_FAILED": msg351, + "NASD_RADIUS_CREATE_REQUEST_FAILED": msg352, + "NASD_RADIUS_GETHOSTNAME_FAILED": msg353, + "NASD_RADIUS_MESSAGE_UNEXPECTED": msg354, + "NASD_RADIUS_OPEN_FAILED": msg355, + "NASD_RADIUS_SELECT_FAILED": msg356, + "NASD_RADIUS_SET_TIMER_FAILED": msg357, + "NASD_TRACE_FILE_OPEN_FAILED": msg358, 
+ "NASD_usage": msg359, + "NOTICE": msg360, + "PFEMAN": msg61, + "PFE_FW_SYSLOG_IP": select36, + "PFE_NH_RESOLVE_THROTTLED": msg363, + "PING_TEST_COMPLETED": msg364, + "PING_TEST_FAILED": msg365, + "PKID_UNABLE_TO_GET_CRL": msg746, + "PWC_EXIT": msg368, + "PWC_HOLD_RELEASE": msg369, + "PWC_INVALID_RUNS_ARGUMENT": msg370, + "PWC_INVALID_TIMEOUT_ARGUMENT": msg371, + "PWC_KILLED_BY_SIGNAL": msg372, + "PWC_KILL_EVENT": msg373, + "PWC_KILL_FAILED": msg374, + "PWC_KQUEUE_ERROR": msg375, + "PWC_KQUEUE_INIT": msg376, + "PWC_KQUEUE_REGISTER_FILTER": msg377, + "PWC_LOCKFILE_BAD_FORMAT": msg378, + "PWC_LOCKFILE_ERROR": msg379, + "PWC_LOCKFILE_MISSING": msg380, + "PWC_LOCKFILE_NOT_LOCKED": msg381, + "PWC_NO_PROCESS": msg382, + "PWC_PROCESS_EXIT": msg383, + "PWC_PROCESS_FORCED_HOLD": msg384, + "PWC_PROCESS_HOLD": msg385, + "PWC_PROCESS_HOLD_SKIPPED": msg386, + "PWC_PROCESS_OPEN": msg387, + "PWC_PROCESS_TIMED_HOLD": msg388, + "PWC_PROCESS_TIMEOUT": msg389, + "PWC_SIGNAL_INIT": msg390, + "PWC_SOCKET_CONNECT": msg391, + "PWC_SOCKET_CREATE": msg392, + "PWC_SOCKET_OPTION": msg393, + "PWC_STDOUT_WRITE": msg394, + "PWC_SYSTEM_CALL": msg395, + "PWC_UNKNOWN_KILL_OPTION": msg396, + "RDP": msg111, + "RMOPD_ADDRESS_MULTICAST_INVALID": msg397, + "RMOPD_ADDRESS_SOURCE_INVALID": msg398, + "RMOPD_ADDRESS_STRING_FAILURE": msg399, + "RMOPD_ADDRESS_TARGET_INVALID": msg400, + "RMOPD_DUPLICATE": msg401, + "RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED": msg402, + "RMOPD_ICMP_SENDMSG_FAILURE": msg403, + "RMOPD_IFINDEX_NOT_ACTIVE": msg404, + "RMOPD_IFINDEX_NO_INFO": msg405, + "RMOPD_IFNAME_NOT_ACTIVE": msg406, + "RMOPD_IFNAME_NO_INFO": msg407, + "RMOPD_NOT_ROOT": msg408, + "RMOPD_ROUTING_INSTANCE_NO_INFO": msg409, + "RMOPD_TRACEROUTE_ERROR": msg410, + "RMOPD_usage": msg411, + "RPD_ABORT": msg412, + "RPD_ACTIVE_TERMINATE": msg413, + "RPD_ASSERT": msg414, + "RPD_ASSERT_SOFT": msg415, + "RPD_EXIT": msg416, + "RPD_IFL_INDEXCOLLISION": msg417, + "RPD_IFL_NAMECOLLISION": msg418, + "RPD_ISIS_ADJDOWN": msg419, + 
"RPD_ISIS_ADJUP": msg420, + "RPD_ISIS_ADJUPNOIP": msg421, + "RPD_ISIS_LSPCKSUM": msg422, + "RPD_ISIS_OVERLOAD": msg423, + "RPD_KRT_AFUNSUPRT": msg424, + "RPD_KRT_CCC_IFL_MODIFY": msg425, + "RPD_KRT_DELETED_RTT": msg426, + "RPD_KRT_IFA_GENERATION": msg427, + "RPD_KRT_IFDCHANGE": msg428, + "RPD_KRT_IFDEST_GET": msg429, + "RPD_KRT_IFDGET": msg430, + "RPD_KRT_IFD_GENERATION": msg431, + "RPD_KRT_IFL_CELL_RELAY_MODE_INVALID": msg432, + "RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED": msg433, + "RPD_KRT_IFL_GENERATION": msg434, + "RPD_KRT_KERNEL_BAD_ROUTE": msg435, + "RPD_KRT_NEXTHOP_OVERFLOW": msg436, + "RPD_KRT_NOIFD": msg437, + "RPD_KRT_UNKNOWN_RTT": msg438, + "RPD_KRT_VERSION": msg439, + "RPD_KRT_VERSIONNONE": msg440, + "RPD_KRT_VERSIONOLD": msg441, + "RPD_LDP_INTF_BLOCKED": msg442, + "RPD_LDP_INTF_UNBLOCKED": msg443, + "RPD_LDP_NBRDOWN": msg444, + "RPD_LDP_NBRUP": msg445, + "RPD_LDP_SESSIONDOWN": msg446, + "RPD_LDP_SESSIONUP": msg447, + "RPD_LOCK_FLOCKED": msg448, + "RPD_LOCK_LOCKED": msg449, + "RPD_MPLS_LSP_CHANGE": msg450, + "RPD_MPLS_LSP_DOWN": msg451, + "RPD_MPLS_LSP_SWITCH": msg452, + "RPD_MPLS_LSP_UP": msg453, + "RPD_MSDP_PEER_DOWN": msg454, + "RPD_MSDP_PEER_UP": msg455, + "RPD_OSPF_NBRDOWN": msg456, + "RPD_OSPF_NBRUP": msg457, + "RPD_OS_MEMHIGH": msg458, + "RPD_PIM_NBRDOWN": msg459, + "RPD_PIM_NBRUP": msg460, + "RPD_RDISC_CKSUM": msg461, + "RPD_RDISC_NOMULTI": msg462, + "RPD_RDISC_NORECVIF": msg463, + "RPD_RDISC_SOLICITADDR": msg464, + "RPD_RDISC_SOLICITICMP": msg465, + "RPD_RDISC_SOLICITLEN": msg466, + "RPD_RIP_AUTH": msg467, + "RPD_RIP_JOIN_BROADCAST": msg468, + "RPD_RIP_JOIN_MULTICAST": msg469, + "RPD_RT_IFUP": msg470, + "RPD_SCHED_CALLBACK_LONGRUNTIME": msg471, + "RPD_SCHED_CUMULATIVE_LONGRUNTIME": msg472, + "RPD_SCHED_MODULE_LONGRUNTIME": msg473, + "RPD_SCHED_TASK_LONGRUNTIME": msg474, + "RPD_SIGNAL_TERMINATE": msg475, + "RPD_START": msg476, + "RPD_SYSTEM": msg477, + "RPD_TASK_BEGIN": msg478, + "RPD_TASK_CHILDKILLED": msg479, + "RPD_TASK_CHILDSTOPPED": msg480, 
+ "RPD_TASK_FORK": msg481, + "RPD_TASK_GETWD": msg482, + "RPD_TASK_NOREINIT": msg483, + "RPD_TASK_PIDCLOSED": msg484, + "RPD_TASK_PIDFLOCK": msg485, + "RPD_TASK_PIDWRITE": msg486, + "RPD_TASK_REINIT": msg487, + "RPD_TASK_SIGNALIGNORE": msg488, + "RT_COS": msg489, + "RT_FLOW_SESSION_CLOSE": select51, + "RT_FLOW_SESSION_CREATE": select45, + "RT_FLOW_SESSION_DENY": select47, + "RT_SCREEN_ICMP": msg774, + "RT_SCREEN_IP": select52, + "RT_SCREEN_SESSION_LIMIT": msg504, + "RT_SCREEN_TCP": msg503, + "RT_SCREEN_UDP": msg505, + "Resolve": msg63, + "SECINTEL_ACTION_LOG": msg775, + "SECINTEL_ERROR_OTHERS": msg747, + "SECINTEL_NETWORK_CONNECT_FAILED": msg744, + "SERVICED_CLIENT_CONNECT": msg506, + "SERVICED_CLIENT_DISCONNECTED": msg507, + "SERVICED_CLIENT_ERROR": msg508, + "SERVICED_COMMAND_FAILED": msg509, + "SERVICED_COMMIT_FAILED": msg510, + "SERVICED_CONFIGURATION_FAILED": msg511, + "SERVICED_CONFIG_ERROR": msg512, + "SERVICED_CONFIG_FILE": msg513, + "SERVICED_CONNECTION_ERROR": msg514, + "SERVICED_DISABLED_GGSN": msg515, + "SERVICED_DUPLICATE": msg516, + "SERVICED_EVENT_FAILED": msg517, + "SERVICED_INIT_FAILED": msg518, + "SERVICED_MALLOC_FAILURE": msg519, + "SERVICED_NETWORK_FAILURE": msg520, + "SERVICED_NOT_ROOT": msg521, + "SERVICED_PID_FILE_LOCK": msg522, + "SERVICED_PID_FILE_UPDATE": msg523, + "SERVICED_RTSOCK_SEQUENCE": msg524, + "SERVICED_SIGNAL_HANDLER": msg525, + "SERVICED_SOCKET_CREATE": msg526, + "SERVICED_SOCKET_IO": msg527, + "SERVICED_SOCKET_OPTION": msg528, + "SERVICED_STDLIB_FAILURE": msg529, + "SERVICED_USAGE": msg530, + "SERVICED_WORK_INCONSISTENCY": msg531, + "SNMPD_ACCESS_GROUP_ERROR": msg537, + "SNMPD_AUTH_FAILURE": select53, + "SNMPD_AUTH_PRIVILEGES_EXCEEDED": msg542, + "SNMPD_AUTH_RESTRICTED_ADDRESS": msg543, + "SNMPD_AUTH_WRONG_PDU_TYPE": msg544, + "SNMPD_CONFIG_ERROR": msg545, + "SNMPD_CONTEXT_ERROR": msg546, + "SNMPD_ENGINE_FILE_FAILURE": msg547, + "SNMPD_ENGINE_PROCESS_ERROR": msg548, + "SNMPD_FILE_FAILURE": msg549, + "SNMPD_GROUP_ERROR": msg550, 
+ "SNMPD_INIT_FAILED": msg551, + "SNMPD_LIBJUNIPER_FAILURE": msg552, + "SNMPD_LOOPBACK_ADDR_ERROR": msg553, + "SNMPD_MEMORY_FREED": msg554, + "SNMPD_RADIX_FAILURE": msg555, + "SNMPD_RECEIVE_FAILURE": msg556, + "SNMPD_RMONFILE_FAILURE": msg557, + "SNMPD_RMON_COOKIE": msg558, + "SNMPD_RMON_EVENTLOG": msg559, + "SNMPD_RMON_IOERROR": msg560, + "SNMPD_RMON_MIBERROR": msg561, + "SNMPD_RTSLIB_ASYNC_EVENT": msg562, + "SNMPD_SEND_FAILURE": select54, + "SNMPD_SOCKET_FAILURE": msg565, + "SNMPD_SUBAGENT_NO_BUFFERS": msg566, + "SNMPD_SUBAGENT_SEND_FAILED": msg567, + "SNMPD_SYSLIB_FAILURE": msg568, + "SNMPD_THROTTLE_QUEUE_DRAINED": msg569, + "SNMPD_TRAP_COLD_START": msg570, + "SNMPD_TRAP_GEN_FAILURE": msg571, + "SNMPD_TRAP_GEN_FAILURE2": msg572, + "SNMPD_TRAP_INVALID_DATA": msg573, + "SNMPD_TRAP_NOT_ENOUGH_VARBINDS": msg574, + "SNMPD_TRAP_QUEUED": msg575, + "SNMPD_TRAP_QUEUE_DRAINED": msg576, + "SNMPD_TRAP_QUEUE_MAX_ATTEMPTS": msg577, + "SNMPD_TRAP_QUEUE_MAX_SIZE": msg578, + "SNMPD_TRAP_THROTTLED": msg579, + "SNMPD_TRAP_TYPE_ERROR": msg580, + "SNMPD_TRAP_VARBIND_TYPE_ERROR": msg581, + "SNMPD_TRAP_VERSION_ERROR": msg582, + "SNMPD_TRAP_WARM_START": msg583, + "SNMPD_USER_ERROR": msg584, + "SNMPD_VIEW_DELETE": msg585, + "SNMPD_VIEW_INSTALL_DEFAULT": msg586, + "SNMPD_VIEW_OID_PARSE": msg587, + "SNMP_GET_ERROR1": msg588, + "SNMP_GET_ERROR2": msg589, + "SNMP_GET_ERROR3": msg590, + "SNMP_GET_ERROR4": msg591, + "SNMP_NS_LOG_INFO": msg535, + "SNMP_RTSLIB_FAILURE": msg592, + "SNMP_SUBAGENT_IPC_REG_ROWS": msg536, + "SNMP_TRAP_LINK_DOWN": select55, + "SNMP_TRAP_LINK_UP": select56, + "SNMP_TRAP_PING_PROBE_FAILED": msg597, + "SNMP_TRAP_PING_TEST_COMPLETED": msg598, + "SNMP_TRAP_PING_TEST_FAILED": msg599, + "SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE": msg600, + "SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED": msg601, + "SNMP_TRAP_TRACE_ROUTE_TEST_FAILED": msg602, + "SNTPD": msg112, + "SSB": msg113, + "SSHD_LOGIN_FAILED": select57, + "SSL_PROXY_SESSION_IGNORE": msg534, + "SSL_PROXY_SSL_SESSION_ALLOW": msg532, + 
"SSL_PROXY_SSL_SESSION_DROP": msg533, + "TASK_TASK_REINIT": msg606, + "TFTPD_AF_ERR": msg607, + "TFTPD_BIND_ERR": msg608, + "TFTPD_CONNECT_ERR": msg609, + "TFTPD_CONNECT_INFO": msg610, + "TFTPD_CREATE_ERR": msg611, + "TFTPD_FIO_ERR": msg612, + "TFTPD_FORK_ERR": msg613, + "TFTPD_NAK_ERR": msg614, + "TFTPD_OPEN_ERR": msg615, + "TFTPD_RECVCOMPLETE_INFO": msg616, + "TFTPD_RECVFROM_ERR": msg617, + "TFTPD_RECV_ERR": msg618, + "TFTPD_SENDCOMPLETE_INFO": msg619, + "TFTPD_SEND_ERR": msg620, + "TFTPD_SOCKET_ERR": msg621, + "TFTPD_STATFS_ERR": msg622, + "TNP": msg623, + "UI_AUTH_EVENT": msg628, + "UI_AUTH_INVALID_CHALLENGE": msg629, + "UI_BOOTTIME_FAILED": msg630, + "UI_CFG_AUDIT_NEW": select58, + "UI_CFG_AUDIT_OTHER": select60, + "UI_CFG_AUDIT_SET": select63, + "UI_CFG_AUDIT_SET_SECRET": select64, + "UI_CHILD_ARGS_EXCEEDED": msg645, + "UI_CHILD_CHANGE_USER": msg646, + "UI_CHILD_EXEC": msg647, + "UI_CHILD_EXITED": msg648, + "UI_CHILD_FOPEN": msg649, + "UI_CHILD_PIPE_FAILED": msg650, + "UI_CHILD_SIGNALED": msg651, + "UI_CHILD_START": msg653, + "UI_CHILD_STATUS": msg654, + "UI_CHILD_STOPPED": msg652, + "UI_CHILD_WAITPID": msg655, + "UI_CLI_IDLE_TIMEOUT": msg656, + "UI_CMDLINE_READ_LINE": msg657, + "UI_CMDSET_EXEC_FAILED": msg658, + "UI_CMDSET_FORK_FAILED": msg659, + "UI_CMDSET_PIPE_FAILED": msg660, + "UI_CMDSET_STOPPED": msg661, + "UI_CMDSET_WEXITED": msg662, + "UI_CMD_AUTH_REGEX_INVALID": msg663, + "UI_COMMIT": msg664, + "UI_COMMIT_AT": msg665, + "UI_COMMIT_AT_COMPLETED": msg666, + "UI_COMMIT_AT_FAILED": msg667, + "UI_COMMIT_COMPRESS_FAILED": msg668, + "UI_COMMIT_CONFIRMED": msg669, + "UI_COMMIT_CONFIRMED_REMINDER": msg670, + "UI_COMMIT_CONFIRMED_TIMED": msg671, + "UI_COMMIT_EMPTY_CONTAINER": msg672, + "UI_COMMIT_NOT_CONFIRMED": msg673, + "UI_COMMIT_PROGRESS": msg674, + "UI_COMMIT_QUIT": msg675, + "UI_COMMIT_ROLLBACK_FAILED": msg676, + "UI_COMMIT_SYNC": msg677, + "UI_COMMIT_SYNC_FORCE": msg678, + "UI_CONFIGURATION_ERROR": msg679, + "UI_DAEMON_ACCEPT_FAILED": msg680, + 
"UI_DAEMON_FORK_FAILED": msg681, + "UI_DAEMON_SELECT_FAILED": msg682, + "UI_DAEMON_SOCKET_FAILED": msg683, + "UI_DBASE_ACCESS_FAILED": msg684, + "UI_DBASE_CHECKOUT_FAILED": msg685, + "UI_DBASE_EXTEND_FAILED": msg686, + "UI_DBASE_LOGIN_EVENT": msg687, + "UI_DBASE_LOGOUT_EVENT": msg688, + "UI_DBASE_MISMATCH_EXTENT": msg689, + "UI_DBASE_MISMATCH_MAJOR": msg690, + "UI_DBASE_MISMATCH_MINOR": msg691, + "UI_DBASE_MISMATCH_SEQUENCE": msg692, + "UI_DBASE_MISMATCH_SIZE": msg693, + "UI_DBASE_OPEN_FAILED": msg694, + "UI_DBASE_REBUILD_FAILED": msg695, + "UI_DBASE_REBUILD_SCHEMA_FAILED": msg696, + "UI_DBASE_REBUILD_STARTED": msg697, + "UI_DBASE_RECREATE": msg698, + "UI_DBASE_REOPEN_FAILED": msg699, + "UI_DUPLICATE_UID": msg700, + "UI_JUNOSCRIPT_CMD": msg701, + "UI_JUNOSCRIPT_ERROR": msg702, + "UI_LOAD_EVENT": msg703, + "UI_LOAD_JUNOS_DEFAULT_FILE_EVENT": msg704, + "UI_LOGIN_EVENT": select71, + "UI_LOGOUT_EVENT": msg707, + "UI_LOST_CONN": msg708, + "UI_MASTERSHIP_EVENT": msg709, + "UI_MGD_TERMINATE": msg710, + "UI_NETCONF_CMD": msg711, + "UI_READ_FAILED": msg712, + "UI_READ_TIMEOUT": msg713, + "UI_REBOOT_EVENT": msg714, + "UI_RESTART_EVENT": msg715, + "UI_SCHEMA_CHECKOUT_FAILED": msg716, + "UI_SCHEMA_MISMATCH_MAJOR": msg717, + "UI_SCHEMA_MISMATCH_MINOR": msg718, + "UI_SCHEMA_MISMATCH_SEQUENCE": msg719, + "UI_SCHEMA_SEQUENCE_ERROR": msg720, + "UI_SYNC_OTHER_RE": msg721, + "UI_TACPLUS_ERROR": msg722, + "UI_VERSION_FAILED": msg723, + "UI_WRITE_RECONNECT": msg724, + "VRRPD_NEWMASTER_TRAP": msg725, + "Version": msg99, + "WEBFILTER_REQUEST_NOT_CHECKED": msg730, + "WEBFILTER_URL_BLOCKED": select75, + "WEBFILTER_URL_PERMITTED": select74, + "WEB_AUTH_FAIL": msg726, + "WEB_AUTH_SUCCESS": msg727, + "WEB_INTERFACE_UNAUTH": msg728, + "WEB_READ": msg729, + "alarmd": msg3, + "bgp_connect_start": msg132, + "bgp_event": msg133, + "bgp_listen_accept": msg134, + "bgp_listen_reset": msg135, + "bgp_nexthop_sanity": msg136, + "bgp_pp_recv": select33, + "bgp_process_caps": select32, + "bgp_send": 
msg141, + "bgp_traffic_timeout": msg142, + "bigd": select6, + "bigpipe": select7, + "bigstart": msg9, + "cgatool": msg10, + "chassisd": msg11, + "chassism": select73, + "checkd": select8, + "clean_process": msg215, + "cli": msg750, + "cosd": msg14, + "craftd": msg15, + "cron": msg18, + "crond": msg21, + "dcd": msg22, + "eswd": select72, + "ftpd": msg24, + "ha_rto_stats_handler": msg25, + "hostinit": msg26, + "idpinfo": msg752, + "ifinfo": select13, + "ifp_ifl_anydown_change_event": msg30, + "ifp_ifl_config_event": msg31, + "ifp_ifl_ext_chg": msg32, + "inetd": select14, + "init": select15, + "ipc_msg_write": msg40, + "kernel": select17, + "kmd": msg753, + "last": select28, + "login": select18, + "lsys_ssam_handler": msg53, + "mcsn": msg54, + "mgd": msg62, + "mrvl_dfw_log_effuse_status": msg55, + "node": select79, + "pfed": msg751, + "process_mode": select38, + "profile_ssam_handler": msg57, + "pst_nat_binding_set_profile": msg58, + "qsfp": msg776, + "respawn": msg64, + "root": msg65, + "rpd": select20, + "rshd": msg70, + "sfd": msg71, + "sshd": select21, + "syslogd": msg92, + "task_connect": msg605, + "task_reconfigure": msg59, + "tnetd": msg60, + "tnp.bootpd": msg769, + "trace_on": msg624, + "trace_rotate": msg625, + "transfer-file": msg626, + "ttloop": msg627, + "ucd-snmp": select26, + "usp_ipc_client_reconnect": msg95, + "usp_trace_ipc_disconnect": msg96, + "usp_trace_ipc_reconnect": msg97, + "uspinfo": msg98, + "xntpd": select27, + }), + ]); + + var hdr43 = match("HEADER#3:0004/0", "message", "%{month->} %{day->} %{time->} %{p0}"); + + var part832 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); + + var part833 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); + + var part834 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); + + var part835 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); + + var part836 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); + + var part837 = match("HEADER#3:0004/1_5", "nwparser.p0", 
"fpc5 %{p0}"); + + var part838 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); + + var part839 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); + + var part840 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); + + var part841 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); + + var part842 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); + + var part843 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{payload}"); + + var hdr44 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); + + var part844 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); + + var part845 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); + + var part846 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); + + var part847 = match("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "%{p0}"); + + var part848 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); + + var part849 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); + + var part850 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); + + var part851 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); + + var part852 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", "%{dport}\" connection-tag=%{fld20->} service-name=\"%{p0}"); + + var part853 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", "%{dport}\" service-name=\"%{p0}"); + + var part854 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", "%{dtransport}\" nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); 
+ + var part855 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_1", "nwparser.p0", "%{dtransport}\"%{p0}"); + + var part856 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_1", "nwparser.p0", "%{dinterface}\"%{p0}"); + + var part857 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); + + var part858 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied%{p0}"); + + var part859 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied%{p0}"); + + var part860 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); + + var part861 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{p0}"); + + var part862 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); + + var part863 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{rule_template}\"%{p0}"); + + var part864 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_1", "nwparser.p0", "name=\"%{rule_template}\"%{p0}"); + + var part865 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); + + var part866 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); + + var part867 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "%{}-> \"%{change_new}\""); + + var part868 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
User '%{username}' %{p0}"); + + var part869 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); + + var part870 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); + + var part871 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); + + var part872 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); + + var part873 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); + + var part874 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); + + var part875 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); + + var select85 = linear_select([ + dup12, + dup13, + dup14, + dup15, + ]); + + var select86 = linear_select([ + dup39, + dup40, + ]); + + var part876 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ + dup20, + dup21, + dup55, + dup22, + ])); + + var part877 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ + dup50, + dup21, + dup63, + dup22, + ])); + + var part878 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ + dup29, + dup21, + dup64, + dup22, + ])); + + var part879 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ + dup29, + dup21, + dup65, + dup22, + ])); + + var part880 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ + dup29, + dup21, 
+ dup66, + dup22, + ])); + + var part881 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ + dup29, + dup21, + dup67, + dup22, + ])); + + var part882 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + dup70, + dup22, + ])); + + var select87 = linear_select([ + dup75, + dup76, + ]); + + var part883 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ + dup29, + dup21, + dup78, + dup22, + ])); + + var part884 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ + dup29, + dup21, + dup83, + dup22, + ])); + + var part885 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ + dup29, + dup21, + dup84, + dup22, + ])); + + var part886 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ + dup20, + dup21, + dup85, + dup22, + ])); + + var select88 = linear_select([ + dup87, + dup88, + ]); + + var select89 = linear_select([ + dup89, + dup90, + ]); + + var select90 = linear_select([ + dup95, + dup96, + ]); + + var select91 = linear_select([ + dup101, + dup102, + ]); + + var part887 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" 
destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var part888 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ + dup26, + dup21, + dup51, + ])); + + var select92 = linear_select([ + dup116, + dup117, + ]); + + var select93 = linear_select([ + dup121, + dup122, + ]); + + var part889 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ + dup29, + dup21, + dup51, + ])); + + var part890 = match("MESSAGE#747:cli", "nwparser.payload", "%{fld12}", processor_chain([ + dup47, + dup46, + dup22, + dup21, + ])); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 
diff --git a/packages/juniper/0.1.0/dataset/junos/elasticsearch/ingest_pipeline/default.yml b/packages/juniper/0.1.0/dataset/junos/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 0000000000..64ad00379f
--- /dev/null
+++ b/packages/juniper/0.1.0/dataset/junos/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Juniper JUNOS
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/juniper/0.1.0/dataset/junos/fields/base-fields.yml b/packages/juniper/0.1.0/dataset/junos/fields/base-fields.yml
new file mode 100644
index 0000000000..b294eaf20e
--- /dev/null
+++ b/packages/juniper/0.1.0/dataset/junos/fields/base-fields.yml
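Review bot: A failure in any `geoip` or `rename` processor in this pipeline jumps straight to the `on_failure` block, so the remaining enrichment steps are skipped for that document and the only trace is the text appended to `error.message`; nothing marks the event as degraded, which makes partially-enriched events hard to find from dashboards or detection queries. Consider adding `- set:` / `field: event.kind` / `value: pipeline_error` next to the `append` so such documents can be filtered, and mapping `event.kind` in ecs.yml if it is not already declared there (the visible part of that file does not define it). The `geoip` processors presumably receive `source.ip` and `destination.ip` from the parser script; if that script can place a hostname rather than an address in those fields, the lookup error will surface here instead of as a missing field, so it is worth confirming the script only emits literal addresses into `.ip`.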
@@ -0,0 +1,26 @@
+- name: datastream.type
+ type: constant_keyword
+ description: Datastream type.
+- name: datastream.dataset
+ type: constant_keyword
+ description: Datastream dataset.
+- name: datastream.namespace
+ type: constant_keyword
+ description: Datastream namespace.
+
+- name: dataset.type
+ type: constant_keyword
+ description: >
+ Dataset type.
+- name: dataset.name
+ type: constant_keyword
+ description: >
+ Dataset name.
+- name: dataset.namespace
+ type: constant_keyword
+ description: >
+ Dataset namespace.
+- name: "@timestamp"
+ type: date
+ description: >
+ Event timestamp.
diff --git a/packages/juniper/0.1.0/dataset/junos/fields/ecs.yml b/packages/juniper/0.1.0/dataset/junos/fields/ecs.yml
new file mode 100644
index 0000000000..92af91c339
--- /dev/null
+++ b/packages/juniper/0.1.0/dataset/junos/fields/ecs.yml
@@ -0,0 +1,836 @@ +- name: log + type: group + fields: + - name: original + level: core + type: keyword + ignore_above: 1024 + description: 'This is the original log message and contains the full log message + before splitting it up in multiple parts. + + In contrast to the `message` field which can contain an extracted part of the + log message, this field contains the original, full log message. It can have + already some modifications applied like encoding or new lines removed to clean + up the log message. + + This field is not indexed and doc_values are disabled so it can''t be queried + but the value can be retrieved from `_source`.' + example: Sep 19 08:26:10 localhost My log + - name: level + level: core + type: keyword + ignore_above: 1024 + description: 'Original log level of the log event. + + If the source of the event provides a log level or textual severity, this is + the one that goes in `log.level`. If your source doesn''t specify one, you may + put your event transport''s severity here (e.g. Syslog severity). + + Some examples are `warn`, `err`, `i`, `informational`.' + example: error + - name: syslog + type: group + fields: + - name: priority + level: extended + type: long + format: string + description: 'Syslog numeric priority of the event, if available. + + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. + This number is therefore expected to contain a value between 0 and 191.' + example: 135 + - name: facility + type: group + fields: + - name: code + level: extended + type: long + format: string + description: 'The Syslog numeric facility of the log event, if available. + + According to RFCs 5424 and 3164, this value should be an integer between + 0 and 23.' + example: 23 + - name: severity + type: group + fields: + - name: code + level: extended + type: long + description: 'The Syslog numeric severity of the log event, if available. 
+ + If the event source publishing via Syslog provides a different numeric severity + value (e.g. firewall, IDS), your source''s numeric severity should go to + `event.severity`. If the event source does not specify a distinct severity, + you can optionally copy the Syslog severity to `event.severity`.' + example: 3 +- name: event + type: group + fields: + - name: code + level: extended + type: keyword + ignore_above: 1024 + description: 'Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, regardless + of message language or wording adjustments over time. An example of this is + the Windows Event ID.' + example: 4648 + - name: action + level: core + type: keyword + ignore_above: 1024 + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is normally + defined by the implementer.' + example: user-password-change + - name: outcome + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + lowest level in the ECS category hierarchy. + + `event.outcome` simply denotes whether the event represents a success or a failure + from the perspective of the entity that produced the event. + + Note that when a single transaction is described in multiple events, each event + may populate different values of `event.outcome`, according to their perspective. + + Also note that in the case of a compound event (a single event that contains + multiple logical events), this field should be populated with the value that + best captures the overall success or failure from the perspective of the event + producer. + + Further note that not all events will have an associated outcome. 
For example, + this field is generally not populated for metric events, events with `event.type:info`, + or any events for which an outcome does not make logical sense.' + example: success + - name: category + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as a + subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + - name: timezone + level: extended + type: keyword + ignore_above: 1024 + description: 'This field should be populated when the event''s timestamp does + not include timezone information already (e.g. default Syslog timestamps). It''s + optional otherwise. + + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated + (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' +- name: '@timestamp' + level: core + required: true + type: date + description: 'Date/time when the event originated. + + This is the date/time extracted from the event, typically representing when the + event was generated by the source. + + If the event source has no original timestamp, this value is typically populated + by the first time the event was received by the pipeline. + + Required field for all events.' + example: '2016-05-23T08:05:34.853Z' +- name: user + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. 
+ example: albert + - name: full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifiers of the user. +- name: message + level: core + type: text + description: 'For log events the message field contains the log message, optimized + for viewing in a log viewer. + + For structured logs without an original message field, other fields can be concatenated + to form a human-readable summary of the event. + + If multiple messages exist, they can be combined into one message.' + example: Hello World +- name: source + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the source. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the source. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the source. + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. 
internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Source domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: host + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified + domain name, or a name specified by the user. The sender decides which value + to use.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. +- name: destination + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the destination. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the destination. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event destination addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. 
You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the destination to the source. + example: 184 + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the destination. + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of destination based NAT sessions (e.g. internet + to private DMZ) + + Typically used with load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Port the source session is translated to by NAT Device. + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Destination domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: network + type: group + fields: + - name: protocol + level: core + type: keyword + ignore_above: 1024 + description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: http + - name: application + level: extended + type: keyword + ignore_above: 1024 + description: 'A name given to an application level protocol. This can be arbitrarily + assigned for things like microservices, but also apply to things like skype, + icq, facebook, twitter. 
This would be used in situations where the vendor or + service can be decoded such as from the source/dest IP owners, ports, or wire + format. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: aim + - name: interface + type: group + fields: + - type: keyword + name: name + - name: bytes + level: core + type: long + format: bytes + description: 'Total bytes transferred in both directions. + + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their + sum.' + example: 368 + - name: direction + level: core + type: keyword + ignore_above: 1024 + description: "Direction of the network traffic.\nRecommended values are:\n *\ + \ inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen mapping\ + \ events from a host-based monitoring context, populate this field from the\ + \ host's point of view.\nWhen mapping events from a network or perimeter-based\ + \ monitoring context, populate this field from the point of view of your network\ + \ perimeter." + example: inbound + - name: packets + level: core + type: long + description: 'Total packets transferred in both directions. + + If `source.packets` and `destination.packets` are known, `network.packets` is + their sum.' + example: 24 + - name: forwarded_ip + level: core + type: ip + description: Host IP address when the source IP address is the proxy. + example: 192.1.1.2 +- name: observer + type: group + fields: + - name: version + level: core + type: keyword + ignore_above: 1024 + description: Observer version. + - name: product + level: extended + type: keyword + ignore_above: 1024 + description: The product name of the observer. + example: s200 + - name: ingress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. 
+ example: eth0 + default_field: false + - name: egress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. + example: eth0 + default_field: false +- name: file + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. + example: example.png + - name: directory + level: extended + type: keyword + ignore_above: 1024 + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + - name: size + level: extended + type: long + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: File type (file, dir, or symlink). + example: file + - name: extension + level: extended + type: keyword + ignore_above: 1024 + description: File extension. + example: png + - name: path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + - name: attributes + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' 
+ example: '["readonly", "system"]' + default_field: false +- name: url + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + - name: query + level: extended + type: keyword + ignore_above: 1024 + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there is + no query field. If there is a `?` but no query, the query field exists with + an empty string. The `exists` query can be used to differentiate between the + two cases.' + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field.' + example: www.elastic.co + - name: path + level: extended + type: keyword + ignore_above: 1024 + description: Path of the request, such as "/search". + - name: top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for google.com is "com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). 
Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.google.com" is "google.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: google.com +- name: service + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the service data is collected from. + + The name of the service is normally user given. This allows for distributed + services that run on multiple hosts to correlate the related instances based + on the name. + + In the case of Elasticsearch the `service.name` could contain the cluster name. + For Beats the `service.name` is by default a copy of the `service.type` field + if no name is specified.' + example: elasticsearch-metrics +- name: server + type: group + fields: + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Server domain. +- name: process + type: group + fields: + - name: pid + level: core + type: long + format: string + description: Process id. + example: 4242 + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + - name: ppid + level: extended + type: long + format: string + description: Parent process' pid. 
+ example: 4241 + - name: parent + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' +- name: rule + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: The name of the rule or signature generating the event. + example: BLOCK_DNS_over_TLS + default_field: false +- name: user_agent + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Unparsed user_agent string. + example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 + (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 +- name: http + type: group + fields: + - name: response + type: group + fields: + - name: body + type: group + fields: + - name: content + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: The full HTTP response body. 
+ example: Hello world + - name: request + type: group + fields: + - name: referrer + level: extended + type: keyword + ignore_above: 1024 + description: Referrer for this HTTP request. + example: https://blog.example.com/ + - name: method + level: extended + type: keyword + ignore_above: 1024 + description: 'HTTP request method. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: get, post, put +- name: geo + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + - name: region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec +- name: dns + type: group + fields: + - name: question + type: group + fields: + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of record being queried. + example: AAAA + - name: answers + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'The domain name to which this resource record pertains. + + If a chain of CNAME is being resolved, each answer''s `name` should be the + one that corresponds with the answer''s `data`. It should not simply be the + original `question.name` repeated.' + example: www.google.com + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of data contained in this resource record. 
+ example: CNAME diff --git a/packages/juniper/0.1.0/dataset/junos/fields/fields.yml b/packages/juniper/0.1.0/dataset/junos/fields/fields.yml new file mode 100644 index 0000000000..2abc947fe7 --- /dev/null +++ b/packages/juniper/0.1.0/dataset/junos/fields/fields.yml 
@@ -0,0 +1,1939 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. 
+ - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1
+ type: keyword
+ description: This key is used to capture a Linked (Related) Session ID from
+ the session directly
+ - name: comp_version
+ type: keyword
+ description: This key captures the Version level of a sub-component of a product.
+ - name: content_version
+ type: keyword
+ description: This key captures Version level of a signature or database content.
+ - name: hardware_id
+ type: keyword
+ description: This key is used to capture unique identifier for a device or system
+ (NOT a Mac address)
+ - name: risk
+ type: keyword
+ description: This key captures the non-numeric risk value
+ - name: event_id
+ type: keyword
+ - name: reason
+ type: keyword
+ - name: status
+ type: keyword
+ - name: mail_id
+ type: keyword
+ description: This key is used to capture the mailbox id/name
+ - name: rule_uid
+ type: keyword
+ description: This key is the Unique Identifier for a rule.
+ - name: trigger_desc
+ type: keyword
+ description: This key captures the Description of the trigger or threshold condition.
+ - name: inout
+ type: keyword
+ - name: p_msgid
+ type: keyword
+ - name: data_type
+ type: keyword
+ - name: msgIdPart4
+ type: keyword
+ - name: error
+ type: keyword
+ description: This key captures All non successful Error codes or responses
+ - name: index
+ type: keyword
+ - name: listnum
+ type: keyword
+ description: This key is used to capture listname or listnumber, primarily for
+ collecting access-list
+ - name: ntype
+ type: keyword
+ - name: observed_val
+ type: keyword
+ description: This key captures the Value observed (from the perspective of the
+ device generating the log).
+ - name: policy_value
+ type: keyword
+ description: This key captures the contents of the policy. This contains details
+ about the policy
+ - name: pool_name
+ type: keyword
+ description: This key captures the name of a resource pool
+ - name: rule_template
+ type: keyword
+ description: A default set of parameters which are overlayed onto a rule (or
+ rulename) which efffectively constitutes a template
+ - name: count
+ type: keyword
+ - name: number
+ type: keyword
+ - name: sigcat
+ type: keyword
+ - name: type
+ type: keyword
+ - name: comments
+ type: keyword
+ description: Comment information provided in the log message
+ - name: doc_number
+ type: long
+ description: This key captures File Identification number
+ - name: expected_val
+ type: keyword
+ description: This key captures the Value expected (from the perspective of the
+ device generating the log).
+ - name: job_num
+ type: keyword
+ description: This key captures the Job Number
+ - name: spi_dst
+ type: keyword
+ description: Destination SPI Index
+ - name: spi_src
+ type: keyword
+ description: Source SPI Index
+ - name: code
+ type: keyword
+ - name: agent_id
+ type: keyword
+ description: This key is used to capture agent id
+ - name: message_body
+ type: keyword
+ description: This key captures the The contents of the message body.
+ - name: phone
+ type: keyword
+ - name: sig_id_str
+ type: keyword
+ description: This key captures a string object of the sigid variable.
+ - name: cmd
+ type: keyword
+ - name: misc
+ type: keyword
+ - name: name
+ type: keyword
+ - name: cpu
+ type: long
+ description: This key is the CPU time used in the execution of the event being
+ recorded.
+ - name: event_desc
+ type: keyword
+ description: This key is used to capture a description of an event available
+ directly or inferred
+ - name: sig_id1
+ type: long
+ description: This key captures IDS/IPS Int Signature ID. This must be linked
+ to the sig.id
+ - name: im_buddyid
+ type: keyword
+ - name: im_client
+ type: keyword
+ - name: im_userid
+ type: keyword
+ - name: pid
+ type: keyword
+ - name: priority
+ type: keyword
+ - name: context_subject
+ type: keyword
+ description: This key is to be used in an audit context where the subject is
+ the object being identified
+ - name: context_target
+ type: keyword
+ - name: cve
+ type: keyword
+ description: This key captures CVE (Common Vulnerabilities and Exposures) -
+ an identifier for known information security vulnerabilities.
+ - name: fcatnum
+ type: keyword
+ description: This key captures Filter Category Number. Legacy Usage
+ - name: library
+ type: keyword
+ description: This key is used to capture library information in mainframe devices
+ - name: parent_node
+ type: keyword
+ description: This key captures the Parent Node Name. Must be related to node
+ variable.
+ - name: risk_info
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: tcp_flags
+ type: long
+ description: This key is captures the TCP flags set in any packet of session
+ - name: tos
+ type: long
+ description: This key describes the type of service
+ - name: vm_target
+ type: keyword
+ description: VMWare Target **VMWARE** only varaible.
+ - name: workspace
+ type: keyword
+ description: This key captures Workspace Description
+ - name: command
+ type: keyword
+ - name: event_category
+ type: keyword
+ - name: facilityname
+ type: keyword
+ - name: forensic_info
+ type: keyword
+ - name: jobname
+ type: keyword
+ - name: mode
+ type: keyword
+ - name: policy
+ type: keyword
+ - name: policy_waiver
+ type: keyword
+ - name: second
+ type: keyword
+ - name: space1
+ type: keyword
+ - name: subcategory
+ type: keyword
+ - name: tbdstr2
+ type: keyword
+ - name: alert_id
+ type: keyword
+ description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: checksum_dst
+ type: keyword
+ description: This key is used to capture the checksum or hash of the the target
+ entity such as a process or file.
+ - name: checksum_src
+ type: keyword
+ description: This key is used to capture the checksum or hash of the source
+ entity such as a file or process.
+ - name: fresult
+ type: long
+ description: This key captures the Filter Result
+ - name: payload_dst
+ type: keyword
+ description: This key is used to capture destination payload
+ - name: payload_src
+ type: keyword
+ description: This key is used to capture source payload
+ - name: pool_id
+ type: keyword
+ description: This key captures the identifier (typically numeric field) of a
+ resource pool
+ - name: process_id_val
+ type: keyword
+ description: This key is a failure key for Process ID when it is not an integer
+ value
+ - name: risk_num_comm
+ type: double
+ description: This key captures Risk Number Community
+ - name: risk_num_next
+ type: double
+ description: This key captures Risk Number NextGen
+ - name: risk_num_sand
+ type: double
+ description: This key captures Risk Number SandBox
+ - name: risk_num_static
+ type: double
+ description: This key captures Risk Number Static
+ - name: risk_suspicious
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: risk_warning
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: snmp_oid
+ type: keyword
+ description: SNMP Object Identifier
+ - name: sql
+ type: keyword
+ description: This key captures the SQL query
+ - name: vuln_ref
+ type: keyword
+ description: This key captures the Vulnerability Reference details
+ - name: acl_id
+ type: keyword
+ - name: acl_op
+ type: keyword
+ - name: acl_pos
+ type: keyword
+ - name: acl_table
+ type: keyword
+ - name: admin
+ type: keyword
+ - name: alarm_id
+ type: keyword
+ - name: alarmname
+ type: keyword
+ - name: app_id
+ type: keyword
+ - name: audit
+ type: keyword
+ - name: audit_object
+ type: keyword
+ - name: auditdata
+ type: keyword
+ - name: benchmark
+ type: keyword
+ - name: bypass
+ type: keyword
+ - name: cache
+ type: keyword
+ - name: cache_hit
+ type: keyword
+ - name: cefversion
+ type: keyword
+ - name: cfg_attr
+ type: keyword
+ - name: cfg_obj
+ type: keyword
+ - name: cfg_path
+ type: keyword
+ - name: changes
+ type: keyword
+ - name: client_ip
+ type: keyword
+ - name: clustermembers
+ type: keyword
+ - name: cn_acttimeout
+ type: keyword
+ - name: cn_asn_src
+ type: keyword
+ - name: cn_bgpv4nxthop
+ type: keyword
+ - name: cn_ctr_dst_code
+ type: keyword
+ - name: cn_dst_tos
+ type: keyword
+ - name: cn_dst_vlan
+ type: keyword
+ - name: cn_engine_id
+ type: keyword
+ - name: cn_engine_type
+ type: keyword
+ - name: cn_f_switch
+ type: keyword
+ - name: cn_flowsampid
+ type: keyword
+ - name: cn_flowsampintv
+ type: keyword
+ - name: cn_flowsampmode
+ type: keyword
+ - name: cn_inacttimeout
+ type: keyword
+ - name: cn_inpermbyts
+ type: keyword
+ - name: cn_inpermpckts
+ type: keyword
+ - name: cn_invalid
+ type: keyword
+ - name: cn_ip_proto_ver
+ type: keyword
+ - name: cn_ipv4_ident
+ type: keyword
+ - name: cn_l_switch
+ type: keyword
+ - name: cn_log_did
+ type: keyword
+ - name: cn_log_rid
+ type: keyword
+ - name: cn_max_ttl
+ type: keyword
+ - name: cn_maxpcktlen
+ type: keyword
+ - name: cn_min_ttl
+ type: keyword
+ - name: cn_minpcktlen
+ type: keyword
+ - name: cn_mpls_lbl_1
+ type: keyword
+ - name: cn_mpls_lbl_10
+ type: keyword
+ - name: cn_mpls_lbl_2
+ type: keyword
+ - name: cn_mpls_lbl_3
+ type: keyword
+ - name: cn_mpls_lbl_4
+ type: keyword
+ - name: cn_mpls_lbl_5
+ type: keyword
+ - name: cn_mpls_lbl_6
+ type: keyword
+ - name: cn_mpls_lbl_7
+ type: keyword
+ - name: cn_mpls_lbl_8
+ type: keyword
+ - name: cn_mpls_lbl_9
+ type: keyword
+ - name: cn_mplstoplabel
+ type: keyword
+ - name: cn_mplstoplabip
+ type: keyword
+ - name: cn_mul_dst_byt
+ type: keyword
+ - name: cn_mul_dst_pks
+ type: keyword
+ - name: cn_muligmptype
+ type: keyword
+ - name: cn_sampalgo
+ type: keyword
+ - name: cn_sampint
+ type: keyword
+ - name: cn_seqctr
+ type: keyword
+ - name: cn_spackets
+ type: keyword
+ - name: cn_src_tos
+ type: keyword
+ - name: cn_src_vlan
+ type: keyword
+ - name: cn_sysuptime
+ type: keyword
+ - name: cn_template_id
+ type: keyword
+ - name: cn_totbytsexp
+ type: keyword
+ - name: cn_totflowexp
+ type: keyword
+ - name: cn_totpcktsexp
+ type: keyword
+ - name: cn_unixnanosecs
+ type: keyword
+ - name: cn_v6flowlabel
+ type: keyword
+ - name: cn_v6optheaders
+ type: keyword
+ - name: comp_class
+ type: keyword
+ - name: comp_name
+ type: keyword
+ - name: comp_rbytes
+ type: keyword
+ - name: comp_sbytes
+ type: keyword
+ - name: cpu_data
+ type: keyword
+ - name: criticality
+ type: keyword
+ - name: cs_agency_dst
+ type: keyword
+ - name: cs_analyzedby
+ type: keyword
+ - name: cs_av_other
+ type: keyword
+ - name: cs_av_primary
+ type: keyword
+ - name: cs_av_secondary
+ type: keyword
+ - name: cs_bgpv6nxthop
+ type: keyword
+ - name: cs_bit9status
+ type: keyword
+ - name: cs_context
+ type: keyword
+ - name: cs_control
+ type: keyword
+ - name: cs_data
+ type: keyword
+ - name: cs_datecret
+ type: keyword
+ - name: cs_dst_tld
+ type: keyword
+ - name: cs_eth_dst_ven
+ type: keyword
+ - name: cs_eth_src_ven
+ type: keyword
+ - name: cs_event_uuid
+ type: keyword
+ - name: cs_filetype
+ type: keyword
+ - name: cs_fld
+ type: keyword
+ - name: cs_if_desc
+ type: keyword
+ - name: cs_if_name
+ type: keyword
+ - name: cs_ip_next_hop
+ type: keyword
+ - name: cs_ipv4dstpre
+ type: keyword
+ - name: cs_ipv4srcpre
+ type: keyword
+ - name: cs_lifetime
+ type: keyword
+ - name: cs_log_medium
+ type: keyword
+ - name: cs_loginname
+ type: keyword
+ - name: cs_modulescore
+ type: keyword
+ - name: cs_modulesign
+ type: keyword
+ - name: cs_opswatresult
+ type: keyword
+ - name: cs_payload
+ type: keyword
+ - name: cs_registrant
+ type: keyword
+ - name: cs_registrar
+ type: keyword
+ - name: cs_represult
+ type: keyword
+ - name: cs_rpayload
+ type: keyword
+ - name: cs_sampler_name
+ type: keyword
+ - name: cs_sourcemodule
+ type: keyword
+ - name: cs_streams
+ type: keyword
+ - name: cs_targetmodule
+ type: keyword
+ - name: cs_v6nxthop
+ type: keyword
+ - name: cs_whois_server
+ type: keyword
+ - name: cs_yararesult
+ type: keyword
+ - name: description
+ type: keyword
+ - name: devvendor
+ type: keyword
+ - name: distance
+ type: keyword
+ - name: dstburb
+ type: keyword
+ - name: edomain
+ type: keyword
+ - name: edomaub
+ type: keyword
+ - name: euid
+ type: keyword
+ - name: facility
+ type: keyword
+ - name: finterface
+ type: keyword
+ - name: flags
+ type: keyword
+ - name: gaddr
+ type: keyword
+ - name: id3
+ type: keyword
+ - name: im_buddyname
+ type: keyword
+ - name: im_croomid
+ type: keyword
+ - name: im_croomtype
+ type: keyword
+ - name: im_members
+ type: keyword
+ - name: im_username
+ type: keyword
+ - name: ipkt
+ type: keyword
+ - name: ipscat
+ type: keyword
+ - name: ipspri
+ type: keyword
+ - name: latitude
+ type: keyword
+ - name: linenum
+ type: keyword
+ - name: list_name
+ type: keyword
+ - name: load_data
+ type: keyword
+ - name: location_floor
+ type: keyword
+ - name: location_mark
+ type: keyword
+ - name: log_id
+ type: keyword
+ - name: log_type
+ type: keyword
+ - name: logid
+ type: keyword
+ - name: logip
+ type: keyword
+ - name: logname
+ type: keyword
+ - name: longitude
+ type: keyword
+ - name: lport
+ type: keyword
+ - name: mbug_data
+ type: keyword
+ - name: misc_name
+ type: keyword
+ - name: msg_type
+ type: keyword
+ - name: msgid
+ type: keyword
+ - name: netsessid
+ type: keyword
+ - name: num
+ type: keyword
+ - name: number1
+ type: keyword
+ - name: number2
+ type: keyword
+ - name: nwwn
+ type: keyword
+ - name: object
+ type: keyword
+ - name: operation
+ type: keyword
+ - name: opkt
+ type: keyword
+ - name: orig_from
+ type: keyword
+ - name: owner_id
+ type: keyword
+ - name: p_action
+ type: keyword
+ - name: p_filter
+ type: keyword
+ - name: p_group_object
+ type: keyword
+ - name: p_id
+ type: keyword
+ - name: p_msgid1
+ type: keyword
+ - name: p_msgid2
+ type: keyword
+ - name: p_result1
+ type: keyword
+ - name: password_chg
+ type: keyword
+ - name: password_expire
+ type: keyword
+ - name: permgranted
+ type: keyword
+ - name: permwanted
+ type: keyword
+ - name: pgid
+ type: keyword
+ - name: policyUUID
+ type: keyword
+ - name: prog_asp_num
+ type: keyword
+ - name: program
+ type: keyword
+ - name: real_data
+ type: keyword
+ - name: rec_asp_device
+ type: keyword
+ - name: rec_asp_num
+ type: keyword
+ - name: rec_library
+ type: keyword
+ - name: recordnum
+ type: keyword
+ - name: ruid
+ type: keyword
+ - name: sburb
+ type: keyword
+ - name: sdomain_fld
+ type: keyword
+ - name: sec
+ type: keyword
+ - name: sensorname
+ type: keyword
+ - name: seqnum
+ type: keyword
+ - name: session
+ type: keyword
+ - name: sessiontype
+ type: keyword
+ - name: sigUUID
+ type: keyword
+ - name: spi
+ type: keyword
+ - name: srcburb
+ type: keyword
+ - name: srcdom
+ type: keyword
+ - name: srcservice
+ type: keyword
+ - name: state
+ type: keyword
+ - name: status1
+ type: keyword
+ - name: svcno
+ type: keyword
+ - name: system
+ type: keyword
+ - name: tbdstr1
+ type: keyword
+ - name: tgtdom
+ type: keyword
+ - name: tgtdomain
+ type: keyword
+ - name: threshold
+ type: keyword
+ - name: type1
+ type: keyword
+ - name: udb_class
+ type: keyword
+ - name: url_fld
+ type: keyword
+ - name: user_div
+ type: keyword
+ - name: userid
+ type: keyword
+ - name: username_fld
+ type: keyword
+ - name: utcstamp
+ type: keyword
+ - name: v_instafname
+ type: keyword
+ - name: virt_data
+ type: keyword
+ - name: vpnid
+ type: keyword
+ - name: autorun_type
+ type: keyword
+ description: This is used to capture Auto Run type
+ - name: cc_number
+ type: long
+ description: Valid Credit Card Numbers only
+ - name: content
+ type: keyword
+ description: This key captures the content type from protocol headers
+ - name: ein_number
+ type: long
+ description: Employee Identification Numbers only
+ - name: found
+ type: keyword
+ description: This is used to capture the results of regex match
+ - name: language
+ type: keyword
+ description: This is used to capture list of languages the client support and
+ what it prefers
+ - name: lifetime
+ type: long
+ description: This key is used to capture the session lifetime in seconds.
+ - name: link
+ type: keyword
+ description: This key is used to link the sessions together. This key should
+ never be used to parse Meta data from a session (Logs/Packets) Directly, this
+ is a Reserved key in NetWitness
+ - name: match
+ type: keyword
+ description: This key is for regex match name from search.ini
+ - name: param_dst
+ type: keyword
+ description: This key captures the command line/launch argument of the target
+ process or file
+ - name: param_src
+ type: keyword
+ description: This key captures source parameter
+ - name: search_text
+ type: keyword
+ description: This key captures the Search Text used
+ - name: sig_name
+ type: keyword
+ description: This key is used to capture the Signature Name only.
+ - name: snmp_value
+ type: keyword
+ description: SNMP set request value
+ - name: streams
+ type: long
+ description: This key captures number of streams in session
+ - name: db
+ type: group
+ fields:
+ - name: index
+ type: keyword
+ description: This key captures IndexID of the index.
+ - name: instance
+ type: keyword
+ description: This key is used to capture the database server instance name
+ - name: database
+ type: keyword
+ description: This key is used to capture the name of a database or an instance
+ as seen in a session
+ - name: transact_id
+ type: keyword
+ description: This key captures the SQL transantion ID of the current session
+ - name: permissions
+ type: keyword
+ description: This key captures permission or privilege level assigned to a resource.
+ - name: table_name
+ type: keyword
+ description: This key is used to capture the table name
+ - name: db_id
+ type: keyword
+ description: This key is used to capture the unique identifier for a database
+ - name: db_pid
+ type: long
+ description: This key captures the process id of a connection with database
+ server
+ - name: lread
+ type: long
+ description: This key is used for the number of logical reads
+ - name: lwrite
+ type: long
+ description: This key is used for the number of logical writes
+ - name: pread
+ type: long
+ description: This key is used for the number of physical writes
+ - name: network
+ type: group
+ fields:
+ - name: alias_host
+ type: keyword
+ description: This key should be used when the source or destination context
+ of a hostname is not clear.Also it captures the Device Hostname. Any Hostname
+ that isnt ad.computer.
+ - name: domain
+ type: keyword
+ - name: host_dst
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Hostname"
+ - name: network_service
+ type: keyword
+ description: This is used to capture layer 7 protocols/service names
+ - name: interface
+ type: keyword
+ description: This key should be used when the source or destination context
+ of an interface is not clear
+ - name: network_port
+ type: long
+ description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
+ used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
+ - name: eth_host
+ type: keyword
+ description: Deprecated, use alias.mac
+ - name: sinterface
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Interface"
+ - name: dinterface
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Interface"
+ - name: vlan
+ type: long
+ description: This key should only be used to capture the ID of the Virtual LAN
+ - name: zone_src
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Zone."
+ - name: zone
+ type: keyword
+ description: This key should be used when the source or destination context
+ of a Zone is not clear
+ - name: zone_dst
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Zone."
+ - name: gateway
+ type: keyword
+ description: This key is used to capture the IP Address of the gateway
+ - name: icmp_type
+ type: long
+ description: This key is used to capture the ICMP type only
+ - name: mask
+ type: keyword
+ description: This key is used to capture the device network IPmask.
+ - name: icmp_code
+ type: long
+ description: This key is used to capture the ICMP code only
+ - name: protocol_detail
+ type: keyword
+ description: This key should be used to capture additional protocol information
+ - name: dmask
+ type: keyword
+ description: This key is used for Destionation Device network mask
+ - name: port
+ type: long
+ description: This key should only be used to capture a Network Port when the
+ directionality is not clear
+ - name: smask
+ type: keyword
+ description: This key is used for capturing source Network Mask
+ - name: netname
+ type: keyword
+ description: This key is used to capture the network name associated with an
+ IP range. This is configured by the end user.
+ - name: paddr
+ type: ip
+ description: Deprecated
+ - name: faddr
+ type: keyword
+ - name: lhost
+ type: keyword
+ - name: origin
+ type: keyword
+ - name: remote_domain_id
+ type: keyword
+ - name: addr
+ type: keyword
+ - name: dns_a_record
+ type: keyword
+ - name: dns_ptr_record
+ type: keyword
+ - name: fhost
+ type: keyword
+ - name: fport
+ type: keyword
+ - name: laddr
+ type: keyword
+ - name: linterface
+ type: keyword
+ - name: phost
+ type: keyword
+ - name: ad_computer_dst
+ type: keyword
+ description: Deprecated, use host.dst
+ - name: eth_type
+ type: long
+ description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
+ Only
+ - name: ip_proto
+ type: long
+ description: This key should be used to capture the Protocol number, all the
+ protocol nubers are converted into string in UI
+ - name: dns_cname_record
+ type: keyword
+ - name: dns_id
+ type: keyword
+ - name: dns_opcode
+ type: keyword
+ - name: dns_resp
+ type: keyword
+ - name: dns_type
+ type: keyword
+ - name: domain1
+ type: keyword
+ - name: host_type
+ type: keyword
+ - name: packet_length
+ type: keyword
+ - name: host_orig
+ type: keyword
+ description: This is used to capture the original hostname in case of a Forwarding
+ Agent or a Proxy in between.
+ - name: rpayload
+ type: keyword
+ description: This key is used to capture the total number of payload bytes seen
+ in the retransmitted packets.
+ - name: vlan_name
+ type: keyword
+ description: This key should only be used to capture the name of the Virtual
+ LAN
+ - name: investigations
+ type: group
+ fields:
+ - name: ec_activity
+ type: keyword
+ description: This key captures the particular event activity(Ex:Logoff)
+ - name: ec_theme
+ type: keyword
+ description: This key captures the Theme of a particular Event(Ex:Authentication)
+ - name: ec_subject
+ type: keyword
+ description: This key captures the Subject of a particular Event(Ex:User)
+ - name: ec_outcome
+ type: keyword
+ description: This key captures the outcome of a particular Event(Ex:Success)
+ - name: event_cat
+ type: long
+ description: This key captures the Event category number
+ - name: event_cat_name
+ type: keyword
+ description: This key captures the event category name corresponding to the
+ event cat code
+ - name: event_vcat
+ type: keyword
+ description: This is a vendor supplied category. This should be used in situations
+ where the vendor has adopted their own event_category taxonomy.
+ - name: analysis_file
+ type: keyword
+ description: This is used to capture all indicators used in a File Analysis.
+ This key should be used to capture an analysis of a file
+ - name: analysis_service
+ type: keyword
+ description: This is used to capture all indicators used in a Service Analysis.
+ This key should be used to capture an analysis of a service
+ - name: analysis_session
+ type: keyword
+ description: This is used to capture all indicators used for a Session Analysis.
+ This key should be used to capture an analysis of a session
+ - name: boc
+ type: keyword
+ description: This is used to capture behaviour of compromise
+ - name: eoc
+ type: keyword
+ description: This is used to capture Enablers of Compromise
+ - name: inv_category
+ type: keyword
+ description: This used to capture investigation category
+ - name: inv_context
+ type: keyword
+ description: This used to capture investigation context
+ - name: ioc
+ type: keyword
+ description: This is key capture indicator of compromise
+ - name: counters
+ type: group
+ fields:
+ - name: dclass_c1
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c1.str only
+ - name: dclass_c2
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c2.str only
+ - name: event_counter
+ type: long
+ description: This is used to capture the number of times an event repeated
+ - name: dclass_r1
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r1.str only
+ - name: dclass_c3
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c3.str only
+ - name: dclass_c1_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c1 only
+ - name: dclass_c2_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c2 only
+ - name: dclass_r1_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r1 only
+ - name: dclass_r2
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r2.str only
+ - name: dclass_c3_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c3 only
+ - name: dclass_r3
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r3.str only
+ - name: dclass_r2_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r2 only
+ - name: dclass_r3_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r3 only
+ - name: identity
+ type: group
+ fields:
+ - name: auth_method
+ type: keyword
+ description: This key is used to capture authentication methods used only
+ - name: user_role
+ type: keyword
+ description: This key is used to capture the Role of a user only
+ - name: dn
+ type: keyword
+ description: X.500 (LDAP) Distinguished Name
+ - name: logon_type
+ type: keyword
+ description: This key is used to capture the type of logon method used.
+ - name: profile
+ type: keyword
+ description: This key is used to capture the user profile
+ - name: accesses
+ type: keyword
+ description: This key is used to capture actual privileges used in accessing
+ an object
+ - name: realm
+ type: keyword
+ description: Radius realm or similar grouping of accounts
+ - name: user_sid_dst
+ type: keyword
+ description: This key captures Destination User Session ID
+ - name: dn_src
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that is used in a context that
+ indicates a Source dn
+ - name: org
+ type: keyword
+ description: This key captures the User organization
+ - name: dn_dst
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that used in a context that
+ indicates a Destination dn
+ - name: firstname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: lastname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: user_dept
+ type: keyword
+ description: User's Department Names only
+ - name: user_sid_src
+ type: keyword
+ description: This key captures Source User Session ID
+ - name: federated_sp
+ type: keyword
+ description: This key is the Federated Service Provider. This is the application
+ requesting authentication.
+ - name: federated_idp
+ type: keyword
+ description: This key is the federated Identity Provider. This is the server
+ providing the authentication.
+ - name: logon_type_desc
+ type: keyword
+ description: This key is used to capture the textual description of an integer
+ logon type as stored in the meta key 'logon.type'.
+ - name: middlename
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: password
+ type: keyword
+ description: This key is for Passwords seen in any session, plain text or encrypted
+ - name: host_role
+ type: keyword
+ description: This key should only be used to capture the role of a Host Machine
+ - name: ldap
+ type: keyword
+ description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
+ t have a clear query or response context"
+ - name: ldap_query
+ type: keyword
+ description: This key is the Search criteria from an LDAP search
+ - name: ldap_response
+ type: keyword
+ description: This key is to capture Results from an LDAP search
+ - name: owner
+ type: keyword
+ description: This is used to capture username the process or service is running
+ as, the author of the task
+ - name: service_account
+ type: keyword
+ description: This key is a windows specific key, used for capturing name of
+ the account a service (referenced in the event) is running under. Legacy Usage
+ - name: email
+ type: group
+ fields:
+ - name: email_dst
+ type: keyword
+ description: This key is used to capture the Destination email address only,
+ when the destination context is not clear use email
+ - name: email_src
+ type: keyword
+ description: This key is used to capture the source email address only, when
+ the source context is not clear use email
+ - name: subject
+ type: keyword
+ description: This key is used to capture the subject string from an Email only.
+ - name: email
+ type: keyword
+ description: This key is used to capture a generic email address where the source
+ or destination context is not clear
+ - name: trans_from
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: trans_to
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: file
+ type: group
+ fields:
+ - name: privilege
+ type: keyword
+ description: Deprecated, use permissions
+ - name: attachment
+ type: keyword
+ description: This key captures the attachment file name
+ - name: filesystem
+ type: keyword
+ - name: binary
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: filename_dst
+ type: keyword
+ description: This is used to capture name of the file targeted by the action
+ - name: filename_src
+ type: keyword
+ description: This is used to capture name of the parent filename, the file which
+ performed the action
+ - name: filename_tmp
+ type: keyword
+ - name: directory_dst
+ type: keyword
+ description: This key is used to capture the directory of the target process
+ or file
+ - name: directory_src
+ type: keyword
+ description: This key is used to capture the directory of the source process
+ or file
+ - name: file_entropy
+ type: double
+ description: This is used to capture entropy vale of a file
+ - name: file_vendor
+ type: keyword
+ description: This is used to capture Company name of file located in version_info
+ - name: task_name
+ type: keyword
+ description: This is used to capture name of the task
+ - name: web
+ type: group
+ fields:
+ - name: fqdn
+ type: keyword
+ description: Fully Qualified Domain Names
+ - name: web_cookie
+ type: keyword
+ description: This key is used to capture the Web cookies specifically.
+ - name: alias_host
+ type: keyword
+ - name: reputation_num
+ type: double
+ description: Reputation Number of an entity. Typically used for Web Domains
+ - name: web_ref_domain
+ type: keyword
+ description: Web referer's domain
+ - name: web_ref_query
+ type: keyword
+ description: This key captures Web referer's query portion of the URL
+ - name: remote_domain
+ type: keyword
+ - name: web_ref_page
+ type: keyword
+ description: This key captures Web referer's page information
+ - name: web_ref_root
+ type: keyword
+ description: Web referer's root URL path
+ - name: cn_asn_dst
+ type: keyword
+ - name: cn_rpackets
+ type: keyword
+ - name: urlpage
+ type: keyword
+ - name: urlroot
+ type: keyword
+ - name: p_url
+ type: keyword
+ - name: p_user_agent
+ type: keyword
+ - name: p_web_cookie
+ type: keyword
+ - name: p_web_method
+ type: keyword
+ - name: p_web_referer
+ type: keyword
+ - name: web_extension_tmp
+ type: keyword
+ - name: web_page
+ type: keyword
+ - name: threat
+ type: group
+ fields:
+ - name: threat_category
+ type: keyword
+ description: This key captures Threat Name/Threat Category/Categorization of
+ alert
+ - name: threat_desc
+ type: keyword
+ description: This key is used to capture the threat description from the session
+ directly or inferred
+ - name: alert
+ type: keyword
+ description: This key is used to capture name of the alert
+ - name: threat_source
+ type: keyword
+ description: This key is used to capture source of the threat
+ - name: crypto
+ type: group
+ fields:
+ - name: crypto
+ type: keyword
+ description: This key is used to capture the Encryption Type or Encryption Key
+ only
+ - name: cipher_src
+ type: keyword
+ description: This key is for Source (Client) Cipher
+ - name: cert_subject
+ type: keyword
+ description: This key is used to capture the Certificate organization only
+ - name: peer
+ type: keyword
+ description: This key is for Encryption peer's IP Address
+ - name: cipher_size_src
+ type: long
+ description: This key captures Source (Client) Cipher Size
+ - name: ike
+ type: keyword
+ description: IKE negotiation phase.
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/packages/juniper/0.1.0/dataset/junos/manifest.yml b/packages/juniper/0.1.0/dataset/junos/manifest.yml new file mode 100644 index 0000000000..85a336fcc9 --- /dev/null +++ b/packages/juniper/0.1.0/dataset/junos/manifest.yml 
@@ -0,0 +1,155 @@
+title: Juniper JUNOS logs
+release: experimental
+type: logs
+streams:
+- input: udp
+ title: Juniper JUNOS logs
+ description: Collect Juniper JUNOS logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - juniper-junos
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9512
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: tcp
+ title: Juniper JUNOS logs
+ description: Collect Juniper JUNOS logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - juniper-junos
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9512
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: file
+ title: Juniper JUNOS logs
+ description: Collect Juniper JUNOS logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/juniper-junos.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - juniper-junos
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
diff --git a/packages/juniper/0.1.0/docs/README.md b/packages/juniper/0.1.0/docs/README.md
new file mode 100644
index 0000000000..86d644b3f5
--- /dev/null
+++ b/packages/juniper/0.1.0/docs/README.md
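Review bot: The `udp` and `tcp` streams expose only a listen host and port, so syslog forwarded to this dataset arrives unauthenticated and in cleartext with nothing in the policy to turn on transport encryption; unless `tcp.yml.hbs` (not in this hunk) hard-wires it, an optional `ssl` variable on the TCP stream would let operators use the encryption the tcp input supports. Separately, `rsa_fields` defaults to `true` in all three streams, and the README added later in this commit lists `rsa.identity.password` ("Passwords seen in any session, plain text or encrypted") among the exported fields, so the default will index any credential the parser manages to extract. A `description` on that var, e.g. `description: Also export non-ECS rsa.* fields, which can include credentials extracted from the message`, would make that trade-off visible where the option is enabled. Whether the JUNOS parser actually populates that field is not visible from this hunk.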
@@ -0,0 +1,780 @@ +# Juniper integration + +This integration is for Juniper device's logs. It includes the following +datasets for receiving logs over syslog or read from a file: +- `junos` dataset: supports Juniper JUNOS logs. + +### Junos + +The `junos` dataset collects Juniper JUNOS logs. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| dataset.name | Dataset name. | constant_keyword | +| dataset.namespace | Dataset namespace. | constant_keyword | +| dataset.type | Dataset type. | constant_keyword | +| datastream.dataset | Datastream dataset. | constant_keyword | +| datastream.namespace | Datastream namespace. | constant_keyword | +| datastream.type | Datastream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | Destination domain. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location.lat | | double | +| destination.geo.location.lon | | double | +| destination.ip | IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses. | ip | +| destination.mac | MAC address of the destination. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. 
| keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| http.request.method | HTTP request method. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.body.content | The full HTTP response body. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. 
| keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | +| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.pid | Process id. | long | +| process.ppid | Parent process' pid. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. 
| keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is 
used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| rsa.crypto.ike | IKE negotiation phase. 
| keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | +| rsa.file.directory_dst | This key is used to capture the directory of the target process or file | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_type_id | Deprecated key defined only in table map. | long |
+| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long |
+| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long |
+| rsa.internal.entry | Deprecated key defined only in table map. | keyword |
+| rsa.internal.event_desc | | keyword |
+| rsa.internal.event_name | Deprecated key defined only in table map. | keyword |
+| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip |
+| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.hcode | Deprecated key defined only in table map. | keyword |
+| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.inode | Deprecated key defined only in table map. | long |
+| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date |
+| rsa.internal.level | Deprecated key defined only in table map. | long |
+| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long |
+| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long |
+| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long |
+| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long |
+| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long |
+| rsa.internal.message | This key captures the contents of instant messages | keyword |
+| rsa.internal.messageid | | keyword |
+| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword |
+| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.node_name | Deprecated key defined only in table map. | keyword |
+| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword |
+| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword |
+| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword |
+| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword |
+| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long |
+| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long |
+| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword |
+| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword |
+| rsa.internal.resource | Deprecated key defined only in table map. | keyword |
+| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword |
+| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
+| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.site | Deprecated key defined only in table map. | keyword |
+| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
+| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.statement | Deprecated key defined only in table map. | keyword |
+| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date |
+| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long |
+| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long |
+| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword |
+| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword |
+| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword |
+| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword |
+| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword |
+| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword |
+| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword |
+| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword |
+| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword |
+| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword |
+| rsa.investigations.event_cat | This key captures the Event category number | long |
+| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword |
+| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. | keyword |
+| rsa.investigations.inv_category | This used to capture investigation category | keyword |
+| rsa.investigations.inv_context | This used to capture investigation context | keyword |
+| rsa.investigations.ioc | This is key capture indicator of compromise | keyword |
+| rsa.misc.OS | This key captures the Name of the Operating System | keyword |
+| rsa.misc.acl_id | | keyword |
+| rsa.misc.acl_op | | keyword |
+| rsa.misc.acl_pos | | keyword |
+| rsa.misc.acl_table | | keyword |
+| rsa.misc.action | | keyword |
+| rsa.misc.admin | | keyword |
+| rsa.misc.agent_id | This key is used to capture agent id | keyword |
+| rsa.misc.alarm_id | | keyword |
+| rsa.misc.alarmname | | keyword |
+| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword |
+| rsa.misc.app_id | | keyword |
+| rsa.misc.audit | | keyword |
+| rsa.misc.audit_object | | keyword |
+| rsa.misc.auditdata | | keyword |
+| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword |
+| rsa.misc.benchmark | | keyword |
+| rsa.misc.bypass | | keyword |
+| rsa.misc.cache | | keyword |
+| rsa.misc.cache_hit | | keyword |
+| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword |
+| rsa.misc.cc_number | Valid Credit Card Numbers only | long |
+| rsa.misc.cefversion | | keyword |
+| rsa.misc.cfg_attr | | keyword |
+| rsa.misc.cfg_obj | | keyword |
+| rsa.misc.cfg_path | | keyword |
+| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword |
+| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword |
+| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword |
+| rsa.misc.changes | | keyword |
+| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword |
+| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword |
+| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword |
+| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword |
+| rsa.misc.client_ip | | keyword |
+| rsa.misc.clustermembers | | keyword |
+| rsa.misc.cmd | | keyword |
+| rsa.misc.cn_acttimeout | | keyword |
+| rsa.misc.cn_asn_src | | keyword |
+| rsa.misc.cn_bgpv4nxthop | | keyword |
+| rsa.misc.cn_ctr_dst_code | | keyword |
+| rsa.misc.cn_dst_tos | | keyword |
+| rsa.misc.cn_dst_vlan | | keyword |
+| rsa.misc.cn_engine_id | | keyword |
+| rsa.misc.cn_engine_type | | keyword |
+| rsa.misc.cn_f_switch | | keyword |
+| rsa.misc.cn_flowsampid | | keyword |
+| rsa.misc.cn_flowsampintv | | keyword |
+| rsa.misc.cn_flowsampmode | | keyword |
+| rsa.misc.cn_inacttimeout | | keyword |
+| rsa.misc.cn_inpermbyts | | keyword |
+| rsa.misc.cn_inpermpckts | | keyword |
+| rsa.misc.cn_invalid | | keyword |
+| rsa.misc.cn_ip_proto_ver | | keyword |
+| rsa.misc.cn_ipv4_ident | | keyword |
+| rsa.misc.cn_l_switch | | keyword |
+| rsa.misc.cn_log_did | | keyword |
+| rsa.misc.cn_log_rid | | keyword |
+| rsa.misc.cn_max_ttl | | keyword |
+| rsa.misc.cn_maxpcktlen | | keyword |
+| rsa.misc.cn_min_ttl | | keyword |
+| rsa.misc.cn_minpcktlen | | keyword |
+| rsa.misc.cn_mpls_lbl_1 | | keyword |
+| rsa.misc.cn_mpls_lbl_10 | | keyword |
+| rsa.misc.cn_mpls_lbl_2 | | keyword |
+| rsa.misc.cn_mpls_lbl_3 | | keyword |
+| rsa.misc.cn_mpls_lbl_4 | | keyword |
+| rsa.misc.cn_mpls_lbl_5 | | keyword |
+| rsa.misc.cn_mpls_lbl_6 | | keyword |
+| rsa.misc.cn_mpls_lbl_7 | | keyword |
+| rsa.misc.cn_mpls_lbl_8 | | keyword |
+| rsa.misc.cn_mpls_lbl_9 | | keyword |
+| rsa.misc.cn_mplstoplabel | | keyword |
+| rsa.misc.cn_mplstoplabip | | keyword |
+| rsa.misc.cn_mul_dst_byt | | keyword |
+| rsa.misc.cn_mul_dst_pks | | keyword |
+| rsa.misc.cn_muligmptype | | keyword |
+| rsa.misc.cn_sampalgo | | keyword |
+| rsa.misc.cn_sampint | | keyword |
+| rsa.misc.cn_seqctr | | keyword |
+| rsa.misc.cn_spackets | | keyword |
+| rsa.misc.cn_src_tos | | keyword |
+| rsa.misc.cn_src_vlan | | keyword |
+| rsa.misc.cn_sysuptime | | keyword |
+| rsa.misc.cn_template_id | | keyword |
+| rsa.misc.cn_totbytsexp | | keyword |
+| rsa.misc.cn_totflowexp | | keyword |
+| rsa.misc.cn_totpcktsexp | | keyword |
+| rsa.misc.cn_unixnanosecs | | keyword |
+| rsa.misc.cn_v6flowlabel | | keyword |
+| rsa.misc.cn_v6optheaders | | keyword |
+| rsa.misc.code | | keyword |
+| rsa.misc.command | | keyword |
+| rsa.misc.comments | Comment information provided in the log message | keyword |
+| rsa.misc.comp_class | | keyword |
+| rsa.misc.comp_name | | keyword |
+| rsa.misc.comp_rbytes | | keyword |
+| rsa.misc.comp_sbytes | | keyword |
+| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword |
+| rsa.misc.connection_id | This key captures the Connection ID | keyword |
+| rsa.misc.content | This key captures the content type from protocol headers | keyword |
+| rsa.misc.content_type | This key is used to capture Content Type only. | keyword |
+| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword |
+| rsa.misc.context | This key captures Information which adds additional context to the event. | keyword |
+| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword |
+| rsa.misc.context_target | | keyword |
+| rsa.misc.count | | keyword |
+| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long |
+| rsa.misc.cpu_data | | keyword |
+| rsa.misc.criticality | | keyword |
+| rsa.misc.cs_agency_dst | | keyword |
+| rsa.misc.cs_analyzedby | | keyword |
+| rsa.misc.cs_av_other | | keyword |
+| rsa.misc.cs_av_primary | | keyword |
+| rsa.misc.cs_av_secondary | | keyword |
+| rsa.misc.cs_bgpv6nxthop | | keyword |
+| rsa.misc.cs_bit9status | | keyword |
+| rsa.misc.cs_context | | keyword |
+| rsa.misc.cs_control | | keyword |
+| rsa.misc.cs_data | | keyword |
+| rsa.misc.cs_datecret | | keyword |
+| rsa.misc.cs_dst_tld | | keyword |
+| rsa.misc.cs_eth_dst_ven | | keyword |
+| rsa.misc.cs_eth_src_ven | | keyword |
+| rsa.misc.cs_event_uuid | | keyword |
+| rsa.misc.cs_filetype | | keyword |
+| rsa.misc.cs_fld | | keyword |
+| rsa.misc.cs_if_desc | | keyword |
+| rsa.misc.cs_if_name | | keyword |
+| rsa.misc.cs_ip_next_hop | | keyword |
+| rsa.misc.cs_ipv4dstpre | | keyword |
+| rsa.misc.cs_ipv4srcpre | | keyword |
+| rsa.misc.cs_lifetime | | keyword |
+| rsa.misc.cs_log_medium | | keyword |
+| rsa.misc.cs_loginname | | keyword |
+| rsa.misc.cs_modulescore | | keyword |
+| rsa.misc.cs_modulesign | | keyword |
+| rsa.misc.cs_opswatresult | | keyword |
+| rsa.misc.cs_payload | | keyword |
+| rsa.misc.cs_registrant | | keyword |
+| rsa.misc.cs_registrar | | keyword |
+| rsa.misc.cs_represult | | keyword |
+| rsa.misc.cs_rpayload | | keyword |
+| rsa.misc.cs_sampler_name | | keyword |
+| rsa.misc.cs_sourcemodule | | keyword |
+| rsa.misc.cs_streams | | keyword |
+| rsa.misc.cs_targetmodule | | keyword |
+| rsa.misc.cs_v6nxthop | | keyword |
+| rsa.misc.cs_whois_server | | keyword |
+| rsa.misc.cs_yararesult | | keyword |
+| rsa.misc.cve | This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword |
+| rsa.misc.data_type | | keyword |
+| rsa.misc.description | | keyword |
+| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword |
+| rsa.misc.devvendor | | keyword |
+| rsa.misc.disposition | This key captures the The end state of an action. | keyword |
+| rsa.misc.distance | | keyword |
+| rsa.misc.doc_number | This key captures File Identification number | long |
+| rsa.misc.dstburb | | keyword |
+| rsa.misc.edomain | | keyword |
+| rsa.misc.edomaub | | keyword |
+| rsa.misc.ein_number | Employee Identification Numbers only | long |
+| rsa.misc.error | This key captures All non successful Error codes or responses | keyword |
+| rsa.misc.euid | | keyword |
+| rsa.misc.event_category | | keyword |
+| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword |
+| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword |
+| rsa.misc.event_id | | keyword |
+| rsa.misc.event_log | This key captures the Name of the event log | keyword |
+| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword |
+| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword |
+| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword |
+| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword |
+| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). | keyword |
+| rsa.misc.facility | | keyword |
+| rsa.misc.facilityname | | keyword |
+| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword |
+| rsa.misc.filter | This key captures Filter used to reduce result set | keyword |
+| rsa.misc.finterface | | keyword |
+| rsa.misc.flags | | keyword |
+| rsa.misc.forensic_info | | keyword |
+| rsa.misc.found | This is used to capture the results of regex match | keyword |
+| rsa.misc.fresult | This key captures the Filter Result | long |
+| rsa.misc.gaddr | | keyword |
+| rsa.misc.group | This key captures the Group Name value | keyword |
+| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword |
+| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword |
+| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword |
+| rsa.misc.id3 | | keyword |
+| rsa.misc.im_buddyid | | keyword |
+| rsa.misc.im_buddyname | | keyword |
+| rsa.misc.im_client | | keyword |
+| rsa.misc.im_croomid | | keyword |
+| rsa.misc.im_croomtype | | keyword |
+| rsa.misc.im_members | | keyword |
+| rsa.misc.im_userid | | keyword |
+| rsa.misc.im_username | | keyword |
+| rsa.misc.index | | keyword |
+| rsa.misc.inout | | keyword |
+| rsa.misc.ipkt | | keyword |
+| rsa.misc.ipscat | | keyword |
+| rsa.misc.ipspri | | keyword |
+| rsa.misc.job_num | This key captures the Job Number | keyword |
+| rsa.misc.jobname | | keyword |
+| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword |
+| rsa.misc.latitude | | keyword |
+| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword |
+| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long |
+| rsa.misc.linenum | | keyword |
+| rsa.misc.link | This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.misc.list_name | | keyword |
+| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword |
+| rsa.misc.load_data | | keyword |
+| rsa.misc.location_floor | | keyword |
+| rsa.misc.location_mark | | keyword |
+| rsa.misc.log_id | | keyword |
+| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword |
+| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword |
+| rsa.misc.log_type | | keyword |
+| rsa.misc.logid | | keyword |
+| rsa.misc.logip | | keyword |
+| rsa.misc.logname | | keyword |
+| rsa.misc.longitude | | keyword |
+| rsa.misc.lport | | keyword |
+| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword |
+| rsa.misc.match | This key is for regex match name from search.ini | keyword |
+| rsa.misc.mbug_data | | keyword |
+| rsa.misc.message_body | This key captures the The contents of the message body. | keyword |
+| rsa.misc.misc | | keyword |
+| rsa.misc.misc_name | | keyword |
+| rsa.misc.mode | | keyword |
+| rsa.misc.msgIdPart1 | | keyword |
+| rsa.misc.msgIdPart2 | | keyword |
+| rsa.misc.msgIdPart3 | | keyword |
+| rsa.misc.msgIdPart4 | | keyword |
+| rsa.misc.msg_type | | keyword |
+| rsa.misc.msgid | | keyword |
+| rsa.misc.name | | keyword |
+| rsa.misc.netsessid | | keyword |
+| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. | keyword |
+| rsa.misc.ntype | | keyword |
+| rsa.misc.num | | keyword |
+| rsa.misc.number | | keyword |
+| rsa.misc.number1 | | keyword |
+| rsa.misc.number2 | | keyword |
+| rsa.misc.nwwn | | keyword |
+| rsa.misc.obj_name | This is used to capture name of object | keyword |
+| rsa.misc.obj_type | This is used to capture type of object | keyword |
+| rsa.misc.object | | keyword |
+| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword |
+| rsa.misc.operation | | keyword |
+| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword |
+| rsa.misc.opkt | | keyword |
+| rsa.misc.orig_from | | keyword |
+| rsa.misc.owner_id | | keyword |
+| rsa.misc.p_action | | keyword |
+| rsa.misc.p_filter | | keyword |
+| rsa.misc.p_group_object | | keyword |
+| rsa.misc.p_id | | keyword |
+| rsa.misc.p_msgid | | keyword |
+| rsa.misc.p_msgid1 | | keyword |
+| rsa.misc.p_msgid2 | | keyword |
+| rsa.misc.p_result1 | | keyword |
+| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword |
+| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword |
+| rsa.misc.param_src | This key captures source parameter | keyword |
+| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. | keyword |
+| rsa.misc.password_chg | | keyword |
+| rsa.misc.password_expire | | keyword |
+| rsa.misc.payload_dst | This key is used to capture destination payload | keyword |
+| rsa.misc.payload_src | This key is used to capture source payload | keyword |
+| rsa.misc.permgranted | | keyword |
+| rsa.misc.permwanted | | keyword |
+| rsa.misc.pgid | | keyword |
+| rsa.misc.phone | | keyword |
+| rsa.misc.pid | | keyword |
+| rsa.misc.policy | | keyword |
+| rsa.misc.policyUUID | | keyword |
+| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword |
+| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword |
+| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword |
+| rsa.misc.policy_waiver | | keyword |
+| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword |
+| rsa.misc.pool_name | This key captures the name of a resource pool | keyword |
+| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword |
+| rsa.misc.priority | | keyword |
+| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword |
+| rsa.misc.prog_asp_num | | keyword |
+| rsa.misc.program | | keyword |
+| rsa.misc.real_data | | keyword |
+| rsa.misc.reason | | keyword |
+| rsa.misc.rec_asp_device | | keyword |
+| rsa.misc.rec_asp_num | | keyword |
+| rsa.misc.rec_library | | keyword |
+| rsa.misc.recordnum | | keyword |
+| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword |
+| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword |
+| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword |
+| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword |
+| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword |
+| rsa.misc.risk | This key captures the non-numeric risk value | keyword |
+| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword |
+| rsa.misc.risk_num | This key captures a Numeric Risk value | double |
+| rsa.misc.risk_num_comm | This key captures Risk Number Community | double |
+| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double |
+| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double |
+| rsa.misc.risk_num_static | This key captures Risk Number Static | double |
+| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword |
+| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword |
+| rsa.misc.ruid | | keyword |
+| rsa.misc.rule | This key captures the Rule number | keyword |
+| rsa.misc.rule_group | This key captures the Rule group name | keyword |
+| rsa.misc.rule_name | This key captures the Rule Name | keyword |
+| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword |
+| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword |
+| rsa.misc.sburb | | keyword |
+| rsa.misc.sdomain_fld | | keyword |
+| rsa.misc.search_text | This key captures the Search Text used | keyword |
+| rsa.misc.sec | | keyword |
+| rsa.misc.second | | keyword |
+| rsa.misc.sensor | This key captures Name of the sensor. Typically used in IDS/IPS based devices | keyword |
+| rsa.misc.sensorname | | keyword |
+| rsa.misc.seqnum | | keyword |
+| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword |
+| rsa.misc.session | | keyword |
+| rsa.misc.sessiontype | | keyword |
+| rsa.misc.severity | This key is used to capture the severity given the session | keyword |
+| rsa.misc.sigUUID | | keyword |
+| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long |
+| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long |
+| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword |
+| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword |
+| rsa.misc.sigcat | | keyword |
+| rsa.misc.snmp_oid | SNMP Object Identifier | keyword |
+| rsa.misc.snmp_value | SNMP set request value | keyword |
+| rsa.misc.space | | keyword |
+| rsa.misc.space1 | | keyword |
+| rsa.misc.spi | | keyword |
+| rsa.misc.spi_dst | Destination SPI Index | keyword |
+| rsa.misc.spi_src | Source SPI Index | keyword |
+| rsa.misc.sql | This key captures the SQL query | keyword |
+| rsa.misc.srcburb | | keyword |
+| rsa.misc.srcdom | | keyword |
+| rsa.misc.srcservice | | keyword |
+| rsa.misc.state | | keyword |
+| rsa.misc.status | | keyword |
+| rsa.misc.status1 | | keyword |
+| rsa.misc.streams | This key captures number of streams in session | long |
+| rsa.misc.subcategory | | keyword |
+| rsa.misc.svcno | | keyword |
+| rsa.misc.system | | keyword |
+| rsa.misc.tbdstr1 | | keyword |
+| rsa.misc.tbdstr2 | | keyword |
+| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long |
+| rsa.misc.terminal | This key captures the Terminal Names only | keyword |
+| rsa.misc.tgtdom | | keyword |
+| rsa.misc.tgtdomain | | keyword |
+| rsa.misc.threshold | | keyword |
+| rsa.misc.tos | This key describes the type of service | long |
+| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword |
+| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword |
+| rsa.misc.type | | keyword |
+| rsa.misc.type1 | | keyword |
+| rsa.misc.udb_class | | keyword |
+| rsa.misc.url_fld | | keyword |
+| rsa.misc.user_div | | keyword |
+| rsa.misc.userid | | keyword |
+| rsa.misc.username_fld | | keyword |
+| rsa.misc.utcstamp | | keyword |
+| rsa.misc.v_instafname | | keyword |
+| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword |
+| rsa.misc.virt_data | | keyword |
+| rsa.misc.virusname | This key captures the name of the virus | keyword |
+| rsa.misc.vm_target | VMWare Target **VMWARE** only varaible. | keyword |
+| rsa.misc.vpnid | | keyword |
+| rsa.misc.vsys | This key captures Virtual System Name | keyword |
+| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword |
+| rsa.misc.workspace | This key captures Workspace Description | keyword |
+| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword |
+| rsa.network.addr | | keyword |
+| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. | keyword |
+| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword |
+| rsa.network.dmask | This key is used for Destionation Device network mask | keyword |
+| rsa.network.dns_a_record | | keyword |
+| rsa.network.dns_cname_record | | keyword |
+| rsa.network.dns_id | | keyword |
+| rsa.network.dns_opcode | | keyword |
+| rsa.network.dns_ptr_record | | keyword |
+| rsa.network.dns_resp | | keyword |
+| rsa.network.dns_type | | keyword |
+| rsa.network.domain | | keyword |
+| rsa.network.domain1 | | keyword |
+| rsa.network.eth_host | Deprecated, use alias.mac | keyword |
+| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long |
+| rsa.network.faddr | | keyword |
+| rsa.network.fhost | | keyword |
+| rsa.network.fport | | keyword |
+| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword |
+| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword |
+| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword |
+| rsa.network.host_type | | keyword |
+| rsa.network.icmp_code | This key is used to capture the ICMP code only | long |
+| rsa.network.icmp_type | This key is used to capture the ICMP type only | long |
+| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword |
+| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long |
+| rsa.network.laddr | | keyword |
+| rsa.network.lhost | | keyword |
+| rsa.network.linterface | | keyword |
+| rsa.network.mask | This key is used to capture the device network IPmask. | keyword |
+| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. | keyword |
+| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long |
+| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword |
+| rsa.network.origin | | keyword |
+| rsa.network.packet_length | | keyword |
+| rsa.network.paddr | Deprecated | ip |
+| rsa.network.phost | | keyword |
+| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long |
+| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword |
+| rsa.network.remote_domain_id | | keyword |
+| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword |
+| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword |
+| rsa.network.smask | This key is used for capturing source Network Mask | keyword |
+| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long |
+| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword |
+| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword |
+| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword |
+| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword |
+| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword |
+| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. | keyword |
+| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword |
+| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword |
+| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword |
+| rsa.threat.alert | This key is used to capture name of the alert | keyword |
+| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword |
+| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword |
+| rsa.threat.threat_source | This key is used to capture source of the threat | keyword |
+| rsa.time.date | | keyword |
+| rsa.time.datetime | | keyword |
+| rsa.time.day | | keyword |
+| rsa.time.duration_str | A text string version of the duration | keyword |
+| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double |
+| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date |
+| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date |
+| rsa.time.event_queue_time | This key is the Time that the event was queued. | date |
+| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date |
+| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword |
+| rsa.time.eventtime | | keyword |
+| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date |
+| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. | keyword |
+| rsa.time.gmtdate | | keyword |
+| rsa.time.gmttime | | keyword |
+| rsa.time.hour | | keyword |
+| rsa.time.min | | keyword |
+| rsa.time.month | | keyword |
+| rsa.time.p_date | | keyword |
+| rsa.time.p_month | | keyword |
+| rsa.time.p_time | | keyword |
+| rsa.time.p_time1 | | keyword |
+| rsa.time.p_time2 | | keyword |
+| rsa.time.p_year | | keyword |
+| rsa.time.process_time | Deprecated, use duration.time | keyword |
+| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date |
+| rsa.time.stamp | Deprecated key defined only in table map. | date |
+| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date |
+| rsa.time.timestamp | | keyword |
+| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword |
+| rsa.time.tzone | | keyword |
+| rsa.time.year | | keyword |
+| rsa.web.alias_host | | keyword |
+| rsa.web.cn_asn_dst | | keyword |
+| rsa.web.cn_rpackets | | keyword |
+| rsa.web.fqdn | Fully Qualified Domain Names | keyword |
+| rsa.web.p_url | | keyword |
+| rsa.web.p_user_agent | | keyword |
+| rsa.web.p_web_cookie | | keyword |
+| rsa.web.p_web_method | | keyword |
+| rsa.web.p_web_referer | | keyword |
+| rsa.web.remote_domain | | keyword |
+| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double |
+| rsa.web.urlpage | | keyword |
+| rsa.web.urlroot | | keyword |
+| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | Server domain. | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | Source domain. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location.lat | | double | +| source.geo.location.lon | | double | +| source.ip | IP address of the source. Can be one or multiple IPv4 or IPv6 addresses. 
| ip | +| source.mac | MAC address of the source. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword | +| url.path | Path of the request, such as "/search". | keyword | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.id | Unique identifiers of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user_agent.original | Unparsed user_agent string. | keyword |
diff --git a/packages/juniper/0.1.0/img/logo.svg b/packages/juniper/0.1.0/img/logo.svg
new file mode 100644
index 0000000000..8802414a5a
--- /dev/null
+++ b/packages/juniper/0.1.0/img/logo.svg
@@ -0,0 +1,72 @@
+ +image/svg+xml
\ No newline at end of file
diff --git a/packages/juniper/0.1.0/manifest.yml b/packages/juniper/0.1.0/manifest.yml
new file mode 100644
index 0000000000..a8f0e24dac
--- /dev/null
+++ b/packages/juniper/0.1.0/manifest.yml
@@ -0,0 +1,36 @@
+format_version: 1.0.0
+name: juniper
+title: Juniper JUNOS
+version: 0.1.0
+description: Juniper JUNOS Integration
+categories: ["network","security"]
+release: experimental
+removable: true
+license: basic
+type: integration
+conditions:
+ kibana:
+ version: '>=7.9.0'
+ elasticsearch:
+ version: '>=7.9.0'
+config_templates:
+- name: junos
+ title: Juniper JUNOS
+ description: Collect Juniper JUNOS logs from syslog or a file.
+ inputs:
+ - type: udp
+ title: Collect logs from Juniper JUNOS via UDP
+ description: Collecting syslog from Juniper JUNOS via UDP
+ - type: tcp
+ title: Collect logs from Juniper JUNOS via TCP
+ description: Collecting syslog from Juniper JUNOS via TCP
+ - type: file
+ title: Collect logs from Juniper JUNOS via file
+ description: Collecting syslog from Juniper JUNOS via file.
+# No icon
+icons:
+ - src: /img/logo.svg
+ title: Juniper JUNOS logo
+ size: 32x32
+ type: image/svg+xml
+ 
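Review bot: The `# No icon` comment in the new manifest.yml sits directly above an `icons:` block that registers `/img/logo.svg`, so the comment is stale and contradicts the line below it; drop it, or replace it with one that matches the content, e.g. `# Package icon (img/logo.svg, added in this change)`. The three input `description` values are also inconsistent in punctuation (only the file variant ends with a period), which is worth aligning, e.g. `description: Collecting syslog from Juniper JUNOS via file`. The hunk also ends with an added blank line after `type: image/svg+xml`, which most YAML linters will flag as trailing whitespace.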
diff --git a/packages/kaspersky/0.1.0/dataset/av/agent/stream/stream.yml.hbs b/packages/kaspersky/0.1.0/dataset/av/agent/stream/stream.yml.hbs
new file mode 100644
index 0000000000..bac83e29eb
--- /dev/null
+++ b/packages/kaspersky/0.1.0/dataset/av/agent/stream/stream.yml.hbs
@@ -0,0 +1,3296 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Kaspersky" + product: "Kaspersky" + type: "Anti-Virus" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage).
+ var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+ };
+
+ function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+ }
+
+ function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+ }
+
+ function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+ }
+
+ function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+ }
+
+ function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+ }
+
+ function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+ }
+
+ var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld12->} %{fld13->} %{protocol->} %{p0}"); + + var dup13 = match("MESSAGE#51:HTTP:Object_Infected/1_0", "nwparser.p0", "object %{p0}"); + + var dup14 = match("MESSAGE#51:HTTP:Object_Infected/1_1", "nwparser.p0", "Object %{p0}"); + + var dup15 = match("MESSAGE#51:HTTP:Object_Infected/3_0", "nwparser.p0", "Client's %{p0}"); + + var dup16 = match("MESSAGE#51:HTTP:Object_Infected/3_1", "nwparser.p0", "client's %{p0}"); + + var dup17 = match("MESSAGE#51:HTTP:Object_Infected/4", "nwparser.p0", "%{}address: %{hostip})"); + + var dup18 = setf("msg","$MSG"); + + var dup19 = date_time({ + dest: "event_time", + args: ["fld11","fld12","fld13"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dN,dc(":"),dU,dc(":"),dO,dP], + ], + }); + + var dup20 = setf("obj_type","protocol"); + + var dup21 = setc("eventcategory","1601020000"); + + var dup22 = lookup({ + dest: "nwparser.severity", + map: map_getSeveritylevel, + key: dup3, + }); + + var dup23 = linear_select([ + dup13, + dup14, + ]); + + var dup24 = linear_select([ + dup15, + dup16, + ]); + + var dup25 = match("MESSAGE#0:KLSRV_EVENT_HOSTS_NEW_DETECTED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var dup26 = match("MESSAGE#1:KLSRV_EVENT_HOSTS_NEW_DETECTED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var dup27 = match("MESSAGE#11:KLAUD_EV_OBJECTMODIFY:01", "nwparser.payload", "%{fld1}^^%{fld2->} 
%{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{username}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var dup28 = match("MESSAGE#12:KLAUD_EV_OBJECTMODIFY", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{username}^^%{fld18}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var dup29 = match("MESSAGE#31:GNRL_EV_OBJECT_CURED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{virusname}", processor_chain([ + dup6, + dup2, + dup7, + dup22, + ])); + + var dup30 = match("MESSAGE#42:KLEVP_GroupTaskSyncState:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var dup31 = match("MESSAGE#43:KLEVP_GroupTaskSyncState", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var dup32 = match("MESSAGE#46:KLSRV_EV_LICENSE_CHECK_90", "nwparser.payload", "%{fld1}^^%{fld2->} 
%{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var dup33 = match("MESSAGE#58:000000ce", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup21, + dup2, + dup22, + ])); + + var dup34 = match("MESSAGE#63:000000db", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup8, + dup2, + dup22, + ])); + + var dup35 = match("MESSAGE#77:KLSRV_EV_LICENSE_SRV_LIMITED_MODE", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%kasperskyav: %{hfld1}^^%{hrecorded_time}^^%{messageid}^^%{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("^^"), + field("hrecorded_time"), + constant("^^"), + field("messageid"), + constant("^^"), + field("payload"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%kasperskyav-%{hlevel}: %{hdate->} %{htime->} %{hfld1->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdate"), + constant(" "), + field("htime"), + constant(" 
"), + field("hfld1"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + ]); + + var msg1 = msg("KLSRV_EVENT_HOSTS_NEW_DETECTED:01", dup25); + + var msg2 = msg("KLSRV_EVENT_HOSTS_NEW_DETECTED", dup26); + + var select2 = linear_select([ + msg1, + msg2, + ]); + + var msg3 = msg("KLSRV_EVENT_HOSTS_NOT_VISIBLE", dup26); + + var msg4 = msg("KLSRV_HOST_STATUS_WARNING:01", dup25); + + var msg5 = msg("KLSRV_HOST_STATUS_WARNING", dup26); + + var select3 = linear_select([ + msg4, + msg5, + ]); + + var part1 = match("MESSAGE#5:KLSRV_RUNTIME_ERROR", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup4, + dup2, + dup22, + ])); + + var msg6 = msg("KLSRV_RUNTIME_ERROR", part1); + + var msg7 = msg("KLSRV_HOST_STATUS_CRITICAL:01", dup25); + + var msg8 = msg("KLSRV_HOST_STATUS_CRITICAL", dup26); + + var select4 = linear_select([ + msg7, + msg8, + ]); + + var msg9 = msg("KLSRV_HOST_MOVED_WITH_RULE_EX", dup26); + + var msg10 = msg("KLSRV_HOST_OUT_CONTROL", dup26); + + var msg11 = msg("KLSRV_INVISIBLE_HOSTS_REMOVED", dup26); + + var msg12 = msg("KLAUD_EV_OBJECTMODIFY:01", dup27); + + var msg13 = msg("KLAUD_EV_OBJECTMODIFY", dup28); + + var select5 = linear_select([ + msg12, + msg13, + ]); + + var msg14 = msg("KLAUD_EV_TASK_STATE_CHANGED:01", dup27); + + var msg15 = msg("KLAUD_EV_TASK_STATE_CHANGED", dup28); + + var select6 = linear_select([ + msg14, + msg15, + ]); + + var msg16 = msg("KLAUD_EV_ADMGROUP_CHANGED:01", dup27); + + var msg17 = msg("KLAUD_EV_ADMGROUP_CHANGED", dup28); + + var select7 = linear_select([ + msg16, + msg17, + ]); + + var msg18 = msg("KLAUD_EV_SERVERCONNECT:01", dup27); + + var msg19 = msg("KLAUD_EV_SERVERCONNECT", dup28); + + var select8 = 
linear_select([ + msg18, + msg19, + ]); + + var msg20 = msg("00010009", dup26); + + var msg21 = msg("00010013", dup26); + + var msg22 = msg("00020006", dup26); + + var msg23 = msg("00020007", dup26); + + var msg24 = msg("00020008", dup26); + + var msg25 = msg("00030006", dup26); + + var msg26 = msg("00030015", dup26); + + var msg27 = msg("00040007", dup26); + + var msg28 = msg("00040008", dup26); + + var part2 = match("MESSAGE#28:GNRL_EV_SUSPICIOUS_OBJECT_FOUND:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld18}^^%{virusname}^^%{username}^^%{fld19}", processor_chain([ + dup6, + dup2, + dup7, + dup22, + ])); + + var msg29 = msg("GNRL_EV_SUSPICIOUS_OBJECT_FOUND:01", part2); + + var part3 = match("MESSAGE#29:GNRL_EV_SUSPICIOUS_OBJECT_FOUND", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld18}", processor_chain([ + dup6, + dup2, + dup7, + dup22, + ])); + + var msg30 = msg("GNRL_EV_SUSPICIOUS_OBJECT_FOUND", part3); + + var select9 = linear_select([ + msg29, + msg30, + ]); + + var part4 = match("MESSAGE#30:GNRL_EV_OBJECT_CURED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{virusname}^^%{username}^^%{fld18}", processor_chain([ + dup6, + dup2, + dup7, + dup22, + ])); + + var msg31 = msg("GNRL_EV_OBJECT_CURED:01", part4); + + var msg32 = msg("GNRL_EV_OBJECT_CURED", dup29); + + var select10 = linear_select([ + msg31, + msg32, + ]); + + var part5 = match("MESSAGE#32:GNRL_EV_OBJECT_NOTCURED:01", "nwparser.payload", "%{fld1}^^%{fld2->} 
%{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup8, + dup2, + dup7, + dup22, + ])); + + var msg33 = msg("GNRL_EV_OBJECT_NOTCURED:01", part5); + + var msg34 = msg("GNRL_EV_OBJECT_NOTCURED", dup29); + + var select11 = linear_select([ + msg33, + msg34, + ]); + + var part6 = match("MESSAGE#34:GNRL_EV_OBJECT_DELETED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^^^%{virusname}^^%{username}^^%{fld18}", processor_chain([ + dup6, + dup2, + dup7, + dup22, + ])); + + var msg35 = msg("GNRL_EV_OBJECT_DELETED:01", part6); + + var msg36 = msg("GNRL_EV_OBJECT_DELETED", dup29); + + var select12 = linear_select([ + msg35, + msg36, + ]); + + var part7 = match("MESSAGE#36:GNRL_EV_VIRUS_FOUND:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Virus '%{fld7}' detected in message from '%{from}' to '%{to}'.^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{virusname}", processor_chain([ + dup6, + dup2, + dup7, + dup22, + setc("event_description","Virus detected in email message"), + ])); + + var msg37 = msg("GNRL_EV_VIRUS_FOUND:01", part7); + + var part8 = match("MESSAGE#37:GNRL_EV_VIRUS_FOUND:03", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld18}^^%{virusname}^^%{username}^^%{fld22}", processor_chain([ + dup8, + dup2, + dup7, + dup22, + ])); + + var msg38 = msg("GNRL_EV_VIRUS_FOUND:03", part8); + + var msg39 = 
msg("GNRL_EV_VIRUS_FOUND:02", dup29); + + var select13 = linear_select([ + msg37, + msg38, + msg39, + ]); + + var part9 = match("MESSAGE#39:GNRL_EV_VIRUS_OUTBREAK", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup6, + dup2, + dup22, + ])); + + var msg40 = msg("GNRL_EV_VIRUS_OUTBREAK", part9); + + var part10 = match("MESSAGE#40:GNRL_EV_ATTACK_DETECTED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{threat_name}^^%{protocol}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup5, + dup9, + dup10, + dup11, + dup2, + dup22, + ])); + + var msg41 = msg("GNRL_EV_ATTACK_DETECTED:01", part10); + + var part11 = match("MESSAGE#41:GNRL_EV_ATTACK_DETECTED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup6, + dup9, + dup10, + dup11, + dup2, + dup22, + ])); + + var msg42 = msg("GNRL_EV_ATTACK_DETECTED", part11); + + var select14 = linear_select([ + msg41, + msg42, + ]); + + var msg43 = msg("KLEVP_GroupTaskSyncState:01", dup30); + + var msg44 = msg("KLEVP_GroupTaskSyncState", dup31); + + var select15 = linear_select([ + msg43, + msg44, + ]); + + var msg45 = msg("KLPRCI_TaskState:01", dup30); + + var msg46 = msg("KLPRCI_TaskState", dup31); + + var select16 = linear_select([ + msg45, + msg46, + ]); + + var msg47 = msg("KLSRV_EV_LICENSE_CHECK_90", dup32); + + var msg48 = msg("KLNAG_EV_INV_APP_UNINSTALLED", dup32); + + var msg49 = msg("KLNAG_EV_DEVICE_ARRIVAL", dup32); + + var msg50 = msg("KLNAG_EV_DEVICE_REMOVE", 
dup32); + + var msg51 = msg("FSEE_AKPLUGIN_CRITICAL_PATCHES_AVAILABLE", dup31); + + var part12 = match("MESSAGE#51:HTTP:Object_Infected/2", "nwparser.p0", "%{}'%{obj_name}' is infected with '%{virusname}'(Database date: %{fld14}, %{p0}"); + + var all1 = all_match({ + processors: [ + dup12, + dup23, + part12, + dup24, + dup17, + ], + on_success: processor_chain([ + dup6, + dup18, + dup19, + dup20, + ]), + }); + + var msg52 = msg("HTTP:Object_Infected", all1); + + var part13 = match("MESSAGE#52:HTTP:Object_Scanning_Error/2", "nwparser.p0", "%{}'%{obj_name}' scanning resulted in an error (Database date: %{fld14}, %{p0}"); + + var all2 = all_match({ + processors: [ + dup12, + dup23, + part13, + dup24, + dup17, + ], + on_success: processor_chain([ + dup4, + dup18, + dup19, + dup20, + ]), + }); + + var msg53 = msg("HTTP:Object_Scanning_Error", all2); + + var part14 = match("MESSAGE#53:HTTP:Object_Scanned_And_Clean/2", "nwparser.p0", "%{}'%{obj_name}' has been scanned and flagged as clean(Database date: %{fld14}, %{p0}"); + + var all3 = all_match({ + processors: [ + dup12, + dup23, + part14, + dup24, + dup17, + ], + on_success: processor_chain([ + dup8, + dup18, + dup19, + dup20, + ]), + }); + + var msg54 = msg("HTTP:Object_Scanned_And_Clean", all3); + + var part15 = match("MESSAGE#54:HTTP:Object_Not_Scanned_01/2", "nwparser.p0", "%{}'%{obj_name}' has not been scanned as defined by the policy as %{policyname->} %{fld17->} ( %{p0}"); + + var all4 = all_match({ + processors: [ + dup12, + dup23, + part15, + dup24, + dup17, + ], + on_success: processor_chain([ + dup8, + dup18, + dup19, + dup20, + ]), + }); + + var msg55 = msg("HTTP:Object_Not_Scanned_01", all4); + + var part16 = match("MESSAGE#55:HTTP:Object_Not_Scanned_02/2", "nwparser.p0", "%{}'%{obj_name}' has not been scanned as defined by the policy ( %{p0}"); + + var all5 = all_match({ + processors: [ + dup12, + dup23, + part16, + dup24, + dup17, + ], + on_success: processor_chain([ + dup8, + dup18, + dup19, + dup20, + 
]), + }); + + var msg56 = msg("HTTP:Object_Not_Scanned_02", all5); + + var part17 = match("MESSAGE#57:HTTP:01/2", "nwparser.p0", "%{}'%{obj_name}"); + + var all6 = all_match({ + processors: [ + dup12, + dup23, + part17, + ], + on_success: processor_chain([ + dup8, + dup18, + dup19, + dup20, + ]), + }); + + var msg57 = msg("HTTP:01", all6); + + var select17 = linear_select([ + msg52, + msg53, + msg54, + msg55, + msg56, + msg57, + ]); + + var msg58 = msg("KLSRV_EV_LICENSE_CHECK_MORE_110", dup30); + + var msg59 = msg("000000ce", dup33); + + var msg60 = msg("000000d4", dup33); + + var msg61 = msg("000000d5", dup25); + + var msg62 = msg("000000d8", dup25); + + var msg63 = msg("000000da", dup25); + + var msg64 = msg("000000db", dup34); + + var msg65 = msg("000000d6", dup25); + + var msg66 = msg("000000de", dup34); + + var part18 = match("MESSAGE#66:000000e1", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + setc("eventcategory","1606000000"), + dup2, + dup22, + ])); + + var msg67 = msg("000000e1", part18); + + var msg68 = msg("0000012f", dup25); + + var msg69 = msg("00000134", dup34); + + var msg70 = msg("00000143", dup34); + + var msg71 = msg("00000141", dup25); + + var msg72 = msg("00000353", dup25); + + var msg73 = msg("00000354", dup25); + + var msg74 = msg("000003fb", dup34); + + var msg75 = msg("000003fd", dup25); + + var msg76 = msg("000000cc", dup25); + + var part19 = match("MESSAGE#76:000000e2", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld7}^^%{fld8}^^%{fld15}^^", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var msg77 = msg("000000e2", part19); + + var msg78 = msg("KLSRV_EV_LICENSE_SRV_LIMITED_MODE", 
dup35); + + var part20 = match("MESSAGE#78:KSNPROXY_STOPPED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld5}^^%{fld7}^^%{fld8}^^", processor_chain([ + setc("eventcategory","1801030000"), + dup2, + dup22, + ])); + + var msg79 = msg("KSNPROXY_STOPPED", part20); + + var part21 = match("MESSAGE#79:KLSRV_UPD_BASES_UPDATED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld5}^^%{fld7}^^%{fld8}^^", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var msg80 = msg("KLSRV_UPD_BASES_UPDATED", part21); + + var part22 = match("MESSAGE#80:FSEE_AKPLUGIN_OBJECT_NOT_PROCESSED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Object not scanned. Reason: %{event_description->} Object name: %(unknown)^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var msg81 = msg("FSEE_AKPLUGIN_OBJECT_NOT_PROCESSED", part22); + + var part23 = match("MESSAGE#81:KLNAG_EV_INV_APP_INSTALLED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld5}^^%{fld7}^^%{product}^^%{version}^^%{fld8}", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var msg82 = msg("KLNAG_EV_INV_APP_INSTALLED", part23); + + var part24 = match("MESSAGE#82:GNRL_EV_LICENSE_EXPIRATION", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info->} User: %{username->} Component: %{fld5}Result\\Description: %{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^", processor_chain([ + dup1, + 
dup2, + dup22, + ])); + + var msg83 = msg("GNRL_EV_LICENSE_EXPIRATION", part24); + + var part25 = match("MESSAGE#83:KSNPROXY_STARTED_CON_CHK_FAILED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld5}^^%{fld7}^^%{fld8}^^", processor_chain([ + setc("eventcategory","1703000000"), + dup2, + dup22, + ])); + + var msg84 = msg("KSNPROXY_STARTED_CON_CHK_FAILED", part25); + + var part26 = match("MESSAGE#84:000003f8", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_description}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Event type:%{event_type->} Result: %{fld23->} Object: %{obj_name->} Object\\Path: %{url->} User:%{username->} Update ID: %{fld51}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var msg85 = msg("000003f8", part26); + + var msg86 = msg("FSEE_AKPLUGIN_AVBASES_CORRUPTED", dup35); + + var part27 = match("MESSAGE#86:GNRL_EV_OBJECT_BLOCKED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld19}^^%{virusname}^^%{username}^^%{fld18}", processor_chain([ + dup1, + dup2, + dup7, + dup22, + ])); + + var msg87 = msg("GNRL_EV_OBJECT_BLOCKED", part27); + + var part28 = match("MESSAGE#87:0000014d", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var msg88 = msg("0000014d", part28); + + var part29 = match("MESSAGE#88:000003f7/0", "nwparser.payload", "%{fld1}^^%{fld2->} 
%{fld3}.%{fld4}^^%{event_description}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Event type:%{event_type->} Result: %{result->} %{p0}"); + + var part30 = match("MESSAGE#88:000003f7/1_0", "nwparser.p0", "Object: %{obj_name->} Object\\Path: %{url->} User:%{username}(%{privilege})%{p0}"); + + var part31 = match("MESSAGE#88:000003f7/1_1", "nwparser.p0", "User:%{username}(%{privilege})%{p0}"); + + var select18 = linear_select([ + part30, + part31, + ]); + + var part32 = match("MESSAGE#88:000003f7/2", "nwparser.p0", "%{}Release date: %{fld23}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}"); + + var all7 = all_match({ + processors: [ + part29, + select18, + part32, + ], + on_success: processor_chain([ + dup1, + dup2, + dup22, + ]), + }); + + var msg89 = msg("000003f7", all7); + + var part33 = match("MESSAGE#89:FSEE_AKPLUGIN_OBJECT_NOT_ISOLATED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Object not quarantined. 
Reason: %{event_description}^^%{context}^^%{product}^^%{version}^^%(unknown)^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var msg90 = msg("FSEE_AKPLUGIN_OBJECT_NOT_ISOLATED", part33); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "000000cc": msg76, + "000000ce": msg59, + "000000d4": msg60, + "000000d5": msg61, + "000000d6": msg65, + "000000d8": msg62, + "000000da": msg63, + "000000db": msg64, + "000000de": msg66, + "000000e1": msg67, + "000000e2": msg77, + "0000012f": msg68, + "00000134": msg69, + "00000141": msg71, + "00000143": msg70, + "0000014d": msg88, + "00000353": msg72, + "00000354": msg73, + "000003f7": msg89, + "000003f8": msg85, + "000003fb": msg74, + "000003fd": msg75, + "00010009": msg20, + "00010013": msg21, + "00020006": msg22, + "00020007": msg23, + "00020008": msg24, + "00030006": msg25, + "00030015": msg26, + "00040007": msg27, + "00040008": msg28, + "FSEE_AKPLUGIN_AVBASES_CORRUPTED": msg86, + "FSEE_AKPLUGIN_CRITICAL_PATCHES_AVAILABLE": msg51, + "FSEE_AKPLUGIN_OBJECT_NOT_ISOLATED": msg90, + "FSEE_AKPLUGIN_OBJECT_NOT_PROCESSED": msg81, + "GNRL_EV_ATTACK_DETECTED": select14, + "GNRL_EV_LICENSE_EXPIRATION": msg83, + "GNRL_EV_OBJECT_BLOCKED": msg87, + "GNRL_EV_OBJECT_CURED": select10, + "GNRL_EV_OBJECT_DELETED": select12, + "GNRL_EV_OBJECT_NOTCURED": select11, + "GNRL_EV_SUSPICIOUS_OBJECT_FOUND": select9, + "GNRL_EV_VIRUS_FOUND": select13, + "GNRL_EV_VIRUS_OUTBREAK": msg40, + "HTTP": select17, + "KLAUD_EV_ADMGROUP_CHANGED": select7, + "KLAUD_EV_OBJECTMODIFY": select5, + "KLAUD_EV_SERVERCONNECT": select8, + "KLAUD_EV_TASK_STATE_CHANGED": select6, + "KLEVP_GroupTaskSyncState": select15, + "KLNAG_EV_DEVICE_ARRIVAL": msg49, + "KLNAG_EV_DEVICE_REMOVE": msg50, + "KLNAG_EV_INV_APP_INSTALLED": msg82, + "KLNAG_EV_INV_APP_UNINSTALLED": msg48, + "KLPRCI_TaskState": select16, + "KLSRV_EVENT_HOSTS_NEW_DETECTED": select2, + "KLSRV_EVENT_HOSTS_NOT_VISIBLE": msg3, + 
"KLSRV_EV_LICENSE_CHECK_90": msg47, + "KLSRV_EV_LICENSE_CHECK_MORE_110": msg58, + "KLSRV_EV_LICENSE_SRV_LIMITED_MODE": msg78, + "KLSRV_HOST_MOVED_WITH_RULE_EX": msg9, + "KLSRV_HOST_OUT_CONTROL": msg10, + "KLSRV_HOST_STATUS_CRITICAL": select4, + "KLSRV_HOST_STATUS_WARNING": select3, + "KLSRV_INVISIBLE_HOSTS_REMOVED": msg11, + "KLSRV_RUNTIME_ERROR": msg6, + "KLSRV_UPD_BASES_UPDATED": msg80, + "KSNPROXY_STARTED_CON_CHK_FAILED": msg84, + "KSNPROXY_STOPPED": msg79, + }), + ]); + + var part34 = match("MESSAGE#51:HTTP:Object_Infected/0", "nwparser.payload", "%{fld11->} %{fld12->} %{fld13->} %{protocol->} %{p0}"); + + var part35 = match("MESSAGE#51:HTTP:Object_Infected/1_0", "nwparser.p0", "object %{p0}"); + + var part36 = match("MESSAGE#51:HTTP:Object_Infected/1_1", "nwparser.p0", "Object %{p0}"); + + var part37 = match("MESSAGE#51:HTTP:Object_Infected/3_0", "nwparser.p0", "Client's %{p0}"); + + var part38 = match("MESSAGE#51:HTTP:Object_Infected/3_1", "nwparser.p0", "client's %{p0}"); + + var part39 = match("MESSAGE#51:HTTP:Object_Infected/4", "nwparser.p0", "%{}address: %{hostip})"); + + var select19 = linear_select([ + dup13, + dup14, + ]); + + var select20 = linear_select([ + dup15, + dup16, + ]); + + var part40 = match("MESSAGE#0:KLSRV_EVENT_HOSTS_NEW_DETECTED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var part41 = match("MESSAGE#1:KLSRV_EVENT_HOSTS_NEW_DETECTED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var part42 = 
match("MESSAGE#11:KLAUD_EV_OBJECTMODIFY:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{username}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var part43 = match("MESSAGE#12:KLAUD_EV_OBJECTMODIFY", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{username}^^%{fld18}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var part44 = match("MESSAGE#31:GNRL_EV_OBJECT_CURED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{virusname}", processor_chain([ + dup6, + dup2, + dup7, + dup22, + ])); + + var part45 = match("MESSAGE#42:KLEVP_GroupTaskSyncState:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var part46 = match("MESSAGE#43:KLEVP_GroupTaskSyncState", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var part47 = match("MESSAGE#46:KLSRV_EV_LICENSE_CHECK_90", "nwparser.payload", "%{fld1}^^%{fld2->} 
%{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var part48 = match("MESSAGE#58:000000ce", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup21, + dup2, + dup22, + ])); + + var part49 = match("MESSAGE#63:000000db", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup8, + dup2, + dup22, + ])); + + var part50 = match("MESSAGE#77:KLSRV_EV_LICENSE_SRV_LIMITED_MODE", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^", processor_chain([ + dup1, + dup2, + dup22, + ])); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/kaspersky/0.1.0/dataset/av/agent/stream/tcp.yml.hbs b/packages/kaspersky/0.1.0/dataset/av/agent/stream/tcp.yml.hbs new file mode 100644 index 0000000000..db16b39d99 --- /dev/null +++ b/packages/kaspersky/0.1.0/dataset/av/agent/stream/tcp.yml.hbs 
@@ -0,0 +1,3293 @@
+tcp:
+host: "{{tcp_host}}:{{tcp_port}}"
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Kaspersky"
+ product: "Kaspersky"
+ type: "Anti-Virus"
+publisher_pipeline.disable_host: true
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{rsa_fields}}
+ tz_offset: {{tz_offset}}
+ keep_raw: {{keep_raw_fields}}
+ debug: {{debug}}
+ source: |
+ // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ // or more contributor license agreements. Licensed under the Elastic License;
+ // you may not use this file except in compliance with the Elastic License.
+
+ /* jshint -W014,-W016,-W097,-W116 */
+
+ var processor = require("processor");
+ var console = require("console");
+
+ var FLAG_FIELD = "log.flags";
+ var FIELDS_OBJECT = "nwparser";
+ var FIELDS_PREFIX = FIELDS_OBJECT + ".";
+
+ var defaults = {
+ debug: false,
+ ecs: true,
+ rsa: false,
+ keep_raw: false,
+ tz_offset: "local",
+ strip_priority: true
+ };
+
+ var saved_flags = null;
+ var debug;
+ var map_ecs;
+ var map_rsa;
+ var keep_raw;
+ var device;
+ var tz_offset;
+ var strip_priority;
+
+ // Register params from configuration.
+ function register(params) {
+ debug = params.debug !== undefined ? params.debug : defaults.debug;
+ map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
+ map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
+ keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
+ tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
+ strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority;
+ device = new DeviceProcessor();
+ }
+
+ function parse_tz_offset(offset) {
+ var date;
+ var m;
+ switch(offset) {
+ // local uses the tz offset from the JS VM.
+ case "local":
+ date = new Date();
+ // Reversing the sign as we the offset from UTC, not to UTC.
+ return parse_local_tz_offset(-date.getTimezoneOffset());
+ // event uses the tz offset from event.timezone (add_locale processor).
+ case "event":
+ return offset;
+ // Otherwise a tz offset in the form "[+-][0-9]{4}" is required.
+ default:
+ m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/);
+ if (m === null || m.length !== 4) {
+ throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM");
+ }
+ return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00");
+ }
+ }
+
+ function parse_local_tz_offset(minutes) {
+ var neg = minutes < 0;
+ minutes = Math.abs(minutes);
+ var min = minutes % 60;
+ var hours = Math.floor(minutes / 60);
+ var pad2digit = function(n) {
+ if (n < 10) { return "0" + n;}
+ return "" + n;
+ };
+ return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min);
+ }
+
+ function process(evt) {
+ // Function register is only called by the processor when `params` are set
+ // in the processor config.
+ if (device === undefined) {
+ register(defaults);
+ }
+ return device.process(evt);
+ }
+
+ function processor_chain(subprocessors) {
+ var builder = new processor.Chain();
+ subprocessors.forEach(builder.Add);
+ return builder.Build().Run;
+ }
+
+ function linear_select(subprocessors) {
+ return function (evt) {
+ var flags = evt.Get(FLAG_FIELD);
+ var i;
+ for (i = 0; i < subprocessors.length; i++) {
+ evt.Delete(FLAG_FIELD);
+ if (debug) console.warn("linear_select trying entry " + i);
+ subprocessors[i](evt);
+ // Dissect processor succeeded?
+ if (evt.Get(FLAG_FIELD) == null) break;
+ if (debug) console.warn("linear_select failed entry " + i);
+ }
+ if (flags !== null) {
+ evt.Put(FLAG_FIELD, flags);
+ }
+ if (debug) {
+ if (i < subprocessors.length) {
+ console.warn("linear_select matched entry " + i);
+ } else {
+ console.warn("linear_select didn't match");
+ }
+ }
+ };
+ }
+
+ function conditional(opt) {
+ return function(evt) {
+ if (opt.if(evt)) {
+ opt.then(evt);
+ } else if (opt.else) {
+ opt.else(evt);
+ }
+ };
+ }
+
+ var strip_syslog_priority = (function() {
+ var isEnabled = function() { return strip_priority === true; };
+ var fetchPRI = field("_pri");
+ var fetchPayload = field("payload");
+ var removePayload = remove(["payload"]);
+ var cleanup = remove(["_pri", "payload"]);
+ var onMatch = function(evt) {
+ var pri, priStr = fetchPRI(evt);
+ if (priStr != null
+ && 0 < priStr.length && priStr.length < 4
+ && !isNaN((pri = Number(priStr)))
+ && 0 <= pri && pri < 192) {
+ var severity = pri & 7,
+ facility = pri >> 3;
+ setc("_severity", "" + severity)(evt);
+ setc("_facility", "" + facility)(evt);
+ // Replace message with priority stripped.
+ evt.Put("message", fetchPayload(evt));
+ removePayload(evt);
+ } else {
+ // not a valid syslog PRI, cleanup.
+ cleanup(evt);
+ }
+ };
+ return conditional({
+ if: isEnabled,
+ then: cleanup_flags(match(
+ "STRIP_PRI",
+ "message",
+ "<%{_pri}>%{payload}",
+ onMatch
+ ))
+ });
+ })();
+
+ function match(id, src, pattern, on_success) {
+ var dissect = new processor.Dissect({
+ field: src,
+ tokenizer: pattern,
+ target_prefix: FIELDS_OBJECT,
+ ignore_failure: true,
+ overwrite_keys: true,
+ trim_values: "right"
+ });
+ return function (evt) {
+ var msg = evt.Get(src);
+ dissect.Run(evt);
+ var failed = evt.Get(FLAG_FIELD) != null;
+ if (debug) {
+ if (failed) {
+ console.debug("dissect fail: " + id + " field:" + src);
+ } else {
+ console.debug("dissect OK: " + id + " field:" + src);
+ }
+ console.debug(" expr: <<" + pattern + ">>");
+ console.debug(" input: <<" + msg + ">>");
+ }
+ if (on_success != null && !failed) {
+ on_success(evt);
+ }
+ };
+ }
+
+ function cleanup_flags(processor) {
+ return function(evt) {
+ processor(evt);
+ evt.Delete(FLAG_FIELD);
+ };
+ }
+
+ function all_match(opts) {
+ return function (evt) {
+ var i;
+ for (i = 0; i < opts.processors.length; i++) {
+ evt.Delete(FLAG_FIELD);
+ opts.processors[i](evt);
+ // Dissect processor succeeded?
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld12->} %{fld13->} %{protocol->} %{p0}"); + + var dup13 = match("MESSAGE#51:HTTP:Object_Infected/1_0", "nwparser.p0", "object %{p0}"); + + var dup14 = match("MESSAGE#51:HTTP:Object_Infected/1_1", "nwparser.p0", "Object %{p0}"); + + var dup15 = match("MESSAGE#51:HTTP:Object_Infected/3_0", "nwparser.p0", "Client's %{p0}"); + + var dup16 = match("MESSAGE#51:HTTP:Object_Infected/3_1", "nwparser.p0", "client's %{p0}"); + + var dup17 = match("MESSAGE#51:HTTP:Object_Infected/4", "nwparser.p0", "%{}address: %{hostip})"); + + var dup18 = setf("msg","$MSG"); + + var dup19 = date_time({ + dest: "event_time", + args: ["fld11","fld12","fld13"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dN,dc(":"),dU,dc(":"),dO,dP], + ], + }); + + var dup20 = setf("obj_type","protocol"); + + var dup21 = setc("eventcategory","1601020000"); + + var dup22 = lookup({ + dest: "nwparser.severity", + map: map_getSeveritylevel, + key: dup3, + }); + + var dup23 = linear_select([ + dup13, + dup14, + ]); + + var dup24 = linear_select([ + dup15, + dup16, + ]); + + var dup25 = match("MESSAGE#0:KLSRV_EVENT_HOSTS_NEW_DETECTED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var dup26 = match("MESSAGE#1:KLSRV_EVENT_HOSTS_NEW_DETECTED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var dup27 = match("MESSAGE#11:KLAUD_EV_OBJECTMODIFY:01", "nwparser.payload", "%{fld1}^^%{fld2->} 
%{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{username}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var dup28 = match("MESSAGE#12:KLAUD_EV_OBJECTMODIFY", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{username}^^%{fld18}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var dup29 = match("MESSAGE#31:GNRL_EV_OBJECT_CURED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{virusname}", processor_chain([ + dup6, + dup2, + dup7, + dup22, + ])); + + var dup30 = match("MESSAGE#42:KLEVP_GroupTaskSyncState:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var dup31 = match("MESSAGE#43:KLEVP_GroupTaskSyncState", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var dup32 = match("MESSAGE#46:KLSRV_EV_LICENSE_CHECK_90", "nwparser.payload", "%{fld1}^^%{fld2->} 
%{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var dup33 = match("MESSAGE#58:000000ce", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup21, + dup2, + dup22, + ])); + + var dup34 = match("MESSAGE#63:000000db", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup8, + dup2, + dup22, + ])); + + var dup35 = match("MESSAGE#77:KLSRV_EV_LICENSE_SRV_LIMITED_MODE", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%kasperskyav: %{hfld1}^^%{hrecorded_time}^^%{messageid}^^%{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("^^"), + field("hrecorded_time"), + constant("^^"), + field("messageid"), + constant("^^"), + field("payload"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%kasperskyav-%{hlevel}: %{hdate->} %{htime->} %{hfld1->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdate"), + constant(" "), + field("htime"), + constant(" 
"), + field("hfld1"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + ]); + + var msg1 = msg("KLSRV_EVENT_HOSTS_NEW_DETECTED:01", dup25); + + var msg2 = msg("KLSRV_EVENT_HOSTS_NEW_DETECTED", dup26); + + var select2 = linear_select([ + msg1, + msg2, + ]); + + var msg3 = msg("KLSRV_EVENT_HOSTS_NOT_VISIBLE", dup26); + + var msg4 = msg("KLSRV_HOST_STATUS_WARNING:01", dup25); + + var msg5 = msg("KLSRV_HOST_STATUS_WARNING", dup26); + + var select3 = linear_select([ + msg4, + msg5, + ]); + + var part1 = match("MESSAGE#5:KLSRV_RUNTIME_ERROR", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup4, + dup2, + dup22, + ])); + + var msg6 = msg("KLSRV_RUNTIME_ERROR", part1); + + var msg7 = msg("KLSRV_HOST_STATUS_CRITICAL:01", dup25); + + var msg8 = msg("KLSRV_HOST_STATUS_CRITICAL", dup26); + + var select4 = linear_select([ + msg7, + msg8, + ]); + + var msg9 = msg("KLSRV_HOST_MOVED_WITH_RULE_EX", dup26); + + var msg10 = msg("KLSRV_HOST_OUT_CONTROL", dup26); + + var msg11 = msg("KLSRV_INVISIBLE_HOSTS_REMOVED", dup26); + + var msg12 = msg("KLAUD_EV_OBJECTMODIFY:01", dup27); + + var msg13 = msg("KLAUD_EV_OBJECTMODIFY", dup28); + + var select5 = linear_select([ + msg12, + msg13, + ]); + + var msg14 = msg("KLAUD_EV_TASK_STATE_CHANGED:01", dup27); + + var msg15 = msg("KLAUD_EV_TASK_STATE_CHANGED", dup28); + + var select6 = linear_select([ + msg14, + msg15, + ]); + + var msg16 = msg("KLAUD_EV_ADMGROUP_CHANGED:01", dup27); + + var msg17 = msg("KLAUD_EV_ADMGROUP_CHANGED", dup28); + + var select7 = linear_select([ + msg16, + msg17, + ]); + + var msg18 = msg("KLAUD_EV_SERVERCONNECT:01", dup27); + + var msg19 = msg("KLAUD_EV_SERVERCONNECT", dup28); + + var select8 = 
linear_select([ + msg18, + msg19, + ]); + + var msg20 = msg("00010009", dup26); + + var msg21 = msg("00010013", dup26); + + var msg22 = msg("00020006", dup26); + + var msg23 = msg("00020007", dup26); + + var msg24 = msg("00020008", dup26); + + var msg25 = msg("00030006", dup26); + + var msg26 = msg("00030015", dup26); + + var msg27 = msg("00040007", dup26); + + var msg28 = msg("00040008", dup26); + + var part2 = match("MESSAGE#28:GNRL_EV_SUSPICIOUS_OBJECT_FOUND:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld18}^^%{virusname}^^%{username}^^%{fld19}", processor_chain([ + dup6, + dup2, + dup7, + dup22, + ])); + + var msg29 = msg("GNRL_EV_SUSPICIOUS_OBJECT_FOUND:01", part2); + + var part3 = match("MESSAGE#29:GNRL_EV_SUSPICIOUS_OBJECT_FOUND", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld18}", processor_chain([ + dup6, + dup2, + dup7, + dup22, + ])); + + var msg30 = msg("GNRL_EV_SUSPICIOUS_OBJECT_FOUND", part3); + + var select9 = linear_select([ + msg29, + msg30, + ]); + + var part4 = match("MESSAGE#30:GNRL_EV_OBJECT_CURED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{virusname}^^%{username}^^%{fld18}", processor_chain([ + dup6, + dup2, + dup7, + dup22, + ])); + + var msg31 = msg("GNRL_EV_OBJECT_CURED:01", part4); + + var msg32 = msg("GNRL_EV_OBJECT_CURED", dup29); + + var select10 = linear_select([ + msg31, + msg32, + ]); + + var part5 = match("MESSAGE#32:GNRL_EV_OBJECT_NOTCURED:01", "nwparser.payload", "%{fld1}^^%{fld2->} 
%{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup8, + dup2, + dup7, + dup22, + ])); + + var msg33 = msg("GNRL_EV_OBJECT_NOTCURED:01", part5); + + var msg34 = msg("GNRL_EV_OBJECT_NOTCURED", dup29); + + var select11 = linear_select([ + msg33, + msg34, + ]); + + var part6 = match("MESSAGE#34:GNRL_EV_OBJECT_DELETED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^^^%{virusname}^^%{username}^^%{fld18}", processor_chain([ + dup6, + dup2, + dup7, + dup22, + ])); + + var msg35 = msg("GNRL_EV_OBJECT_DELETED:01", part6); + + var msg36 = msg("GNRL_EV_OBJECT_DELETED", dup29); + + var select12 = linear_select([ + msg35, + msg36, + ]); + + var part7 = match("MESSAGE#36:GNRL_EV_VIRUS_FOUND:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Virus '%{fld7}' detected in message from '%{from}' to '%{to}'.^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{virusname}", processor_chain([ + dup6, + dup2, + dup7, + dup22, + setc("event_description","Virus detected in email message"), + ])); + + var msg37 = msg("GNRL_EV_VIRUS_FOUND:01", part7); + + var part8 = match("MESSAGE#37:GNRL_EV_VIRUS_FOUND:03", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld18}^^%{virusname}^^%{username}^^%{fld22}", processor_chain([ + dup8, + dup2, + dup7, + dup22, + ])); + + var msg38 = msg("GNRL_EV_VIRUS_FOUND:03", part8); + + var msg39 = 
msg("GNRL_EV_VIRUS_FOUND:02", dup29); + + var select13 = linear_select([ + msg37, + msg38, + msg39, + ]); + + var part9 = match("MESSAGE#39:GNRL_EV_VIRUS_OUTBREAK", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup6, + dup2, + dup22, + ])); + + var msg40 = msg("GNRL_EV_VIRUS_OUTBREAK", part9); + + var part10 = match("MESSAGE#40:GNRL_EV_ATTACK_DETECTED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{threat_name}^^%{protocol}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup5, + dup9, + dup10, + dup11, + dup2, + dup22, + ])); + + var msg41 = msg("GNRL_EV_ATTACK_DETECTED:01", part10); + + var part11 = match("MESSAGE#41:GNRL_EV_ATTACK_DETECTED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup6, + dup9, + dup10, + dup11, + dup2, + dup22, + ])); + + var msg42 = msg("GNRL_EV_ATTACK_DETECTED", part11); + + var select14 = linear_select([ + msg41, + msg42, + ]); + + var msg43 = msg("KLEVP_GroupTaskSyncState:01", dup30); + + var msg44 = msg("KLEVP_GroupTaskSyncState", dup31); + + var select15 = linear_select([ + msg43, + msg44, + ]); + + var msg45 = msg("KLPRCI_TaskState:01", dup30); + + var msg46 = msg("KLPRCI_TaskState", dup31); + + var select16 = linear_select([ + msg45, + msg46, + ]); + + var msg47 = msg("KLSRV_EV_LICENSE_CHECK_90", dup32); + + var msg48 = msg("KLNAG_EV_INV_APP_UNINSTALLED", dup32); + + var msg49 = msg("KLNAG_EV_DEVICE_ARRIVAL", dup32); + + var msg50 = msg("KLNAG_EV_DEVICE_REMOVE", 
dup32); + + var msg51 = msg("FSEE_AKPLUGIN_CRITICAL_PATCHES_AVAILABLE", dup31); + + var part12 = match("MESSAGE#51:HTTP:Object_Infected/2", "nwparser.p0", "%{}'%{obj_name}' is infected with '%{virusname}'(Database date: %{fld14}, %{p0}"); + + var all1 = all_match({ + processors: [ + dup12, + dup23, + part12, + dup24, + dup17, + ], + on_success: processor_chain([ + dup6, + dup18, + dup19, + dup20, + ]), + }); + + var msg52 = msg("HTTP:Object_Infected", all1); + + var part13 = match("MESSAGE#52:HTTP:Object_Scanning_Error/2", "nwparser.p0", "%{}'%{obj_name}' scanning resulted in an error (Database date: %{fld14}, %{p0}"); + + var all2 = all_match({ + processors: [ + dup12, + dup23, + part13, + dup24, + dup17, + ], + on_success: processor_chain([ + dup4, + dup18, + dup19, + dup20, + ]), + }); + + var msg53 = msg("HTTP:Object_Scanning_Error", all2); + + var part14 = match("MESSAGE#53:HTTP:Object_Scanned_And_Clean/2", "nwparser.p0", "%{}'%{obj_name}' has been scanned and flagged as clean(Database date: %{fld14}, %{p0}"); + + var all3 = all_match({ + processors: [ + dup12, + dup23, + part14, + dup24, + dup17, + ], + on_success: processor_chain([ + dup8, + dup18, + dup19, + dup20, + ]), + }); + + var msg54 = msg("HTTP:Object_Scanned_And_Clean", all3); + + var part15 = match("MESSAGE#54:HTTP:Object_Not_Scanned_01/2", "nwparser.p0", "%{}'%{obj_name}' has not been scanned as defined by the policy as %{policyname->} %{fld17->} ( %{p0}"); + + var all4 = all_match({ + processors: [ + dup12, + dup23, + part15, + dup24, + dup17, + ], + on_success: processor_chain([ + dup8, + dup18, + dup19, + dup20, + ]), + }); + + var msg55 = msg("HTTP:Object_Not_Scanned_01", all4); + + var part16 = match("MESSAGE#55:HTTP:Object_Not_Scanned_02/2", "nwparser.p0", "%{}'%{obj_name}' has not been scanned as defined by the policy ( %{p0}"); + + var all5 = all_match({ + processors: [ + dup12, + dup23, + part16, + dup24, + dup17, + ], + on_success: processor_chain([ + dup8, + dup18, + dup19, + dup20, + 
]), + }); + + var msg56 = msg("HTTP:Object_Not_Scanned_02", all5); + + var part17 = match("MESSAGE#57:HTTP:01/2", "nwparser.p0", "%{}'%{obj_name}"); + + var all6 = all_match({ + processors: [ + dup12, + dup23, + part17, + ], + on_success: processor_chain([ + dup8, + dup18, + dup19, + dup20, + ]), + }); + + var msg57 = msg("HTTP:01", all6); + + var select17 = linear_select([ + msg52, + msg53, + msg54, + msg55, + msg56, + msg57, + ]); + + var msg58 = msg("KLSRV_EV_LICENSE_CHECK_MORE_110", dup30); + + var msg59 = msg("000000ce", dup33); + + var msg60 = msg("000000d4", dup33); + + var msg61 = msg("000000d5", dup25); + + var msg62 = msg("000000d8", dup25); + + var msg63 = msg("000000da", dup25); + + var msg64 = msg("000000db", dup34); + + var msg65 = msg("000000d6", dup25); + + var msg66 = msg("000000de", dup34); + + var part18 = match("MESSAGE#66:000000e1", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + setc("eventcategory","1606000000"), + dup2, + dup22, + ])); + + var msg67 = msg("000000e1", part18); + + var msg68 = msg("0000012f", dup25); + + var msg69 = msg("00000134", dup34); + + var msg70 = msg("00000143", dup34); + + var msg71 = msg("00000141", dup25); + + var msg72 = msg("00000353", dup25); + + var msg73 = msg("00000354", dup25); + + var msg74 = msg("000003fb", dup34); + + var msg75 = msg("000003fd", dup25); + + var msg76 = msg("000000cc", dup25); + + var part19 = match("MESSAGE#76:000000e2", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld7}^^%{fld8}^^%{fld15}^^", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var msg77 = msg("000000e2", part19); + + var msg78 = msg("KLSRV_EV_LICENSE_SRV_LIMITED_MODE", 
dup35); + + var part20 = match("MESSAGE#78:KSNPROXY_STOPPED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld5}^^%{fld7}^^%{fld8}^^", processor_chain([ + setc("eventcategory","1801030000"), + dup2, + dup22, + ])); + + var msg79 = msg("KSNPROXY_STOPPED", part20); + + var part21 = match("MESSAGE#79:KLSRV_UPD_BASES_UPDATED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld5}^^%{fld7}^^%{fld8}^^", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var msg80 = msg("KLSRV_UPD_BASES_UPDATED", part21); + + var part22 = match("MESSAGE#80:FSEE_AKPLUGIN_OBJECT_NOT_PROCESSED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Object not scanned. Reason: %{event_description->} Object name: %(unknown)^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var msg81 = msg("FSEE_AKPLUGIN_OBJECT_NOT_PROCESSED", part22); + + var part23 = match("MESSAGE#81:KLNAG_EV_INV_APP_INSTALLED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld5}^^%{fld7}^^%{product}^^%{version}^^%{fld8}", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var msg82 = msg("KLNAG_EV_INV_APP_INSTALLED", part23); + + var part24 = match("MESSAGE#82:GNRL_EV_LICENSE_EXPIRATION", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info->} User: %{username->} Component: %{fld5}Result\\Description: %{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^", processor_chain([ + dup1, + 
dup2, + dup22, + ])); + + var msg83 = msg("GNRL_EV_LICENSE_EXPIRATION", part24); + + var part25 = match("MESSAGE#83:KSNPROXY_STARTED_CON_CHK_FAILED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld5}^^%{fld7}^^%{fld8}^^", processor_chain([ + setc("eventcategory","1703000000"), + dup2, + dup22, + ])); + + var msg84 = msg("KSNPROXY_STARTED_CON_CHK_FAILED", part25); + + var part26 = match("MESSAGE#84:000003f8", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_description}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Event type:%{event_type->} Result: %{fld23->} Object: %{obj_name->} Object\\Path: %{url->} User:%{username->} Update ID: %{fld51}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var msg85 = msg("000003f8", part26); + + var msg86 = msg("FSEE_AKPLUGIN_AVBASES_CORRUPTED", dup35); + + var part27 = match("MESSAGE#86:GNRL_EV_OBJECT_BLOCKED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld19}^^%{virusname}^^%{username}^^%{fld18}", processor_chain([ + dup1, + dup2, + dup7, + dup22, + ])); + + var msg87 = msg("GNRL_EV_OBJECT_BLOCKED", part27); + + var part28 = match("MESSAGE#87:0000014d", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var msg88 = msg("0000014d", part28); + + var part29 = match("MESSAGE#88:000003f7/0", "nwparser.payload", "%{fld1}^^%{fld2->} 
%{fld3}.%{fld4}^^%{event_description}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Event type:%{event_type->} Result: %{result->} %{p0}"); + + var part30 = match("MESSAGE#88:000003f7/1_0", "nwparser.p0", "Object: %{obj_name->} Object\\Path: %{url->} User:%{username}(%{privilege})%{p0}"); + + var part31 = match("MESSAGE#88:000003f7/1_1", "nwparser.p0", "User:%{username}(%{privilege})%{p0}"); + + var select18 = linear_select([ + part30, + part31, + ]); + + var part32 = match("MESSAGE#88:000003f7/2", "nwparser.p0", "%{}Release date: %{fld23}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}"); + + var all7 = all_match({ + processors: [ + part29, + select18, + part32, + ], + on_success: processor_chain([ + dup1, + dup2, + dup22, + ]), + }); + + var msg89 = msg("000003f7", all7); + + var part33 = match("MESSAGE#89:FSEE_AKPLUGIN_OBJECT_NOT_ISOLATED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Object not quarantined. 
Reason: %{event_description}^^%{context}^^%{product}^^%{version}^^%(unknown)^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var msg90 = msg("FSEE_AKPLUGIN_OBJECT_NOT_ISOLATED", part33); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "000000cc": msg76, + "000000ce": msg59, + "000000d4": msg60, + "000000d5": msg61, + "000000d6": msg65, + "000000d8": msg62, + "000000da": msg63, + "000000db": msg64, + "000000de": msg66, + "000000e1": msg67, + "000000e2": msg77, + "0000012f": msg68, + "00000134": msg69, + "00000141": msg71, + "00000143": msg70, + "0000014d": msg88, + "00000353": msg72, + "00000354": msg73, + "000003f7": msg89, + "000003f8": msg85, + "000003fb": msg74, + "000003fd": msg75, + "00010009": msg20, + "00010013": msg21, + "00020006": msg22, + "00020007": msg23, + "00020008": msg24, + "00030006": msg25, + "00030015": msg26, + "00040007": msg27, + "00040008": msg28, + "FSEE_AKPLUGIN_AVBASES_CORRUPTED": msg86, + "FSEE_AKPLUGIN_CRITICAL_PATCHES_AVAILABLE": msg51, + "FSEE_AKPLUGIN_OBJECT_NOT_ISOLATED": msg90, + "FSEE_AKPLUGIN_OBJECT_NOT_PROCESSED": msg81, + "GNRL_EV_ATTACK_DETECTED": select14, + "GNRL_EV_LICENSE_EXPIRATION": msg83, + "GNRL_EV_OBJECT_BLOCKED": msg87, + "GNRL_EV_OBJECT_CURED": select10, + "GNRL_EV_OBJECT_DELETED": select12, + "GNRL_EV_OBJECT_NOTCURED": select11, + "GNRL_EV_SUSPICIOUS_OBJECT_FOUND": select9, + "GNRL_EV_VIRUS_FOUND": select13, + "GNRL_EV_VIRUS_OUTBREAK": msg40, + "HTTP": select17, + "KLAUD_EV_ADMGROUP_CHANGED": select7, + "KLAUD_EV_OBJECTMODIFY": select5, + "KLAUD_EV_SERVERCONNECT": select8, + "KLAUD_EV_TASK_STATE_CHANGED": select6, + "KLEVP_GroupTaskSyncState": select15, + "KLNAG_EV_DEVICE_ARRIVAL": msg49, + "KLNAG_EV_DEVICE_REMOVE": msg50, + "KLNAG_EV_INV_APP_INSTALLED": msg82, + "KLNAG_EV_INV_APP_UNINSTALLED": msg48, + "KLPRCI_TaskState": select16, + "KLSRV_EVENT_HOSTS_NEW_DETECTED": select2, + "KLSRV_EVENT_HOSTS_NOT_VISIBLE": msg3, + 
"KLSRV_EV_LICENSE_CHECK_90": msg47, + "KLSRV_EV_LICENSE_CHECK_MORE_110": msg58, + "KLSRV_EV_LICENSE_SRV_LIMITED_MODE": msg78, + "KLSRV_HOST_MOVED_WITH_RULE_EX": msg9, + "KLSRV_HOST_OUT_CONTROL": msg10, + "KLSRV_HOST_STATUS_CRITICAL": select4, + "KLSRV_HOST_STATUS_WARNING": select3, + "KLSRV_INVISIBLE_HOSTS_REMOVED": msg11, + "KLSRV_RUNTIME_ERROR": msg6, + "KLSRV_UPD_BASES_UPDATED": msg80, + "KSNPROXY_STARTED_CON_CHK_FAILED": msg84, + "KSNPROXY_STOPPED": msg79, + }), + ]); + + var part34 = match("MESSAGE#51:HTTP:Object_Infected/0", "nwparser.payload", "%{fld11->} %{fld12->} %{fld13->} %{protocol->} %{p0}"); + + var part35 = match("MESSAGE#51:HTTP:Object_Infected/1_0", "nwparser.p0", "object %{p0}"); + + var part36 = match("MESSAGE#51:HTTP:Object_Infected/1_1", "nwparser.p0", "Object %{p0}"); + + var part37 = match("MESSAGE#51:HTTP:Object_Infected/3_0", "nwparser.p0", "Client's %{p0}"); + + var part38 = match("MESSAGE#51:HTTP:Object_Infected/3_1", "nwparser.p0", "client's %{p0}"); + + var part39 = match("MESSAGE#51:HTTP:Object_Infected/4", "nwparser.p0", "%{}address: %{hostip})"); + + var select19 = linear_select([ + dup13, + dup14, + ]); + + var select20 = linear_select([ + dup15, + dup16, + ]); + + var part40 = match("MESSAGE#0:KLSRV_EVENT_HOSTS_NEW_DETECTED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var part41 = match("MESSAGE#1:KLSRV_EVENT_HOSTS_NEW_DETECTED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var part42 = 
match("MESSAGE#11:KLAUD_EV_OBJECTMODIFY:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{username}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var part43 = match("MESSAGE#12:KLAUD_EV_OBJECTMODIFY", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{username}^^%{fld18}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var part44 = match("MESSAGE#31:GNRL_EV_OBJECT_CURED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{virusname}", processor_chain([ + dup6, + dup2, + dup7, + dup22, + ])); + + var part45 = match("MESSAGE#42:KLEVP_GroupTaskSyncState:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var part46 = match("MESSAGE#43:KLEVP_GroupTaskSyncState", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var part47 = match("MESSAGE#46:KLSRV_EV_LICENSE_CHECK_90", "nwparser.payload", "%{fld1}^^%{fld2->} 
%{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var part48 = match("MESSAGE#58:000000ce", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup21, + dup2, + dup22, + ])); + + var part49 = match("MESSAGE#63:000000db", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup8, + dup2, + dup22, + ])); + + var part50 = match("MESSAGE#77:KLSRV_EV_LICENSE_SRV_LIMITED_MODE", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^", processor_chain([ + dup1, + dup2, + dup22, + ])); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/kaspersky/0.1.0/dataset/av/agent/stream/udp.yml.hbs b/packages/kaspersky/0.1.0/dataset/av/agent/stream/udp.yml.hbs new file mode 100644 index 0000000000..95d67b2091 --- /dev/null +++ b/packages/kaspersky/0.1.0/dataset/av/agent/stream/udp.yml.hbs 
@@ -0,0 +1,3293 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Kaspersky" + product: "Kaspersky" + type: "Anti-Virus" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
+ "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
+ "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
+ "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
+ "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
+ "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
+ "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
+ "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
+ "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
+ "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
+ "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
+ "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
+ "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
+ "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
+ "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
+ "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
+ "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
+ "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
+ "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
+ "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
+ "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
+ "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
+ "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
+ "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
+ "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
+ "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
+ "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
+ "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
+ "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
+ "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
+ "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
+ "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
+ "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
+ "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
+ "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
+ "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
+ "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
+ "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
+ "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
+ "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
+ "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
+ "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
+ "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
+ "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
+ "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
+ "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
+ "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
+ "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
+ "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
+ "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
+ "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
+ "number": {to:[{field: "rsa.misc.number", setter: fld_set}]},
+ "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
+ "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
+ "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
+ "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
+ "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
+ "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
+ "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
+ "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
+ "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
+ "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
+ "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
+ "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
+ "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
+ "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
+ "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
+ "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
+ "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
+ "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
+ "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
+ "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
+ "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
+ "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
+ "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
+ "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
+ "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
+ "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
+ "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
+ "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
+ "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
+ "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
+ "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
+ "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
+ "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
+ "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
+ "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
+ "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
+ "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
+ "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
+ "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
+ "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
+ "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
+ "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
+ "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
+ "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
+ "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
+ "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
+ "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
+ "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
+ "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
+ "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
+ "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
+ "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
+ "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
+ "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
+ "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
+ "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
+ "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
+ "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
+ "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
+ "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
+ "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
+ "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
+ "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
+ "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
+ "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
+ "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
+ "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
+ "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
+ "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
+ "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
+ "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
+ "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
+ "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
+ "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
+ "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
+ "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
+ "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
+ "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
+ "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
+ "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
+ "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
+ "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
+ "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
+ "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
+ "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
+ "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
+ "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
+ "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
+ "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
+ "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
+ "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
+ "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
+ "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
+ "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
+ "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
+ "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
+ "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
+ "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
+ "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
+ "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
+ "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
+ "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
+ "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
+ "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
+ "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
+ "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
+ "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]},
+ "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
+ "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
+ "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
+ "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
+ "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
+ "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
+ "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
+ "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
+ "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
+ "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
+ "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
+ "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
+ "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
+ "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
+ "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
+ "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
+ "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
+ "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
+ "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
+ "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
+ "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
+ "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
+ "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
+ "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
+ "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
+ "second": {to:[{field: "rsa.misc.second", setter: fld_set}]},
+ "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
+ "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
+ "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
+ "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld12->} %{fld13->} %{protocol->} %{p0}"); + + var dup13 = match("MESSAGE#51:HTTP:Object_Infected/1_0", "nwparser.p0", "object %{p0}"); + + var dup14 = match("MESSAGE#51:HTTP:Object_Infected/1_1", "nwparser.p0", "Object %{p0}"); + + var dup15 = match("MESSAGE#51:HTTP:Object_Infected/3_0", "nwparser.p0", "Client's %{p0}"); + + var dup16 = match("MESSAGE#51:HTTP:Object_Infected/3_1", "nwparser.p0", "client's %{p0}"); + + var dup17 = match("MESSAGE#51:HTTP:Object_Infected/4", "nwparser.p0", "%{}address: %{hostip})"); + + var dup18 = setf("msg","$MSG"); + + var dup19 = date_time({ + dest: "event_time", + args: ["fld11","fld12","fld13"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dN,dc(":"),dU,dc(":"),dO,dP], + ], + }); + + var dup20 = setf("obj_type","protocol"); + + var dup21 = setc("eventcategory","1601020000"); + + var dup22 = lookup({ + dest: "nwparser.severity", + map: map_getSeveritylevel, + key: dup3, + }); + + var dup23 = linear_select([ + dup13, + dup14, + ]); + + var dup24 = linear_select([ + dup15, + dup16, + ]); + + var dup25 = match("MESSAGE#0:KLSRV_EVENT_HOSTS_NEW_DETECTED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var dup26 = match("MESSAGE#1:KLSRV_EVENT_HOSTS_NEW_DETECTED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var dup27 = match("MESSAGE#11:KLAUD_EV_OBJECTMODIFY:01", "nwparser.payload", "%{fld1}^^%{fld2->} 
%{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{username}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var dup28 = match("MESSAGE#12:KLAUD_EV_OBJECTMODIFY", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{username}^^%{fld18}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var dup29 = match("MESSAGE#31:GNRL_EV_OBJECT_CURED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{virusname}", processor_chain([ + dup6, + dup2, + dup7, + dup22, + ])); + + var dup30 = match("MESSAGE#42:KLEVP_GroupTaskSyncState:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var dup31 = match("MESSAGE#43:KLEVP_GroupTaskSyncState", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var dup32 = match("MESSAGE#46:KLSRV_EV_LICENSE_CHECK_90", "nwparser.payload", "%{fld1}^^%{fld2->} 
%{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var dup33 = match("MESSAGE#58:000000ce", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup21, + dup2, + dup22, + ])); + + var dup34 = match("MESSAGE#63:000000db", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup8, + dup2, + dup22, + ])); + + var dup35 = match("MESSAGE#77:KLSRV_EV_LICENSE_SRV_LIMITED_MODE", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%kasperskyav: %{hfld1}^^%{hrecorded_time}^^%{messageid}^^%{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("^^"), + field("hrecorded_time"), + constant("^^"), + field("messageid"), + constant("^^"), + field("payload"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%kasperskyav-%{hlevel}: %{hdate->} %{htime->} %{hfld1->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdate"), + constant(" "), + field("htime"), + constant(" 
"), + field("hfld1"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + ]); + + var msg1 = msg("KLSRV_EVENT_HOSTS_NEW_DETECTED:01", dup25); + + var msg2 = msg("KLSRV_EVENT_HOSTS_NEW_DETECTED", dup26); + + var select2 = linear_select([ + msg1, + msg2, + ]); + + var msg3 = msg("KLSRV_EVENT_HOSTS_NOT_VISIBLE", dup26); + + var msg4 = msg("KLSRV_HOST_STATUS_WARNING:01", dup25); + + var msg5 = msg("KLSRV_HOST_STATUS_WARNING", dup26); + + var select3 = linear_select([ + msg4, + msg5, + ]); + + var part1 = match("MESSAGE#5:KLSRV_RUNTIME_ERROR", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup4, + dup2, + dup22, + ])); + + var msg6 = msg("KLSRV_RUNTIME_ERROR", part1); + + var msg7 = msg("KLSRV_HOST_STATUS_CRITICAL:01", dup25); + + var msg8 = msg("KLSRV_HOST_STATUS_CRITICAL", dup26); + + var select4 = linear_select([ + msg7, + msg8, + ]); + + var msg9 = msg("KLSRV_HOST_MOVED_WITH_RULE_EX", dup26); + + var msg10 = msg("KLSRV_HOST_OUT_CONTROL", dup26); + + var msg11 = msg("KLSRV_INVISIBLE_HOSTS_REMOVED", dup26); + + var msg12 = msg("KLAUD_EV_OBJECTMODIFY:01", dup27); + + var msg13 = msg("KLAUD_EV_OBJECTMODIFY", dup28); + + var select5 = linear_select([ + msg12, + msg13, + ]); + + var msg14 = msg("KLAUD_EV_TASK_STATE_CHANGED:01", dup27); + + var msg15 = msg("KLAUD_EV_TASK_STATE_CHANGED", dup28); + + var select6 = linear_select([ + msg14, + msg15, + ]); + + var msg16 = msg("KLAUD_EV_ADMGROUP_CHANGED:01", dup27); + + var msg17 = msg("KLAUD_EV_ADMGROUP_CHANGED", dup28); + + var select7 = linear_select([ + msg16, + msg17, + ]); + + var msg18 = msg("KLAUD_EV_SERVERCONNECT:01", dup27); + + var msg19 = msg("KLAUD_EV_SERVERCONNECT", dup28); + + var select8 = 
linear_select([ + msg18, + msg19, + ]); + + var msg20 = msg("00010009", dup26); + + var msg21 = msg("00010013", dup26); + + var msg22 = msg("00020006", dup26); + + var msg23 = msg("00020007", dup26); + + var msg24 = msg("00020008", dup26); + + var msg25 = msg("00030006", dup26); + + var msg26 = msg("00030015", dup26); + + var msg27 = msg("00040007", dup26); + + var msg28 = msg("00040008", dup26); + + var part2 = match("MESSAGE#28:GNRL_EV_SUSPICIOUS_OBJECT_FOUND:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld18}^^%{virusname}^^%{username}^^%{fld19}", processor_chain([ + dup6, + dup2, + dup7, + dup22, + ])); + + var msg29 = msg("GNRL_EV_SUSPICIOUS_OBJECT_FOUND:01", part2); + + var part3 = match("MESSAGE#29:GNRL_EV_SUSPICIOUS_OBJECT_FOUND", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld18}", processor_chain([ + dup6, + dup2, + dup7, + dup22, + ])); + + var msg30 = msg("GNRL_EV_SUSPICIOUS_OBJECT_FOUND", part3); + + var select9 = linear_select([ + msg29, + msg30, + ]); + + var part4 = match("MESSAGE#30:GNRL_EV_OBJECT_CURED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{virusname}^^%{username}^^%{fld18}", processor_chain([ + dup6, + dup2, + dup7, + dup22, + ])); + + var msg31 = msg("GNRL_EV_OBJECT_CURED:01", part4); + + var msg32 = msg("GNRL_EV_OBJECT_CURED", dup29); + + var select10 = linear_select([ + msg31, + msg32, + ]); + + var part5 = match("MESSAGE#32:GNRL_EV_OBJECT_NOTCURED:01", "nwparser.payload", "%{fld1}^^%{fld2->} 
%{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup8, + dup2, + dup7, + dup22, + ])); + + var msg33 = msg("GNRL_EV_OBJECT_NOTCURED:01", part5); + + var msg34 = msg("GNRL_EV_OBJECT_NOTCURED", dup29); + + var select11 = linear_select([ + msg33, + msg34, + ]); + + var part6 = match("MESSAGE#34:GNRL_EV_OBJECT_DELETED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^^^%{virusname}^^%{username}^^%{fld18}", processor_chain([ + dup6, + dup2, + dup7, + dup22, + ])); + + var msg35 = msg("GNRL_EV_OBJECT_DELETED:01", part6); + + var msg36 = msg("GNRL_EV_OBJECT_DELETED", dup29); + + var select12 = linear_select([ + msg35, + msg36, + ]); + + var part7 = match("MESSAGE#36:GNRL_EV_VIRUS_FOUND:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Virus '%{fld7}' detected in message from '%{from}' to '%{to}'.^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{virusname}", processor_chain([ + dup6, + dup2, + dup7, + dup22, + setc("event_description","Virus detected in email message"), + ])); + + var msg37 = msg("GNRL_EV_VIRUS_FOUND:01", part7); + + var part8 = match("MESSAGE#37:GNRL_EV_VIRUS_FOUND:03", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld18}^^%{virusname}^^%{username}^^%{fld22}", processor_chain([ + dup8, + dup2, + dup7, + dup22, + ])); + + var msg38 = msg("GNRL_EV_VIRUS_FOUND:03", part8); + + var msg39 = 
msg("GNRL_EV_VIRUS_FOUND:02", dup29); + + var select13 = linear_select([ + msg37, + msg38, + msg39, + ]); + + var part9 = match("MESSAGE#39:GNRL_EV_VIRUS_OUTBREAK", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup6, + dup2, + dup22, + ])); + + var msg40 = msg("GNRL_EV_VIRUS_OUTBREAK", part9); + + var part10 = match("MESSAGE#40:GNRL_EV_ATTACK_DETECTED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{threat_name}^^%{protocol}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup5, + dup9, + dup10, + dup11, + dup2, + dup22, + ])); + + var msg41 = msg("GNRL_EV_ATTACK_DETECTED:01", part10); + + var part11 = match("MESSAGE#41:GNRL_EV_ATTACK_DETECTED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup6, + dup9, + dup10, + dup11, + dup2, + dup22, + ])); + + var msg42 = msg("GNRL_EV_ATTACK_DETECTED", part11); + + var select14 = linear_select([ + msg41, + msg42, + ]); + + var msg43 = msg("KLEVP_GroupTaskSyncState:01", dup30); + + var msg44 = msg("KLEVP_GroupTaskSyncState", dup31); + + var select15 = linear_select([ + msg43, + msg44, + ]); + + var msg45 = msg("KLPRCI_TaskState:01", dup30); + + var msg46 = msg("KLPRCI_TaskState", dup31); + + var select16 = linear_select([ + msg45, + msg46, + ]); + + var msg47 = msg("KLSRV_EV_LICENSE_CHECK_90", dup32); + + var msg48 = msg("KLNAG_EV_INV_APP_UNINSTALLED", dup32); + + var msg49 = msg("KLNAG_EV_DEVICE_ARRIVAL", dup32); + + var msg50 = msg("KLNAG_EV_DEVICE_REMOVE", 
dup32); + + var msg51 = msg("FSEE_AKPLUGIN_CRITICAL_PATCHES_AVAILABLE", dup31); + + var part12 = match("MESSAGE#51:HTTP:Object_Infected/2", "nwparser.p0", "%{}'%{obj_name}' is infected with '%{virusname}'(Database date: %{fld14}, %{p0}"); + + var all1 = all_match({ + processors: [ + dup12, + dup23, + part12, + dup24, + dup17, + ], + on_success: processor_chain([ + dup6, + dup18, + dup19, + dup20, + ]), + }); + + var msg52 = msg("HTTP:Object_Infected", all1); + + var part13 = match("MESSAGE#52:HTTP:Object_Scanning_Error/2", "nwparser.p0", "%{}'%{obj_name}' scanning resulted in an error (Database date: %{fld14}, %{p0}"); + + var all2 = all_match({ + processors: [ + dup12, + dup23, + part13, + dup24, + dup17, + ], + on_success: processor_chain([ + dup4, + dup18, + dup19, + dup20, + ]), + }); + + var msg53 = msg("HTTP:Object_Scanning_Error", all2); + + var part14 = match("MESSAGE#53:HTTP:Object_Scanned_And_Clean/2", "nwparser.p0", "%{}'%{obj_name}' has been scanned and flagged as clean(Database date: %{fld14}, %{p0}"); + + var all3 = all_match({ + processors: [ + dup12, + dup23, + part14, + dup24, + dup17, + ], + on_success: processor_chain([ + dup8, + dup18, + dup19, + dup20, + ]), + }); + + var msg54 = msg("HTTP:Object_Scanned_And_Clean", all3); + + var part15 = match("MESSAGE#54:HTTP:Object_Not_Scanned_01/2", "nwparser.p0", "%{}'%{obj_name}' has not been scanned as defined by the policy as %{policyname->} %{fld17->} ( %{p0}"); + + var all4 = all_match({ + processors: [ + dup12, + dup23, + part15, + dup24, + dup17, + ], + on_success: processor_chain([ + dup8, + dup18, + dup19, + dup20, + ]), + }); + + var msg55 = msg("HTTP:Object_Not_Scanned_01", all4); + + var part16 = match("MESSAGE#55:HTTP:Object_Not_Scanned_02/2", "nwparser.p0", "%{}'%{obj_name}' has not been scanned as defined by the policy ( %{p0}"); + + var all5 = all_match({ + processors: [ + dup12, + dup23, + part16, + dup24, + dup17, + ], + on_success: processor_chain([ + dup8, + dup18, + dup19, + dup20, + 
]), + }); + + var msg56 = msg("HTTP:Object_Not_Scanned_02", all5); + + var part17 = match("MESSAGE#57:HTTP:01/2", "nwparser.p0", "%{}'%{obj_name}"); + + var all6 = all_match({ + processors: [ + dup12, + dup23, + part17, + ], + on_success: processor_chain([ + dup8, + dup18, + dup19, + dup20, + ]), + }); + + var msg57 = msg("HTTP:01", all6); + + var select17 = linear_select([ + msg52, + msg53, + msg54, + msg55, + msg56, + msg57, + ]); + + var msg58 = msg("KLSRV_EV_LICENSE_CHECK_MORE_110", dup30); + + var msg59 = msg("000000ce", dup33); + + var msg60 = msg("000000d4", dup33); + + var msg61 = msg("000000d5", dup25); + + var msg62 = msg("000000d8", dup25); + + var msg63 = msg("000000da", dup25); + + var msg64 = msg("000000db", dup34); + + var msg65 = msg("000000d6", dup25); + + var msg66 = msg("000000de", dup34); + + var part18 = match("MESSAGE#66:000000e1", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + setc("eventcategory","1606000000"), + dup2, + dup22, + ])); + + var msg67 = msg("000000e1", part18); + + var msg68 = msg("0000012f", dup25); + + var msg69 = msg("00000134", dup34); + + var msg70 = msg("00000143", dup34); + + var msg71 = msg("00000141", dup25); + + var msg72 = msg("00000353", dup25); + + var msg73 = msg("00000354", dup25); + + var msg74 = msg("000003fb", dup34); + + var msg75 = msg("000003fd", dup25); + + var msg76 = msg("000000cc", dup25); + + var part19 = match("MESSAGE#76:000000e2", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld7}^^%{fld8}^^%{fld15}^^", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var msg77 = msg("000000e2", part19); + + var msg78 = msg("KLSRV_EV_LICENSE_SRV_LIMITED_MODE", 
dup35); + + var part20 = match("MESSAGE#78:KSNPROXY_STOPPED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld5}^^%{fld7}^^%{fld8}^^", processor_chain([ + setc("eventcategory","1801030000"), + dup2, + dup22, + ])); + + var msg79 = msg("KSNPROXY_STOPPED", part20); + + var part21 = match("MESSAGE#79:KLSRV_UPD_BASES_UPDATED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld5}^^%{fld7}^^%{fld8}^^", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var msg80 = msg("KLSRV_UPD_BASES_UPDATED", part21); + + var part22 = match("MESSAGE#80:FSEE_AKPLUGIN_OBJECT_NOT_PROCESSED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Object not scanned. Reason: %{event_description->} Object name: %(unknown)^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var msg81 = msg("FSEE_AKPLUGIN_OBJECT_NOT_PROCESSED", part22); + + var part23 = match("MESSAGE#81:KLNAG_EV_INV_APP_INSTALLED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld5}^^%{fld7}^^%{product}^^%{version}^^%{fld8}", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var msg82 = msg("KLNAG_EV_INV_APP_INSTALLED", part23); + + var part24 = match("MESSAGE#82:GNRL_EV_LICENSE_EXPIRATION", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info->} User: %{username->} Component: %{fld5}Result\\Description: %{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^", processor_chain([ + dup1, + 
dup2, + dup22, + ])); + + var msg83 = msg("GNRL_EV_LICENSE_EXPIRATION", part24); + + var part25 = match("MESSAGE#83:KSNPROXY_STARTED_CON_CHK_FAILED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld5}^^%{fld7}^^%{fld8}^^", processor_chain([ + setc("eventcategory","1703000000"), + dup2, + dup22, + ])); + + var msg84 = msg("KSNPROXY_STARTED_CON_CHK_FAILED", part25); + + var part26 = match("MESSAGE#84:000003f8", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_description}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Event type:%{event_type->} Result: %{fld23->} Object: %{obj_name->} Object\\Path: %{url->} User:%{username->} Update ID: %{fld51}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var msg85 = msg("000003f8", part26); + + var msg86 = msg("FSEE_AKPLUGIN_AVBASES_CORRUPTED", dup35); + + var part27 = match("MESSAGE#86:GNRL_EV_OBJECT_BLOCKED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld19}^^%{virusname}^^%{username}^^%{fld18}", processor_chain([ + dup1, + dup2, + dup7, + dup22, + ])); + + var msg87 = msg("GNRL_EV_OBJECT_BLOCKED", part27); + + var part28 = match("MESSAGE#87:0000014d", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var msg88 = msg("0000014d", part28); + + var part29 = match("MESSAGE#88:000003f7/0", "nwparser.payload", "%{fld1}^^%{fld2->} 
%{fld3}.%{fld4}^^%{event_description}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Event type:%{event_type->} Result: %{result->} %{p0}"); + + var part30 = match("MESSAGE#88:000003f7/1_0", "nwparser.p0", "Object: %{obj_name->} Object\\Path: %{url->} User:%{username}(%{privilege})%{p0}"); + + var part31 = match("MESSAGE#88:000003f7/1_1", "nwparser.p0", "User:%{username}(%{privilege})%{p0}"); + + var select18 = linear_select([ + part30, + part31, + ]); + + var part32 = match("MESSAGE#88:000003f7/2", "nwparser.p0", "%{}Release date: %{fld23}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}"); + + var all7 = all_match({ + processors: [ + part29, + select18, + part32, + ], + on_success: processor_chain([ + dup1, + dup2, + dup22, + ]), + }); + + var msg89 = msg("000003f7", all7); + + var part33 = match("MESSAGE#89:FSEE_AKPLUGIN_OBJECT_NOT_ISOLATED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Object not quarantined. 
Reason: %{event_description}^^%{context}^^%{product}^^%{version}^^%(unknown)^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var msg90 = msg("FSEE_AKPLUGIN_OBJECT_NOT_ISOLATED", part33); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "000000cc": msg76, + "000000ce": msg59, + "000000d4": msg60, + "000000d5": msg61, + "000000d6": msg65, + "000000d8": msg62, + "000000da": msg63, + "000000db": msg64, + "000000de": msg66, + "000000e1": msg67, + "000000e2": msg77, + "0000012f": msg68, + "00000134": msg69, + "00000141": msg71, + "00000143": msg70, + "0000014d": msg88, + "00000353": msg72, + "00000354": msg73, + "000003f7": msg89, + "000003f8": msg85, + "000003fb": msg74, + "000003fd": msg75, + "00010009": msg20, + "00010013": msg21, + "00020006": msg22, + "00020007": msg23, + "00020008": msg24, + "00030006": msg25, + "00030015": msg26, + "00040007": msg27, + "00040008": msg28, + "FSEE_AKPLUGIN_AVBASES_CORRUPTED": msg86, + "FSEE_AKPLUGIN_CRITICAL_PATCHES_AVAILABLE": msg51, + "FSEE_AKPLUGIN_OBJECT_NOT_ISOLATED": msg90, + "FSEE_AKPLUGIN_OBJECT_NOT_PROCESSED": msg81, + "GNRL_EV_ATTACK_DETECTED": select14, + "GNRL_EV_LICENSE_EXPIRATION": msg83, + "GNRL_EV_OBJECT_BLOCKED": msg87, + "GNRL_EV_OBJECT_CURED": select10, + "GNRL_EV_OBJECT_DELETED": select12, + "GNRL_EV_OBJECT_NOTCURED": select11, + "GNRL_EV_SUSPICIOUS_OBJECT_FOUND": select9, + "GNRL_EV_VIRUS_FOUND": select13, + "GNRL_EV_VIRUS_OUTBREAK": msg40, + "HTTP": select17, + "KLAUD_EV_ADMGROUP_CHANGED": select7, + "KLAUD_EV_OBJECTMODIFY": select5, + "KLAUD_EV_SERVERCONNECT": select8, + "KLAUD_EV_TASK_STATE_CHANGED": select6, + "KLEVP_GroupTaskSyncState": select15, + "KLNAG_EV_DEVICE_ARRIVAL": msg49, + "KLNAG_EV_DEVICE_REMOVE": msg50, + "KLNAG_EV_INV_APP_INSTALLED": msg82, + "KLNAG_EV_INV_APP_UNINSTALLED": msg48, + "KLPRCI_TaskState": select16, + "KLSRV_EVENT_HOSTS_NEW_DETECTED": select2, + "KLSRV_EVENT_HOSTS_NOT_VISIBLE": msg3, + 
"KLSRV_EV_LICENSE_CHECK_90": msg47, + "KLSRV_EV_LICENSE_CHECK_MORE_110": msg58, + "KLSRV_EV_LICENSE_SRV_LIMITED_MODE": msg78, + "KLSRV_HOST_MOVED_WITH_RULE_EX": msg9, + "KLSRV_HOST_OUT_CONTROL": msg10, + "KLSRV_HOST_STATUS_CRITICAL": select4, + "KLSRV_HOST_STATUS_WARNING": select3, + "KLSRV_INVISIBLE_HOSTS_REMOVED": msg11, + "KLSRV_RUNTIME_ERROR": msg6, + "KLSRV_UPD_BASES_UPDATED": msg80, + "KSNPROXY_STARTED_CON_CHK_FAILED": msg84, + "KSNPROXY_STOPPED": msg79, + }), + ]); + + var part34 = match("MESSAGE#51:HTTP:Object_Infected/0", "nwparser.payload", "%{fld11->} %{fld12->} %{fld13->} %{protocol->} %{p0}"); + + var part35 = match("MESSAGE#51:HTTP:Object_Infected/1_0", "nwparser.p0", "object %{p0}"); + + var part36 = match("MESSAGE#51:HTTP:Object_Infected/1_1", "nwparser.p0", "Object %{p0}"); + + var part37 = match("MESSAGE#51:HTTP:Object_Infected/3_0", "nwparser.p0", "Client's %{p0}"); + + var part38 = match("MESSAGE#51:HTTP:Object_Infected/3_1", "nwparser.p0", "client's %{p0}"); + + var part39 = match("MESSAGE#51:HTTP:Object_Infected/4", "nwparser.p0", "%{}address: %{hostip})"); + + var select19 = linear_select([ + dup13, + dup14, + ]); + + var select20 = linear_select([ + dup15, + dup16, + ]); + + var part40 = match("MESSAGE#0:KLSRV_EVENT_HOSTS_NEW_DETECTED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var part41 = match("MESSAGE#1:KLSRV_EVENT_HOSTS_NEW_DETECTED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup1, + dup2, + dup22, + ])); + + var part42 = 
match("MESSAGE#11:KLAUD_EV_OBJECTMODIFY:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{username}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var part43 = match("MESSAGE#12:KLAUD_EV_OBJECTMODIFY", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{username}^^%{fld18}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var part44 = match("MESSAGE#31:GNRL_EV_OBJECT_CURED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{virusname}", processor_chain([ + dup6, + dup2, + dup7, + dup22, + ])); + + var part45 = match("MESSAGE#42:KLEVP_GroupTaskSyncState:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var part46 = match("MESSAGE#43:KLEVP_GroupTaskSyncState", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var part47 = match("MESSAGE#46:KLSRV_EV_LICENSE_CHECK_90", "nwparser.payload", "%{fld1}^^%{fld2->} 
%{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}", processor_chain([ + dup5, + dup2, + dup22, + ])); + + var part48 = match("MESSAGE#58:000000ce", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup21, + dup2, + dup22, + ])); + + var part49 = match("MESSAGE#63:000000db", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup8, + dup2, + dup22, + ])); + + var part50 = match("MESSAGE#77:KLSRV_EV_LICENSE_SRV_LIMITED_MODE", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^", processor_chain([ + dup1, + dup2, + dup22, + ])); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/kaspersky/0.1.0/dataset/av/elasticsearch/ingest_pipeline/default.yml b/packages/kaspersky/0.1.0/dataset/av/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 0000000000..963dec7e27 --- /dev/null +++ b/packages/kaspersky/0.1.0/dataset/av/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Kaspersky Anti-Virus
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/kaspersky/0.1.0/dataset/av/fields/base-fields.yml b/packages/kaspersky/0.1.0/dataset/av/fields/base-fields.yml
new file mode 100644
index 0000000000..b294eaf20e
--- /dev/null
+++ b/packages/kaspersky/0.1.0/dataset/av/fields/base-fields.yml
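Review bot: The `on_failure` handler at the end of the hunk only appends `_ingest.on_failure_message` to `error.message`, so a document whose geoip, user_agent or rename step failed is indexed looking like every other event; nothing marks it, and the fields it then lacks (`source.geo`, `source.as`) are exactly the ones a detection rule or dashboard would key on. A marker next to the append makes those documents queryable and alertable: `- set:` / `field: event.kind` / `value: pipeline_error`. The four `rename` steps also carry no `ignore_failure`, and `rename` errors when the target field already exists, so if an earlier stage ever populates `source.as.number` directly the whole document lands in that same silent error path; the upstream parsing is not in this file, so that is a question rather than a confirmed defect. A one-line comment above `on_failure`, e.g. `# enrichment failures are recorded in error.message but the event is still indexed`, would make the behaviour explicit for the next maintainer.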
@@ -0,0 +1,26 @@
+- name: datastream.type
+ type: constant_keyword
+ description: Datastream type.
+- name: datastream.dataset
+ type: constant_keyword
+ description: Datastream dataset.
+- name: datastream.namespace
+ type: constant_keyword
+ description: Datastream namespace.
+
+- name: dataset.type
+ type: constant_keyword
+ description: >
+ Dataset type.
+- name: dataset.name
+ type: constant_keyword
+ description: >
+ Dataset name.
+- name: dataset.namespace
+ type: constant_keyword
+ description: >
+ Dataset namespace.
+- name: "@timestamp"
+ type: date
+ description: >
+ Event timestamp.
diff --git a/packages/kaspersky/0.1.0/dataset/av/fields/ecs.yml b/packages/kaspersky/0.1.0/dataset/av/fields/ecs.yml
new file mode 100644
index 0000000000..92af91c339
--- /dev/null
+++ b/packages/kaspersky/0.1.0/dataset/av/fields/ecs.yml
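Review bot: The hunk declares the same three constant_keyword fields twice, once as `datastream.type`/`datastream.dataset`/`datastream.namespace` and again as `dataset.type`/`dataset.name`/`dataset.namespace`, with no comment saying which naming is canonical or why both are kept. Presumably one group is a compatibility carry-over for an older field layout, but a reader of this file alone cannot tell, and an undocumented duplicate is the kind of thing that later gets removed on one side but not the other. A comment above the second group such as `# dataset.* duplicates datastream.* for compatibility with the older field naming; drop once consumers have moved` — or the reverse, if datastream.* is the newcomer — would record the intent.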
@@ -0,0 +1,836 @@ +- name: log + type: group + fields: + - name: original + level: core + type: keyword + ignore_above: 1024 + description: 'This is the original log message and contains the full log message + before splitting it up in multiple parts. + + In contrast to the `message` field which can contain an extracted part of the + log message, this field contains the original, full log message. It can have + already some modifications applied like encoding or new lines removed to clean + up the log message. + + This field is not indexed and doc_values are disabled so it can''t be queried + but the value can be retrieved from `_source`.' + example: Sep 19 08:26:10 localhost My log + - name: level + level: core + type: keyword + ignore_above: 1024 + description: 'Original log level of the log event. + + If the source of the event provides a log level or textual severity, this is + the one that goes in `log.level`. If your source doesn''t specify one, you may + put your event transport''s severity here (e.g. Syslog severity). + + Some examples are `warn`, `err`, `i`, `informational`.' + example: error + - name: syslog + type: group + fields: + - name: priority + level: extended + type: long + format: string + description: 'Syslog numeric priority of the event, if available. + + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. + This number is therefore expected to contain a value between 0 and 191.' + example: 135 + - name: facility + type: group + fields: + - name: code + level: extended + type: long + format: string + description: 'The Syslog numeric facility of the log event, if available. + + According to RFCs 5424 and 3164, this value should be an integer between + 0 and 23.' + example: 23 + - name: severity + type: group + fields: + - name: code + level: extended + type: long + description: 'The Syslog numeric severity of the log event, if available. 
+ + If the event source publishing via Syslog provides a different numeric severity + value (e.g. firewall, IDS), your source''s numeric severity should go to + `event.severity`. If the event source does not specify a distinct severity, + you can optionally copy the Syslog severity to `event.severity`.' + example: 3 +- name: event + type: group + fields: + - name: code + level: extended + type: keyword + ignore_above: 1024 + description: 'Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, regardless + of message language or wording adjustments over time. An example of this is + the Windows Event ID.' + example: 4648 + - name: action + level: core + type: keyword + ignore_above: 1024 + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is normally + defined by the implementer.' + example: user-password-change + - name: outcome + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + lowest level in the ECS category hierarchy. + + `event.outcome` simply denotes whether the event represents a success or a failure + from the perspective of the entity that produced the event. + + Note that when a single transaction is described in multiple events, each event + may populate different values of `event.outcome`, according to their perspective. + + Also note that in the case of a compound event (a single event that contains + multiple logical events), this field should be populated with the value that + best captures the overall success or failure from the perspective of the event + producer. + + Further note that not all events will have an associated outcome. 
For example, + this field is generally not populated for metric events, events with `event.type:info`, + or any events for which an outcome does not make logical sense.' + example: success + - name: category + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as a + subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + - name: timezone + level: extended + type: keyword + ignore_above: 1024 + description: 'This field should be populated when the event''s timestamp does + not include timezone information already (e.g. default Syslog timestamps). It''s + optional otherwise. + + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated + (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' +- name: '@timestamp' + level: core + required: true + type: date + description: 'Date/time when the event originated. + + This is the date/time extracted from the event, typically representing when the + event was generated by the source. + + If the event source has no original timestamp, this value is typically populated + by the first time the event was received by the pipeline. + + Required field for all events.' + example: '2016-05-23T08:05:34.853Z' +- name: user + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. 
+ example: albert + - name: full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifiers of the user. +- name: message + level: core + type: text + description: 'For log events the message field contains the log message, optimized + for viewing in a log viewer. + + For structured logs without an original message field, other fields can be concatenated + to form a human-readable summary of the event. + + If multiple messages exist, they can be combined into one message.' + example: Hello World +- name: source + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the source. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the source. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the source. + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. 
internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Source domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: host + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified + domain name, or a name specified by the user. The sender decides which value + to use.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. +- name: destination + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the destination. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the destination. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event destination addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. 
You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the destination to the source. + example: 184 + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the destination. + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of destination based NAT sessions (e.g. internet + to private DMZ) + + Typically used with load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Port the source session is translated to by NAT Device. + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Destination domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: network + type: group + fields: + - name: protocol + level: core + type: keyword + ignore_above: 1024 + description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: http + - name: application + level: extended + type: keyword + ignore_above: 1024 + description: 'A name given to an application level protocol. This can be arbitrarily + assigned for things like microservices, but also apply to things like skype, + icq, facebook, twitter. 
This would be used in situations where the vendor or + service can be decoded such as from the source/dest IP owners, ports, or wire + format. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: aim + - name: interface + type: group + fields: + - type: keyword + name: name + - name: bytes + level: core + type: long + format: bytes + description: 'Total bytes transferred in both directions. + + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their + sum.' + example: 368 + - name: direction + level: core + type: keyword + ignore_above: 1024 + description: "Direction of the network traffic.\nRecommended values are:\n *\ + \ inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen mapping\ + \ events from a host-based monitoring context, populate this field from the\ + \ host's point of view.\nWhen mapping events from a network or perimeter-based\ + \ monitoring context, populate this field from the point of view of your network\ + \ perimeter." + example: inbound + - name: packets + level: core + type: long + description: 'Total packets transferred in both directions. + + If `source.packets` and `destination.packets` are known, `network.packets` is + their sum.' + example: 24 + - name: forwarded_ip + level: core + type: ip + description: Host IP address when the source IP address is the proxy. + example: 192.1.1.2 +- name: observer + type: group + fields: + - name: version + level: core + type: keyword + ignore_above: 1024 + description: Observer version. + - name: product + level: extended + type: keyword + ignore_above: 1024 + description: The product name of the observer. + example: s200 + - name: ingress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. 
+ example: eth0 + default_field: false + - name: egress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. + example: eth0 + default_field: false +- name: file + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. + example: example.png + - name: directory + level: extended + type: keyword + ignore_above: 1024 + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + - name: size + level: extended + type: long + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: File type (file, dir, or symlink). + example: file + - name: extension + level: extended + type: keyword + ignore_above: 1024 + description: File extension. + example: png + - name: path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + - name: attributes + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' 
+ example: '["readonly", "system"]' + default_field: false +- name: url + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + - name: query + level: extended + type: keyword + ignore_above: 1024 + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there is + no query field. If there is a `?` but no query, the query field exists with + an empty string. The `exists` query can be used to differentiate between the + two cases.' + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field.' + example: www.elastic.co + - name: path + level: extended + type: keyword + ignore_above: 1024 + description: Path of the request, such as "/search". + - name: top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for google.com is "com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). 
Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.google.com" is "google.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: google.com +- name: service + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the service data is collected from. + + The name of the service is normally user given. This allows for distributed + services that run on multiple hosts to correlate the related instances based + on the name. + + In the case of Elasticsearch the `service.name` could contain the cluster name. + For Beats the `service.name` is by default a copy of the `service.type` field + if no name is specified.' + example: elasticsearch-metrics +- name: server + type: group + fields: + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Server domain. +- name: process + type: group + fields: + - name: pid + level: core + type: long + format: string + description: Process id. + example: 4242 + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + - name: ppid + level: extended + type: long + format: string + description: Parent process' pid. 
+ example: 4241 + - name: parent + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' +- name: rule + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: The name of the rule or signature generating the event. + example: BLOCK_DNS_over_TLS + default_field: false +- name: user_agent + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Unparsed user_agent string. + example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 + (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 +- name: http + type: group + fields: + - name: response + type: group + fields: + - name: body + type: group + fields: + - name: content + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: The full HTTP response body. 
+ example: Hello world + - name: request + type: group + fields: + - name: referrer + level: extended + type: keyword + ignore_above: 1024 + description: Referrer for this HTTP request. + example: https://blog.example.com/ + - name: method + level: extended + type: keyword + ignore_above: 1024 + description: 'HTTP request method. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: get, post, put +- name: geo + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + - name: region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec +- name: dns + type: group + fields: + - name: question + type: group + fields: + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of record being queried. + example: AAAA + - name: answers + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'The domain name to which this resource record pertains. + + If a chain of CNAME is being resolved, each answer''s `name` should be the + one that corresponds with the answer''s `data`. It should not simply be the + original `question.name` repeated.' + example: www.google.com + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of data contained in this resource record. 
+ example: CNAME
diff --git a/packages/kaspersky/0.1.0/dataset/av/fields/fields.yml b/packages/kaspersky/0.1.0/dataset/av/fields/fields.yml
new file mode 100644
index 0000000000..2abc947fe7
--- /dev/null
+++ b/packages/kaspersky/0.1.0/dataset/av/fields/fields.yml
@@ -0,0 +1,1939 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. 
+ - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a 
generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare
+ type: group
+ fields:
+ - name: patient_fname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ type: group
+ fields:
+ - name: host_state
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/packages/kaspersky/0.1.0/dataset/av/manifest.yml b/packages/kaspersky/0.1.0/dataset/av/manifest.yml
new file mode 100644
index 0000000000..65431a71a9
--- /dev/null
+++ b/packages/kaspersky/0.1.0/dataset/av/manifest.yml
@@ -0,0 +1,155 @@
+title: Kaspersky Anti-Virus logs
+release: experimental
+type: logs
+streams:
+- input: udp
+ title: Kaspersky Anti-Virus logs
+ description: Collect Kaspersky Anti-Virus logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - kaspersky-av
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9513
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: tcp
+ title: Kaspersky Anti-Virus logs
+ description: Collect Kaspersky Anti-Virus logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - kaspersky-av
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9513
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: file
+ title: Kaspersky Anti-Virus logs
+ description: Collect Kaspersky Anti-Virus logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/kaspersky-av.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - kaspersky-av
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
diff --git a/packages/kaspersky/0.1.0/docs/README.md b/packages/kaspersky/0.1.0/docs/README.md
new file mode 100644
index 0000000000..5a78793495
--- /dev/null
+++ b/packages/kaspersky/0.1.0/docs/README.md
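Review bot: The `tz_offset` variable's title, `Timezone offset (+HH:mm format)`, contradicts its own `default: "local"` in all three streams of this manifest, so someone editing the policy cannot tell from the UI that `local` is an accepted value; `title: Timezone offset (+HH:mm format, or "local")` would make the two agree. The `file` stream is also the only one of the three without a `template_path`, so it presumably relies on the package's default template name; an explicit `template_path: stream.yml.hbs` would make the streams consistent, provided that is the template the dataset actually ships. Keeping `udp_host`/`tcp_host` defaulted to `localhost` is the right choice for a listener that accepts unauthenticated syslog, and is worth preserving if these defaults are ever revisited.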
@@ -0,0 +1,780 @@ +# Kaspersky integration + +This integration is for Kaspersky device's logs. It includes the following +datasets for receiving logs over syslog or read from a file: +- `av` dataset: supports Kaspersky Anti-Virus logs. + +### Av + +The `av` dataset collects Kaspersky Anti-Virus logs. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| dataset.name | Dataset name. | constant_keyword | +| dataset.namespace | Dataset namespace. | constant_keyword | +| dataset.type | Dataset type. | constant_keyword | +| datastream.dataset | Datastream dataset. | constant_keyword | +| datastream.namespace | Datastream namespace. | constant_keyword | +| datastream.type | Datastream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | Destination domain. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location.lat | | double | +| destination.geo.location.lon | | double | +| destination.ip | IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses. | ip | +| destination.mac | MAC address of the destination. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. 
| keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| http.request.method | HTTP request method. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.body.content | The full HTTP response body. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. 
| keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | +| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.pid | Process id. | long | +| process.ppid | Parent process' pid. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. 
| keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is 
used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| rsa.crypto.ike | IKE negotiation phase. 
| keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | +| rsa.file.directory_dst | This key is used to capture the directory of the target process or file | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | +| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.event_desc | | keyword | +| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | +| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | +| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.inode | Deprecated key defined only in table map. | long | +| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | +| rsa.internal.level | Deprecated key defined only in table map. | long | +| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | +| rsa.internal.message | This key captures the contents of instant messages | keyword | +| rsa.internal.messageid | | keyword | +| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | +| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.site | Deprecated key defined only in table map. | keyword | +| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.statement | Deprecated key defined only in table map. | keyword | +| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | +| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | +| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | +| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | +| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | +| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | +| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | +| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | +| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | +| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | +| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | +| rsa.investigations.event_cat | This key captures the Event category number | long | +| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | +| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | +| rsa.investigations.inv_category | This used to capture investigation category | keyword | +| rsa.investigations.inv_context | This used to capture investigation context | keyword | +| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | +| rsa.misc.OS | This key captures the Name of the Operating System | keyword | +| rsa.misc.acl_id | | keyword | +| rsa.misc.acl_op | | keyword | +| rsa.misc.acl_pos | | keyword | +| rsa.misc.acl_table | | keyword | +| rsa.misc.action | | keyword | +| rsa.misc.admin | | keyword | +| rsa.misc.agent_id | This key is used to capture agent id | keyword | +| rsa.misc.alarm_id | | keyword | +| rsa.misc.alarmname | | keyword | +| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.app_id | | keyword | +| rsa.misc.audit | | keyword | +| rsa.misc.audit_object | | keyword | +| rsa.misc.auditdata | | keyword | +| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | +| rsa.misc.benchmark | | keyword | +| rsa.misc.bypass | | keyword | +| rsa.misc.cache | | keyword | +| rsa.misc.cache_hit | | keyword | +| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | +| rsa.misc.cc_number | Valid Credit Card Numbers only | long | +| rsa.misc.cefversion | | keyword | +| rsa.misc.cfg_attr | | keyword | +| rsa.misc.cfg_obj | | keyword | +| rsa.misc.cfg_path | | keyword | +| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | +| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | +| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | +| rsa.misc.changes | | keyword | +| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | +| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | +| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | +| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | +| rsa.misc.client_ip | | keyword | +| rsa.misc.clustermembers | | keyword | +| rsa.misc.cmd | | keyword | +| rsa.misc.cn_acttimeout | | keyword | +| rsa.misc.cn_asn_src | | keyword | +| rsa.misc.cn_bgpv4nxthop | | keyword | +| rsa.misc.cn_ctr_dst_code | | keyword | +| rsa.misc.cn_dst_tos | | keyword | +| rsa.misc.cn_dst_vlan | | keyword | +| rsa.misc.cn_engine_id | | keyword | +| rsa.misc.cn_engine_type | | keyword | +| rsa.misc.cn_f_switch | | keyword | +| rsa.misc.cn_flowsampid | | keyword | +| rsa.misc.cn_flowsampintv | | keyword | +| rsa.misc.cn_flowsampmode | | keyword | +| rsa.misc.cn_inacttimeout | | keyword | +| rsa.misc.cn_inpermbyts | | keyword | +| rsa.misc.cn_inpermpckts | | keyword | +| rsa.misc.cn_invalid | | keyword | +| rsa.misc.cn_ip_proto_ver | | keyword | +| rsa.misc.cn_ipv4_ident | | keyword | +| rsa.misc.cn_l_switch | | keyword | +| rsa.misc.cn_log_did | | keyword | +| rsa.misc.cn_log_rid | | keyword | +| rsa.misc.cn_max_ttl | | keyword | +| rsa.misc.cn_maxpcktlen | | keyword | +| rsa.misc.cn_min_ttl | | keyword | +| rsa.misc.cn_minpcktlen | | keyword | +| rsa.misc.cn_mpls_lbl_1 | | keyword | +| rsa.misc.cn_mpls_lbl_10 | | keyword | +| rsa.misc.cn_mpls_lbl_2 | | keyword | +| rsa.misc.cn_mpls_lbl_3 | | keyword | +| rsa.misc.cn_mpls_lbl_4 | | keyword | +| rsa.misc.cn_mpls_lbl_5 | 
| keyword | +| rsa.misc.cn_mpls_lbl_6 | | keyword | +| rsa.misc.cn_mpls_lbl_7 | | keyword | +| rsa.misc.cn_mpls_lbl_8 | | keyword | +| rsa.misc.cn_mpls_lbl_9 | | keyword | +| rsa.misc.cn_mplstoplabel | | keyword | +| rsa.misc.cn_mplstoplabip | | keyword | +| rsa.misc.cn_mul_dst_byt | | keyword | +| rsa.misc.cn_mul_dst_pks | | keyword | +| rsa.misc.cn_muligmptype | | keyword | +| rsa.misc.cn_sampalgo | | keyword | +| rsa.misc.cn_sampint | | keyword | +| rsa.misc.cn_seqctr | | keyword | +| rsa.misc.cn_spackets | | keyword | +| rsa.misc.cn_src_tos | | keyword | +| rsa.misc.cn_src_vlan | | keyword | +| rsa.misc.cn_sysuptime | | keyword | +| rsa.misc.cn_template_id | | keyword | +| rsa.misc.cn_totbytsexp | | keyword | +| rsa.misc.cn_totflowexp | | keyword | +| rsa.misc.cn_totpcktsexp | | keyword | +| rsa.misc.cn_unixnanosecs | | keyword | +| rsa.misc.cn_v6flowlabel | | keyword | +| rsa.misc.cn_v6optheaders | | keyword | +| rsa.misc.code | | keyword | +| rsa.misc.command | | keyword | +| rsa.misc.comments | Comment information provided in the log message | keyword | +| rsa.misc.comp_class | | keyword | +| rsa.misc.comp_name | | keyword | +| rsa.misc.comp_rbytes | | keyword | +| rsa.misc.comp_sbytes | | keyword | +| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | +| rsa.misc.connection_id | This key captures the Connection ID | keyword | +| rsa.misc.content | This key captures the content type from protocol headers | keyword | +| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | +| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | +| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | +| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | +| rsa.misc.context_target | | keyword | +| rsa.misc.count | | keyword | +| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | +| rsa.misc.cpu_data | | keyword | +| rsa.misc.criticality | | keyword | +| rsa.misc.cs_agency_dst | | keyword | +| rsa.misc.cs_analyzedby | | keyword | +| rsa.misc.cs_av_other | | keyword | +| rsa.misc.cs_av_primary | | keyword | +| rsa.misc.cs_av_secondary | | keyword | +| rsa.misc.cs_bgpv6nxthop | | keyword | +| rsa.misc.cs_bit9status | | keyword | +| rsa.misc.cs_context | | keyword | +| rsa.misc.cs_control | | keyword | +| rsa.misc.cs_data | | keyword | +| rsa.misc.cs_datecret | | keyword | +| rsa.misc.cs_dst_tld | | keyword | +| rsa.misc.cs_eth_dst_ven | | keyword | +| rsa.misc.cs_eth_src_ven | | keyword | +| rsa.misc.cs_event_uuid | | keyword | +| rsa.misc.cs_filetype | | keyword | +| rsa.misc.cs_fld | | keyword | +| rsa.misc.cs_if_desc | | keyword | +| rsa.misc.cs_if_name | | keyword | +| rsa.misc.cs_ip_next_hop | | keyword | +| rsa.misc.cs_ipv4dstpre | | keyword | +| rsa.misc.cs_ipv4srcpre | | keyword | +| rsa.misc.cs_lifetime | | keyword | +| rsa.misc.cs_log_medium | | keyword | +| rsa.misc.cs_loginname | | keyword | +| rsa.misc.cs_modulescore | | keyword | +| rsa.misc.cs_modulesign | | keyword | +| rsa.misc.cs_opswatresult | | keyword | +| rsa.misc.cs_payload | | keyword | +| rsa.misc.cs_registrant | | keyword | +| rsa.misc.cs_registrar | | keyword | +| rsa.misc.cs_represult | | keyword | +| rsa.misc.cs_rpayload | | keyword | +| rsa.misc.cs_sampler_name | | keyword | +| rsa.misc.cs_sourcemodule | | keyword | +| rsa.misc.cs_streams | | keyword | +| rsa.misc.cs_targetmodule | | keyword | +| rsa.misc.cs_v6nxthop | | keyword | +| rsa.misc.cs_whois_server | | keyword | +| rsa.misc.cs_yararesult | | keyword | +| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | +| rsa.misc.data_type | | keyword | +| rsa.misc.description | | keyword | +| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | +| rsa.misc.devvendor | | keyword | +| rsa.misc.disposition | This key captures the The end state of an action. | keyword | +| rsa.misc.distance | | keyword | +| rsa.misc.doc_number | This key captures File Identification number | long | +| rsa.misc.dstburb | | keyword | +| rsa.misc.edomain | | keyword | +| rsa.misc.edomaub | | keyword | +| rsa.misc.ein_number | Employee Identification Numbers only | long | +| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | +| rsa.misc.euid | | keyword | +| rsa.misc.event_category | | keyword | +| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | +| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | +| rsa.misc.event_id | | keyword | +| rsa.misc.event_log | This key captures the Name of the event log | keyword | +| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | +| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | +| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | +| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | +| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | +| rsa.misc.facility | | keyword | +| rsa.misc.facilityname | | keyword | +| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | +| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | +| rsa.misc.finterface | | keyword | +| rsa.misc.flags | | keyword | +| rsa.misc.forensic_info | | keyword | +| rsa.misc.found | This is used to capture the results of regex match | keyword | +| rsa.misc.fresult | This key captures the Filter Result | long | +| rsa.misc.gaddr | | keyword | +| rsa.misc.group | This key captures the Group Name value | keyword | +| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | +| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | +| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | +| rsa.misc.id3 | | keyword | +| rsa.misc.im_buddyid | | keyword | +| rsa.misc.im_buddyname | | keyword | +| rsa.misc.im_client | | keyword | +| rsa.misc.im_croomid | | keyword | +| rsa.misc.im_croomtype | | keyword | +| rsa.misc.im_members | | keyword | +| rsa.misc.im_userid | | keyword | +| rsa.misc.im_username | | keyword | +| rsa.misc.index | | keyword | +| rsa.misc.inout | | keyword | +| rsa.misc.ipkt | | keyword | +| rsa.misc.ipscat | | keyword | +| rsa.misc.ipspri | | keyword | +| rsa.misc.job_num | This key captures the Job Number | keyword | +| rsa.misc.jobname | | keyword | +| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | +| rsa.misc.latitude | | keyword | +| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | +| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | +| rsa.misc.linenum | | keyword | +| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.misc.list_name | | keyword | +| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | +| rsa.misc.load_data | | keyword | +| rsa.misc.location_floor | | keyword | +| rsa.misc.location_mark | | keyword | +| rsa.misc.log_id | | keyword | +| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | +| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | +| rsa.misc.log_type | | keyword | +| rsa.misc.logid | | keyword | +| rsa.misc.logip | | keyword | +| rsa.misc.logname | | keyword | +| rsa.misc.longitude | | keyword | +| rsa.misc.lport | | keyword | +| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | +| rsa.misc.match | This key is for regex match name from search.ini | keyword | +| rsa.misc.mbug_data | | keyword | +| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | +| rsa.misc.misc | | keyword | +| rsa.misc.misc_name | | keyword | +| rsa.misc.mode | | keyword | +| rsa.misc.msgIdPart1 | | keyword | +| rsa.misc.msgIdPart2 | | keyword | +| rsa.misc.msgIdPart3 | | keyword | +| rsa.misc.msgIdPart4 | | keyword | +| rsa.misc.msg_type | | keyword | +| rsa.misc.msgid | | keyword | +| rsa.misc.name | | keyword | +| rsa.misc.netsessid | | keyword | +| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long 
| +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target **VMWARE** only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | +| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | +| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | +| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | +| rsa.threat.alert | This key is used to capture name of the alert | keyword | +| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | +| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | +| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | +| rsa.time.date | | keyword | +| rsa.time.datetime | | keyword | +| rsa.time.day | | keyword | +| rsa.time.duration_str | A text string version of the duration | keyword | +| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | +| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | +| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | +| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | +| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | +| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | +| rsa.time.eventtime | | keyword | +| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | +| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | +| rsa.time.gmtdate | | keyword | +| rsa.time.gmttime | | keyword | +| rsa.time.hour | | keyword | +| rsa.time.min | | keyword | +| rsa.time.month | | keyword | +| rsa.time.p_date | | keyword | +| rsa.time.p_month | | keyword | +| rsa.time.p_time | | keyword | +| rsa.time.p_time1 | | keyword | +| rsa.time.p_time2 | | keyword | +| rsa.time.p_year | | keyword | +| rsa.time.process_time | Deprecated, use duration.time | keyword | +| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | +| rsa.time.stamp | Deprecated key defined only in table map. | date | +| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | +| rsa.time.timestamp | | keyword | +| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | +| rsa.time.tzone | | keyword | +| rsa.time.year | | keyword | +| rsa.web.alias_host | | keyword | +| rsa.web.cn_asn_dst | | keyword | +| rsa.web.cn_rpackets | | keyword | +| rsa.web.fqdn | Fully Qualified Domain Names | keyword | +| rsa.web.p_url | | keyword | +| rsa.web.p_user_agent | | keyword | +| rsa.web.p_web_cookie | | keyword | +| rsa.web.p_web_method | | keyword | +| rsa.web.p_web_referer | | keyword | +| rsa.web.remote_domain | | keyword | +| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | +| rsa.web.urlpage | | keyword | +| rsa.web.urlroot | | keyword | +| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword |
+| rsa.web.web_extension_tmp | | keyword |
+| rsa.web.web_page | | keyword |
+| rsa.web.web_ref_domain | Web referer's domain | keyword |
+| rsa.web.web_ref_page | This key captures Web referer's page information | keyword |
+| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword |
+| rsa.web.web_ref_root | Web referer's root URL path | keyword |
+| rsa.wireless.access_point | This key is used to capture the access point name. | keyword |
+| rsa.wireless.wlan_channel | This is used to capture the channel names | long |
+| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword |
+| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword |
+| rule.name | The name of the rule or signature generating the event. | keyword |
+| server.domain | Server domain. | keyword |
+| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.domain | Source domain. | keyword |
+| source.geo.city_name | City name. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location.lat | | double |
+| source.geo.location.lon | | double |
+| source.ip | IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.
| ip |
+| source.mac | MAC address of the source. | keyword |
+| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
+| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
+| source.port | Port of the source. | long |
+| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | keyword |
+| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword |
+| url.path | Path of the request, such as "/search". | keyword |
+| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
+| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com".
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.id | Unique identifiers of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | diff --git a/packages/kaspersky/0.1.0/img/logo.svg b/packages/kaspersky/0.1.0/img/logo.svg new file mode 100644 index 0000000000..fd01b44f12 --- /dev/null +++ b/packages/kaspersky/0.1.0/img/logo.svg @@ -0,0 +1,25 @@ + + + + + + diff --git a/packages/kaspersky/0.1.0/manifest.yml b/packages/kaspersky/0.1.0/manifest.yml new file mode 100644 index 0000000000..aa49bfa860 --- /dev/null +++ b/packages/kaspersky/0.1.0/manifest.yml 
@@ -0,0 +1,36 @@
+format_version: 1.0.0
+name: kaspersky
+title: Kaspersky Anti-Virus
+version: 0.1.0
+description: Kaspersky Anti-Virus Integration
+categories: ["security"]
+release: experimental
+removable: true
+license: basic
+type: integration
+conditions:
+ kibana:
+ version: '>=7.9.0'
+ elasticsearch:
+ version: '>=7.9.0'
+config_templates:
+- name: av
+ title: Kaspersky Anti-Virus
+ description: Collect Kaspersky Anti-Virus logs from syslog or a file.
+ inputs:
+ - type: udp
+ title: Collect logs from Kaspersky Anti-Virus via UDP
+ description: Collecting syslog from Kaspersky Anti-Virus via UDP
+ - type: tcp
+ title: Collect logs from Kaspersky Anti-Virus via TCP
+ description: Collecting syslog from Kaspersky Anti-Virus via TCP
+ - type: file
+ title: Collect logs from Kaspersky Anti-Virus via file
+ description: Collecting syslog from Kaspersky Anti-Virus via file.
+# No icon
+icons:
+ - src: /img/logo.svg
+ title: Kaspersky Anti-Virus logo
+ size: 32x32
+ type: image/svg+xml
+
diff --git a/packages/netscout/0.1.0/dataset/sightline/agent/stream/stream.yml.hbs b/packages/netscout/0.1.0/dataset/sightline/agent/stream/stream.yml.hbs
new file mode 100644
index 0000000000..fc9bf187cf
--- /dev/null
+++ b/packages/netscout/0.1.0/dataset/sightline/agent/stream/stream.yml.hbs
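Review bot: The `# No icon` comment sits directly above an `icons:` block that does declare `/img/logo.svg`, so the comment is stale and misleads anyone skimming the manifest; drop it, or replace it with `# Package icon shown in the Kibana integrations UI.`. The three input descriptions are also inconsistent in punctuation: the UDP and TCP entries have no trailing period while `Collecting syslog from Kaspersky Anti-Virus via file.` does, so either add or remove the period across all three. The manifest hunk is complete, so these are the only points in it.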
@@ -0,0 +1,3401 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Netscout" + product: "Arbor" + type: "DDOS" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{hday->} %{htime->} %{hdata}: %{p0}"); + + var dup2 = match("HEADER#1:0002/1_0", "nwparser.p0", "high %{p0}"); + + var dup3 = match("HEADER#1:0002/1_1", "nwparser.p0", "low %{p0}"); + + var dup4 = call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant("_"), + field("msgIdPart2"), + ], + }); + + var dup5 = match("HEADER#2:0008/2", "nwparser.p0", "%{} %{p0}"); + + var dup6 = match("HEADER#2:0008/3_0", "nwparser.p0", "jitter %{p0}"); + + var dup7 = match("HEADER#2:0008/3_1", "nwparser.p0", "loss %{p0}"); + + var dup8 = match("HEADER#2:0008/3_2", "nwparser.p0", "bps %{p0}"); + + var dup9 = match("HEADER#2:0008/3_3", "nwparser.p0", "pps %{p0}"); + + var dup10 = match("HEADER#3:0003/4", "nwparser.p0", "%{} %{msgIdPart1->} %{msgIdPart2->} %{payload}"); + + var dup11 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("payload"), + ], + }); + + var dup12 = setc("eventcategory","1801010000"); + + var dup13 = setf("msg","$MSG"); + + var dup14 = date_time({ + dest: "starttime", + args: ["fld15","fld16","fld17","fld18","fld19","fld20"], + fmts: [ + [dW,dM,dD,dH,dT,dS], + ], + }); + + var dup15 = setc("eventcategory","1801020000"); + + var dup16 = date_time({ + dest: "endtime", + args: ["fld15","fld16","fld17","fld18","fld19","fld20"], + fmts: [ + [dW,dM,dD,dH,dT,dS], + ], + }); + + var dup17 = setc("eventcategory","1607000000"); + + var dup18 = setc("eventcategory","1605000000"); + + var dup19 = setc("eventcategory","1701000000"); + + var dup20 = setc("eventcategory","1603010000"); + + var dup21 = match("MESSAGE#19:mitigation:TMS_Start/1_0", "nwparser.p0", "%{fld21}, %{p0}"); + + var dup22 = match("MESSAGE#19:mitigation:TMS_Start/1_1", "nwparser.p0", ", %{p0}"); + + var dup23 = match("MESSAGE#19:mitigation:TMS_Start/2", "nwparser.p0", "%{}leader %{parent_node}"); + + var 
dup24 = setc("eventcategory","1502020000"); + + var dup25 = setc("event_type","TMS mitigation"); + + var dup26 = setc("disposition","ongoing"); + + var dup27 = setc("disposition","done"); + + var dup28 = setc("event_type","Third party mitigation"); + + var dup29 = setc("event_type","Blackhole mitigation"); + + var dup30 = setc("event_type","Flowspec mitigation"); + + var dup31 = match("MESSAGE#39:anomaly:Resource_Info:01/1_0", "nwparser.p0", "%{fld21->} duration %{p0}"); + + var dup32 = match("MESSAGE#39:anomaly:Resource_Info:01/1_1", "nwparser.p0", "duration %{p0}"); + + var dup33 = match("MESSAGE#39:anomaly:Resource_Info:01/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}, %{info}"); + + var dup34 = setc("eventcategory","1002000000"); + + var dup35 = setc("signame","Bandwidth"); + + var dup36 = date_time({ + dest: "starttime", + args: ["fld15","fld16","fld17","fld18","fld19","fld20"], + fmts: [ + [dW,dM,dD,dN,dU,dO], + ], + }); + + var dup37 = match("MESSAGE#40:anomaly:Resource_Info:02/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}"); + + var dup38 = date_time({ + dest: "starttime", + args: ["fld2","fld3"], + fmts: [ + [dW,dc("-"),dM,dc("-"),dF,dZ], + ], + }); + + var dup39 = linear_select([ + dup2, + dup3, + ]); + + var dup40 = linear_select([ + dup6, + dup7, + dup8, + dup9, + ]); + + var dup41 = match("MESSAGE#2:BGP:Down", "nwparser.payload", "%{protocol->} down for router %{node}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup12, + dup13, + dup14, + ])); + + var dup42 = match("MESSAGE#3:BGP:Restored", "nwparser.payload", "%{protocol->} restored for router %{node}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup15, + dup13, + dup16, + 
])); + + var dup43 = linear_select([ + dup21, + dup22, + ]); + + var dup44 = linear_select([ + dup31, + dup32, + ]); + + var part1 = match("HEADER#0:0001/1_0", "nwparser.p0", "TMS %{p0}"); + + var part2 = match("HEADER#0:0001/1_1", "nwparser.p0", "Third party %{p0}"); + + var part3 = match("HEADER#0:0001/1_2", "nwparser.p0", "Blackhole %{p0}"); + + var part4 = match("HEADER#0:0001/1_3", "nwparser.p0", "Flowspec %{p0}"); + + var select1 = linear_select([ + part1, + part2, + part3, + part4, + ]); + + var part5 = match("HEADER#0:0001/2", "nwparser.p0", "%{} %{messageid->} %{payload}"); + + var all1 = all_match({ + processors: [ + dup1, + select1, + part5, + ], + on_success: processor_chain([ + setc("header_id","0001"), + ]), + }); + + var part6 = match("HEADER#1:0002/2", "nwparser.p0", "%{}interface %{msgIdPart1->} %{msgIdPart2->} %{payload}"); + + var all2 = all_match({ + processors: [ + dup1, + dup39, + part6, + ], + on_success: processor_chain([ + setc("header_id","0002"), + dup4, + ]), + }); + + var part7 = match("HEADER#2:0008/4", "nwparser.p0", "%{} %{msgIdPart1->} %{hfld1->} for service %{payload}"); + + var all3 = all_match({ + processors: [ + dup1, + dup39, + dup5, + dup40, + part7, + ], + on_success: processor_chain([ + setc("header_id","0008"), + call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + constant("usage_"), + field("msgIdPart1"), + ], + }), + ]), + }); + + var all4 = all_match({ + processors: [ + dup1, + dup39, + dup5, + dup40, + dup10, + ], + on_success: processor_chain([ + setc("header_id","0003"), + dup4, + ]), + }); + + var part8 = match("HEADER#4:0004/1_2", "nwparser.p0", "High %{p0}"); + + var select2 = linear_select([ + dup2, + dup3, + part8, + ]); + + var all5 = all_match({ + processors: [ + dup1, + select2, + dup10, + ], + on_success: processor_chain([ + setc("header_id","0004"), + dup4, + ]), + }); + + var hdr1 = match("HEADER#5:0005", "message", "%{hmonth->} %{hday->} %{htime->} pfsp: The %{messageid->} %{payload}", 
processor_chain([ + setc("header_id","0005"), + dup11, + ])); + + var hdr2 = match("HEADER#6:0006", "message", "%{hmonth->} %{hday->} %{htime->} pfsp: Alert %{messageid->} %{payload}", processor_chain([ + setc("header_id","0006"), + dup11, + ])); + + var hdr3 = match("HEADER#7:0007", "message", "%{hmonth->} %{hday->} %{htime->} pfsp: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0007"), + dup11, + ])); + + var hdr4 = match("HEADER#8:0010", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1}: %{msgIdPart1->} %{msgIdPart2}: %{payload}", processor_chain([ + setc("header_id","0010"), + dup4, + ])); + + var hdr5 = match("HEADER#9:0009", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0009"), + ])); + + var select3 = linear_select([ + all1, + all2, + all3, + all4, + all5, + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + ]); + + var part9 = match("MESSAGE#0:Flow:Down", "nwparser.payload", "Flow down for router %{node}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup12, + dup13, + dup14, + ])); + + var msg1 = msg("Flow:Down", part9); + + var part10 = match("MESSAGE#1:Flow:Restored", "nwparser.payload", "Flow restored for router %{node}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup15, + dup13, + dup16, + ])); + + var msg2 = msg("Flow:Restored", part10); + + var select4 = linear_select([ + msg1, + msg2, + ]); + + var msg3 = msg("BGP:Down", dup41); + + var msg4 = msg("BGP:Restored", dup42); + + var part11 = match("MESSAGE#4:BGP:Instability", "nwparser.payload", "%{protocol->} instability router %{node->} threshold %{fld25->} (%{fld1}) observed %{trigger_val->} (%{fld2})", processor_chain([ + dup17, + dup13, + ])); + + var msg5 = msg("BGP:Instability", part11); + + var part12 = match("MESSAGE#5:BGP:Instability_Ended", "nwparser.payload", 
"%{protocol->} Instability for router %{node->} ended", processor_chain([ + dup18, + dup13, + ])); + + var msg6 = msg("BGP:Instability_Ended", part12); + + var part13 = match("MESSAGE#6:BGP:Hijack", "nwparser.payload", "%{protocol->} Hijack local_prefix %{fld26->} router %{node->} bgp_prefix %{fld27->} bgp_attributes %{event_description}", processor_chain([ + setc("eventcategory","1002050000"), + dup13, + ])); + + var msg7 = msg("BGP:Hijack", part13); + + var part14 = match("MESSAGE#7:BGP:Hijack_Done", "nwparser.payload", "%{protocol->} Hijack for prefix %{fld26->} router %{node->} done", processor_chain([ + dup18, + dup13, + ])); + + var msg8 = msg("BGP:Hijack_Done", part14); + + var part15 = match("MESSAGE#8:BGP:Trap", "nwparser.payload", "%{protocol->} Trap %{node}: Prefix %{fld5->} %{fld6->} %{event_description}", processor_chain([ + dup19, + dup13, + ])); + + var msg9 = msg("BGP:Trap", part15); + + var select5 = linear_select([ + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + ]); + + var part16 = match("MESSAGE#9:Device:Unreachable", "nwparser.payload", "Device %{node->} unreachable by controller %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20}", processor_chain([ + dup12, + dup13, + dup14, + ])); + + var msg10 = msg("Device:Unreachable", part16); + + var part17 = match("MESSAGE#10:Device:Reachable", "nwparser.payload", "Device %{node->} reachable again by controller %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup15, + dup13, + dup16, + ])); + + var msg11 = msg("Device:Reachable", part17); + + var select6 = linear_select([ + msg10, + msg11, + ]); + + var part18 = match("MESSAGE#11:Hardware:Failure", "nwparser.payload", "Hardware failure on %{node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} GMT: %{event_description}", processor_chain([ + dup20, + dup13, + dup14, + ])); + + var msg12 = msg("Hardware:Failure", part18); + + var part19 = 
match("MESSAGE#12:Hardware:Failure_Done", "nwparser.payload", "Hardware failure on %{node->} done at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21->} GMT: %{event_description}", processor_chain([ + dup18, + dup13, + dup16, + ])); + + var msg13 = msg("Hardware:Failure_Done", part19); + + var select7 = linear_select([ + msg12, + msg13, + ]); + + var msg14 = msg("SNMP:Down", dup41); + + var msg15 = msg("SNMP:Restored", dup42); + + var select8 = linear_select([ + msg14, + msg15, + ]); + + var part20 = match("MESSAGE#15:configuration", "nwparser.payload", "configuration was changed on leader %{parent_node->} to version %{version->} by %{administrator}", processor_chain([ + dup19, + dup13, + setc("event_description","Configuration changed"), + ])); + + var msg16 = msg("configuration", part20); + + var part21 = match("MESSAGE#16:Autoclassification", "nwparser.payload", "Autoclassification was restarted on %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21->} by %{administrator}", processor_chain([ + dup19, + dup13, + setc("event_description","Autoclassification restarted"), + dup14, + ])); + + var msg17 = msg("Autoclassification", part21); + + var part22 = match("MESSAGE#17:GRE:Down", "nwparser.payload", "GRE tunnel down for destination %{daddr}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup12, + dup13, + dup14, + ])); + + var msg18 = msg("GRE:Down", part22); + + var part23 = match("MESSAGE#18:GRE:Restored", "nwparser.payload", "GRE tunnel restored for destination %{daddr}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + setc("eventcategory","1801020100"), + dup13, + dup16, + ])); + + var msg19 = msg("GRE:Restored", part23); + + var select9 = linear_select([ + msg18, + msg19, + ]); + + var part24 = match("MESSAGE#19:mitigation:TMS_Start/0", "nwparser.payload", "pfsp: TMS mitigation 
%{policyname->} started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all6 = all_match({ + processors: [ + part24, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup25, + dup26, + dup14, + ]), + }); + + var msg20 = msg("mitigation:TMS_Start", all6); + + var part25 = match("MESSAGE#20:mitigation:TMS_Stop/0", "nwparser.payload", "pfsp: TMS mitigation %{policyname->} stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all7 = all_match({ + processors: [ + part25, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup25, + dup27, + dup16, + ]), + }); + + var msg21 = msg("mitigation:TMS_Stop", all7); + + var part26 = match("MESSAGE#21:mitigation:Thirdparty_Start/0", "nwparser.payload", "pfsp: Third party mitigation %{node->} started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all8 = all_match({ + processors: [ + part26, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup28, + dup26, + dup14, + ]), + }); + + var msg22 = msg("mitigation:Thirdparty_Start", all8); + + var part27 = match("MESSAGE#22:mitigation:Thirdparty_Stop/0", "nwparser.payload", "pfsp: Third party mitigation %{node->} stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all9 = all_match({ + processors: [ + part27, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup28, + dup27, + ]), + }); + + var msg23 = msg("mitigation:Thirdparty_Stop", all9); + + var part28 = match("MESSAGE#23:mitigation:Blackhole_Start/0", "nwparser.payload", "pfsp: Blackhole mitigation %{node->} started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all10 = all_match({ + processors: [ + part28, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup29, + dup26, + dup14, + ]), + }); + + var msg24 = msg("mitigation:Blackhole_Start", all10); + + var 
part29 = match("MESSAGE#24:mitigation:Blackhole_Stop/0", "nwparser.payload", "pfsp: Blackhole mitigation %{node->} stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all11 = all_match({ + processors: [ + part29, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup29, + dup27, + ]), + }); + + var msg25 = msg("mitigation:Blackhole_Stop", all11); + + var part30 = match("MESSAGE#25:mitigation:Flowspec_Start/0", "nwparser.payload", "pfsp: Flowspec mitigation %{node->} started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all12 = all_match({ + processors: [ + part30, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup30, + dup26, + dup14, + ]), + }); + + var msg26 = msg("mitigation:Flowspec_Start", all12); + + var part31 = match("MESSAGE#26:mitigation:Flowspec_Stop/0", "nwparser.payload", "pfsp: Flowspec mitigation %{node->} stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all13 = all_match({ + processors: [ + part31, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup30, + dup27, + ]), + }); + + var msg27 = msg("mitigation:Flowspec_Stop", all13); + + var select10 = linear_select([ + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + ]); + + var part32 = match("MESSAGE#27:TMS:Fault_Cleared", "nwparser.payload", "TMS '%{event_description}' fault for resource '%{resource}' on TMS %{node->} cleared", processor_chain([ + dup18, + dup13, + setc("event_type","Fault Cleared"), + ])); + + var msg28 = msg("TMS:Fault_Cleared", part32); + + var part33 = match("MESSAGE#28:TMS:Fault", "nwparser.payload", "TMS '%{event_description}' fault for resource '%{resource}' on TMS %{node}", processor_chain([ + dup20, + dup13, + setc("event_type","Fault Occured"), + ])); + + var msg29 = msg("TMS:Fault", part33); + + var select11 = linear_select([ + msg28, + msg29, + ]); + + var part34 = 
match("MESSAGE#29:usage_alert:Interface", "nwparser.payload", "pfsp: %{trigger_desc->} interface usage alert %{fld1->} for router %{node->} interface \"%{interface}\" speed %{fld2->} threshold %{fld25->} observed %{trigger_val->} pct %{fld3}", processor_chain([ + dup17, + dup13, + ])); + + var msg30 = msg("usage_alert:Interface", part34); + + var part35 = match("MESSAGE#30:usage_alert:Interface_Done", "nwparser.payload", "pfsp: %{trigger_desc->} interface usage alert %{fld1->} done for router %{node->} interface \"%{interface}\"", processor_chain([ + dup18, + dup13, + ])); + + var msg31 = msg("usage_alert:Interface_Done", part35); + + var part36 = match("MESSAGE#31:usage_alert:Fingerprint_Threshold", "nwparser.payload", "pfsp: %{trigger_desc->} usage alert %{fld1->} for fingerprint %{policyname->} threshold %{fld25->} observed %{trigger_val}", processor_chain([ + dup17, + dup13, + ])); + + var msg32 = msg("usage_alert:Fingerprint_Threshold", part36); + + var part37 = match("MESSAGE#32:usage_alert:Fingerprint_Threshold_Done", "nwparser.payload", "pfsp: %{trigger_desc->} usage alert %{fld1->} for fingerprint %{policyname->} done", processor_chain([ + dup18, + dup13, + ])); + + var msg33 = msg("usage_alert:Fingerprint_Threshold_Done", part37); + + var part38 = match("MESSAGE#33:usage_alert:Service_Threshold", "nwparser.payload", "pfsp: %{trigger_desc->} %{fld1->} usage alert %{fld2->} for service %{service}, %{application->} threshold %{fld25->} observed %{trigger_val}", processor_chain([ + dup17, + dup13, + ])); + + var msg34 = msg("usage_alert:Service_Threshold", part38); + + var part39 = match("MESSAGE#34:usage_alert:Service_Threshold_Done", "nwparser.payload", "pfsp: %{trigger_desc->} %{fld1->} alert %{fld2->} for service %{service->} done", processor_chain([ + dup18, + dup13, + ])); + + var msg35 = msg("usage_alert:Service_Threshold_Done", part39); + + var part40 = match("MESSAGE#35:usage_alert:ManagedObject_Threshold", "nwparser.payload", "pfsp: 
%{trigger_desc->} usage alert %{fld1->} for %{category->} %{fld2->} threshold %{fld25->} observed %{trigger_val}", processor_chain([ + dup17, + dup13, + ])); + + var msg36 = msg("usage_alert:ManagedObject_Threshold", part40); + + var part41 = match("MESSAGE#36:usage_alert:ManagedObject_Threshold_Done", "nwparser.payload", "pfsp: %{trigger_desc->} usage alert %{fld1->} for %{fld3->} %{fld4->} done", processor_chain([ + dup18, + dup13, + ])); + + var msg37 = msg("usage_alert:ManagedObject_Threshold_Done", part41); + + var select12 = linear_select([ + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + ]); + + var part42 = match("MESSAGE#37:Test", "nwparser.payload", "Test syslog message%{}", processor_chain([ + dup18, + dup13, + ])); + + var msg38 = msg("Test", part42); + + var part43 = match("MESSAGE#38:script/0", "nwparser.payload", "script %{node->} ran at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all14 = all_match({ + processors: [ + part43, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + setc("event_type","Script mitigation"), + dup26, + dup14, + ]), + }); + + var msg39 = msg("script", all14); + + var part44 = match("MESSAGE#39:anomaly:Resource_Info:01/0", "nwparser.payload", "anomaly Bandwidth id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} impact %{fld10->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all15 = all_match({ + processors: [ + part44, + dup44, + dup33, + ], + on_success: processor_chain([ + dup34, + dup13, + dup35, + dup36, + ]), + }); + + var msg40 = msg("anomaly:Resource_Info:01", all15); + + var part45 = match("MESSAGE#40:anomaly:Resource_Info:02/0", "nwparser.payload", "anomaly Bandwidth id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} src %{daddr}/%{dport->} %{fld1->} dst 
%{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all16 = all_match({ + processors: [ + part45, + dup44, + dup37, + ], + on_success: processor_chain([ + dup34, + dup13, + dup35, + dup36, + ]), + }); + + var msg41 = msg("anomaly:Resource_Info:02", all16); + + var part46 = match("MESSAGE#41:anomaly:Resource_Info:03/0", "nwparser.payload", "anomaly %{signame->} id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} impact %{fld10->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all17 = all_match({ + processors: [ + part46, + dup44, + dup33, + ], + on_success: processor_chain([ + dup34, + dup13, + dup36, + ]), + }); + + var msg42 = msg("anomaly:Resource_Info:03", all17); + + var part47 = match("MESSAGE#42:anomaly:Resource_Info:04/0", "nwparser.payload", "anomaly %{signame->} id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all18 = all_match({ + processors: [ + part47, + dup44, + dup37, + ], + on_success: processor_chain([ + dup34, + dup13, + dup36, + ]), + }); + + var msg43 = msg("anomaly:Resource_Info:04", all18); + + var part48 = match("MESSAGE#43:anomaly:Router_Info:01", "nwparser.payload", "anomaly Bandwidth id %{sigid->} status %{disposition->} severity %{severity->} classification %{category->} router %{fld6->} router_name %{node->} interface %{fld4->} interface_name \"%{interface}\" %{fld5}", processor_chain([ + dup34, + dup13, + dup35, + ])); + + var msg44 = msg("anomaly:Router_Info:01", part48); + + var part49 = match("MESSAGE#44:anomaly:Router_Info:02", "nwparser.payload", "anomaly %{signame->} id %{sigid->} status %{disposition->} severity %{severity->} classification 
%{category->} router %{fld6->} router_name %{node->} interface %{fld4->} interface_name \"%{interface}\" %{fld5}", processor_chain([ + dup34, + dup13, + ])); + + var msg45 = msg("anomaly:Router_Info:02", part49); + + var select13 = linear_select([ + msg40, + msg41, + msg42, + msg43, + msg44, + msg45, + ]); + + var part50 = match("MESSAGE#45:Peakflow:Unreachable", "nwparser.payload", "Peakflow device %{node->} unreachable by %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20}", processor_chain([ + dup12, + dup13, + dup14, + ])); + + var msg46 = msg("Peakflow:Unreachable", part50); + + var part51 = match("MESSAGE#46:Peakflow:Reachable", "nwparser.payload", "Peakflow device %{node->} reachable again by %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup15, + dup13, + dup16, + ])); + + var msg47 = msg("Peakflow:Reachable", part51); + + var select14 = linear_select([ + msg46, + msg47, + ]); + + var part52 = match("MESSAGE#47:Host:Detection", "nwparser.payload", "Host Detection alert %{fld1}, start %{fld2->} %{fld3->} %{fld4}, duration %{duration}, stop %{fld5->} %{fld6->} %{fld7}, , importance %{severity}, managed_objects (%{fld8}), is now %{result}, (parent managed object %{fld9})", processor_chain([ + dup18, + dup13, + dup38, + date_time({ + dest: "endtime", + args: ["fld5","fld6"], + fmts: [ + [dW,dc("-"),dM,dc("-"),dF,dZ], + ], + }), + ])); + + var msg48 = msg("Host:Detection", part52); + + var part53 = match("MESSAGE#48:Host:Detection:01", "nwparser.payload", "Host Detection alert %{fld1}, start %{fld2->} %{fld3->} %{fld4}, duration %{duration}, direction %{direction}, host %{saddr}, signatures (%{signame}), impact %{fld5}, importance %{severity}, managed_objects (%{fld6}), (parent managed object %{fld7})", processor_chain([ + dup18, + dup13, + dup38, + ])); + + var msg49 = msg("Host:Detection:01", part53); + + var select15 = linear_select([ + msg48, + msg49, + ]); + + var 
part54 = match("MESSAGE#49:Infrastructure", "nwparser.payload", "AIF license expiring cleared,URL: %{url}", processor_chain([ + dup18, + dup13, + setc("event_description","AIF license expiring cleared"), + ])); + + var msg50 = msg("Infrastructure", part54); + + var part55 = match("MESSAGE#50:Infrastructure:02", "nwparser.payload", "Hardware sensor detected a critical state. System Fan%{fld1}:%{fld2}Triggering value:%{fld3},URL:%{url}", processor_chain([ + dup18, + dup13, + setc("event_description","Hardware sensor detected a critical state"), + ])); + + var msg51 = msg("Infrastructure:02", part55); + + var part56 = match("MESSAGE#51:Infrastructure:01", "nwparser.payload", "AIF license expired cleared,URL: %{url}", processor_chain([ + dup18, + dup13, + setc("event_description","AIF license expired cleared"), + ])); + + var msg52 = msg("Infrastructure:01", part56); + + var select16 = linear_select([ + msg50, + msg51, + msg52, + ]); + + var part57 = match("MESSAGE#52:Blocked_Host", "nwparser.payload", "Blocked host%{saddr}at%{fld1}by Blocked Countries using%{protocol}destination%{daddr},URL:%{url}", processor_chain([ + setc("eventcategory","1803000000"), + dup13, + ])); + + var msg53 = msg("Blocked_Host", part57); + + var part58 = match("MESSAGE#53:Change_Log", "nwparser.payload", "Username:%{username}, Subsystem:%{fld1}, Setting Type:%{fld2}, Message:%{fld3}", processor_chain([ + dup18, + dup13, + ])); + + var msg54 = msg("Change_Log", part58); + + var part59 = match("MESSAGE#54:Protection_Mode", "nwparser.payload", "Changed protection mode to active for protection group%{group},URL:%{url}", processor_chain([ + dup18, + dup13, + setc("event_description","Changed protection mode to active for protection group"), + ])); + + var msg55 = msg("Protection_Mode", part59); + + var chain1 = processor_chain([ + select3, + msgid_select({ + "Autoclassification": msg17, + "BGP": select5, + "Blocked_Host": msg53, + "Change_Log": msg54, + "Device": select6, + "Flow": select4, + 
"GRE": select9, + "Hardware": select7, + "Host": select15, + "Infrastructure": select16, + "Peakflow": select14, + "Protection_Mode": msg55, + "SNMP": select8, + "TMS": select11, + "Test": msg38, + "anomaly": select13, + "configuration": msg16, + "mitigation": select10, + "script": msg39, + "usage_alert": select12, + }), + ]); + + var hdr6 = match("HEADER#0:0001/0", "message", "%{hmonth->} %{hday->} %{htime->} %{hdata}: %{p0}"); + + var part60 = match("HEADER#1:0002/1_0", "nwparser.p0", "high %{p0}"); + + var part61 = match("HEADER#1:0002/1_1", "nwparser.p0", "low %{p0}"); + + var part62 = match("HEADER#2:0008/2", "nwparser.p0", "%{} %{p0}"); + + var part63 = match("HEADER#2:0008/3_0", "nwparser.p0", "jitter %{p0}"); + + var part64 = match("HEADER#2:0008/3_1", "nwparser.p0", "loss %{p0}"); + + var part65 = match("HEADER#2:0008/3_2", "nwparser.p0", "bps %{p0}"); + + var part66 = match("HEADER#2:0008/3_3", "nwparser.p0", "pps %{p0}"); + + var part67 = match("HEADER#3:0003/4", "nwparser.p0", "%{} %{msgIdPart1->} %{msgIdPart2->} %{payload}"); + + var part68 = match("MESSAGE#19:mitigation:TMS_Start/1_0", "nwparser.p0", "%{fld21}, %{p0}"); + + var part69 = match("MESSAGE#19:mitigation:TMS_Start/1_1", "nwparser.p0", ", %{p0}"); + + var part70 = match("MESSAGE#19:mitigation:TMS_Start/2", "nwparser.p0", "%{}leader %{parent_node}"); + + var part71 = match("MESSAGE#39:anomaly:Resource_Info:01/1_0", "nwparser.p0", "%{fld21->} duration %{p0}"); + + var part72 = match("MESSAGE#39:anomaly:Resource_Info:01/1_1", "nwparser.p0", "duration %{p0}"); + + var part73 = match("MESSAGE#39:anomaly:Resource_Info:01/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}, %{info}"); + + var part74 = match("MESSAGE#40:anomaly:Resource_Info:02/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}"); + + var select17 = 
linear_select([
+ dup2,
+ dup3,
+ ]);
+
+ var select18 = linear_select([
+ dup6,
+ dup7,
+ dup8,
+ dup9,
+ ]);
+
+ var part75 = match("MESSAGE#2:BGP:Down", "nwparser.payload", "%{protocol->} down for router %{node}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([
+ dup12,
+ dup13,
+ dup14,
+ ]));
+
+ var part76 = match("MESSAGE#3:BGP:Restored", "nwparser.payload", "%{protocol->} restored for router %{node}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([
+ dup15,
+ dup13,
+ dup16,
+ ]));
+
+ var select19 = linear_select([
+ dup21,
+ dup22,
+ ]);
+
+ var select20 = linear_select([
+ dup31,
+ dup32,
+ ]);
+
+- community_id:
+- add_locale: ~
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/packages/netscout/0.1.0/dataset/sightline/agent/stream/tcp.yml.hbs b/packages/netscout/0.1.0/dataset/sightline/agent/stream/tcp.yml.hbs
new file mode 100644
index 0000000000..cd96876f1b
--- /dev/null
+++ b/packages/netscout/0.1.0/dataset/sightline/agent/stream/tcp.yml.hbs
@@ -0,0 +1,3398 @@
+tcp:
+host: "{{tcp_host}}:{{tcp_port}}"
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Netscout"
+ product: "Arbor"
+ type: "DDOS"
+publisher_pipeline.disable_host: true
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{rsa_fields}}
+ tz_offset: {{tz_offset}}
+ keep_raw: {{keep_raw_fields}}
+ debug: {{debug}}
+ source: |
+ // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ // or more contributor license agreements. Licensed under the Elastic License;
+ // you may not use this file except in compliance with the Elastic License.
+
+ /* jshint -W014,-W016,-W097,-W116 */
+
+ var processor = require("processor");
+ var console = require("console");
+
+ var FLAG_FIELD = "log.flags";
+ var FIELDS_OBJECT = "nwparser";
+ var FIELDS_PREFIX = FIELDS_OBJECT + ".";
+
+ var defaults = {
+ debug: false,
+ ecs: true,
+ rsa: false,
+ keep_raw: false,
+ tz_offset: "local",
+ strip_priority: true
+ };
+
+ var saved_flags = null;
+ var debug;
+ var map_ecs;
+ var map_rsa;
+ var keep_raw;
+ var device;
+ var tz_offset;
+ var strip_priority;
+
+ // Register params from configuration.
+ function register(params) {
+ debug = params.debug !== undefined ? params.debug : defaults.debug;
+ map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
+ map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
+ keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
+ tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
+ strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority;
+ device = new DeviceProcessor();
+ }
+
+ function parse_tz_offset(offset) {
+ var date;
+ var m;
+ switch(offset) {
+ // local uses the tz offset from the JS VM.
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) {
+ if (debug) console.warn("all_match failure at " + i);
+ if (opts.on_failure != null) opts.on_failure(evt);
+ return;
+ }
+ if (debug) console.warn("all_match success at " + i);
+ }
+ if (opts.on_success != null) opts.on_success(evt);
+ };
+ }
+
+ function msgid_select(mapping) {
+ return function (evt) {
+ var msgid = evt.Get(FIELDS_PREFIX + "messageid");
+ if (msgid == null) {
+ if (debug) console.warn("msgid_select: no messageid captured!");
+ return;
+ }
+ var next = mapping[msgid];
+ if (next === undefined) {
+ if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid);
+ return;
+ }
+ if (debug) console.info("msgid_select: matched key=" + msgid);
+ return next(evt);
+ };
+ }
+
+ function msg(msg_id, match) {
+ return function (evt) {
+ match(evt);
+ if (evt.Get(FLAG_FIELD) == null) {
+ evt.Put(FIELDS_PREFIX + "msg_id1", msg_id);
+ }
+ };
+ }
+
+ var start;
+
+ function save_flags(evt) {
+ saved_flags = evt.Get(FLAG_FIELD);
+ evt.Put("event.original", evt.Get("message"));
+ }
+
+ function restore_flags(evt) {
+ if (saved_flags !== null) {
+ evt.Put(FLAG_FIELD, saved_flags);
+ }
+ evt.Delete("message");
+ }
+
+ function constant(value) {
+ return function (evt) {
+ return value;
+ };
+ }
+
+ function field(name) {
+ var fullname = FIELDS_PREFIX + name;
+ return function (evt) {
+ return evt.Get(fullname);
+ };
+ }
+
+ function STRCAT(args) {
+ var s = "";
+ var i;
+ for (i = 0; i < args.length; i++) {
+ s += args[i];
+ }
+ return s;
+ }
+
+ // TODO: Implement
+ function DIRCHK(args) {
+ unimplemented("DIRCHK");
+ }
+
+ function strictToInt(str) {
+ return str * 1;
+ }
+
+ function CALC(args) {
+ if (args.length !== 3) {
+ console.warn("skipped call to CALC with " + args.length + " arguments.");
+ return;
+ }
+ var a = strictToInt(args[0]);
+ var b = strictToInt(args[2]);
+ if (isNaN(a) || isNaN(b)) {
+ console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'.");
+ return;
+ }
+ var result;
+ switch (args[1]) {
+ case "+":
+ result = a + b;
+ break;
+ case "-":
+ result = a - b;
+ break;
+ case "*":
+ result = a * b;
+ break;
+ default:
+ // Only * and + seen in the parsers.
+ console.warn("unknown CALC operation '" + args[1] + "'.");
+ return;
+ }
+ // Always return a string
+ return result !== undefined ? "" + result : result;
+ }
+
+ var quoteChars = "\"'`";
+ function RMQ(args) {
+ if(args.length !== 1) {
+ console.warn("RMQ: only one argument expected");
+ return;
+ }
+ var value = args[0].trim();
+ var n = value.length;
+ var char;
+ return n > 1
+ && (char=value.charAt(0)) === value.charAt(n-1)
+ && quoteChars.indexOf(char) !== -1?
+ value.substr(1, n-2)
+ : value;
+ }
+
+ function call(opts) {
+ var args = new Array(opts.args.length);
+ return function (evt) {
+ for (var i = 0; i < opts.args.length; i++)
+ if ((args[i] = opts.args[i](evt)) == null) return;
+ var result = opts.fn(args);
+ if (result != null) {
+ evt.Put(opts.dest, result);
+ }
+ };
+ }
+
+ function nop(evt) {
+ }
+
+ function appendErrorMsg(evt, msg) {
+ var value = evt.Get("error.message");
+ if (value == null) {
+ value = [msg];
+ } else if (msg instanceof Array) {
+ value.push(msg);
+ } else {
+ value = [value, msg];
+ }
+ evt.Put("error.message", value);
+ }
+
+ function unimplemented(name) {
+ appendErrorMsg("unimplemented feature: " + name);
+ }
+
+ function lookup(opts) {
+ return function (evt) {
+ var key = opts.key(evt);
+ if (key == null) return;
+ var value = opts.map.keyvaluepairs[key];
+ if (value === undefined) {
+ value = opts.map.default;
+ }
+ if (value !== undefined) {
+ evt.Put(opts.dest, value(evt));
+ }
+ };
+ }
+
+ function set(fields) {
+ return new processor.AddFields({
+ target: FIELDS_OBJECT,
+ fields: fields,
+ });
+ }
+
+ function setf(dst, src) {
+ return function (evt) {
+ var val = evt.Get(FIELDS_PREFIX + src);
+ if (val != null) evt.Put(FIELDS_PREFIX + dst, val);
+ };
+ }
+
+ function setc(dst, value) {
+ return function (evt) {
+ evt.Put(FIELDS_PREFIX + dst, value);
+ };
+ }
+
+ function set_field(opts) {
+ return function (evt) {
+ var val = opts.value(evt);
+ if (val != null) evt.Put(opts.dest, val);
+ };
+ }
+
+ function dump(label) {
+ return function (evt) {
+ console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t"));
+ };
+ }
+
+ function date_time_join_args(evt, arglist) {
+ var str = "";
+ for (var i = 0; i < arglist.length; i++) {
+ var fname = FIELDS_PREFIX + arglist[i];
+ var val = evt.Get(fname);
+ if (val != null) {
+ if (str !== "") str += " ";
+ str += val;
+ } else {
+ if (debug) console.warn("in date_time: input arg " + fname + " is not set");
+ }
+ }
+ return str;
+ }
+
+ function to2Digit(num) {
+ return num? (num < 10? "0" + num : num) : "00";
+ }
+
+ // Make two-digit dates 00-69 interpreted as 2000-2069
+ // and dates 70-99 translated to 1970-1999.
+ var twoDigitYearEpoch = 70;
+ var twoDigitYearCentury = 2000;
+
+ // This is to accept dates up to 2 days in the future, only used when
+ // no year is specified in a date. 2 days should be enough to account for
+ // time differences between systems and different tz offsets.
+ var maxFutureDelta = 2*24*60*60*1000;
+
+ // DateContainer stores date fields and then converts those fields into
+ // a Date. Necessary because building a Date using its set() methods gives
+ // different results depending on the order of components.
+ function DateContainer(tzOffset) {
+ this.offset = tzOffset === undefined? "Z" : tzOffset;
+ }
+
+ DateContainer.prototype = {
+ setYear: function(v) {this.year = v;},
+ setMonth: function(v) {this.month = v;},
+ setDay: function(v) {this.day = v;},
+ setHours: function(v) {this.hours = v;},
+ setMinutes: function(v) {this.minutes = v;},
+ setSeconds: function(v) {this.seconds = v;},
+
+ setUNIX: function(v) {this.unix = v;},
+
+ set2DigitYear: function(v) {
+ this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100;
+ },
+
+ toDate: function() {
+ if (this.unix !== undefined) {
+ return new Date(this.unix * 1000);
+ }
+ if (this.day === undefined || this.month === undefined) {
+ // Can't make a date from this.
+ return undefined;
+ }
+ if (this.year === undefined) {
+ // A date without a year. Set current year, or previous year
+ // if date would be in the future.
+ var now = new Date();
+ this.year = now.getFullYear();
+ var date = this.toDate();
+ if (date.getTime() - now.getTime() > maxFutureDelta) {
+ date.setFullYear(now.getFullYear() - 1);
+ }
+ return date;
+ }
+ var MM = to2Digit(this.month);
+ var DD = to2Digit(this.day);
+ var hh = to2Digit(this.hours);
+ var mm = to2Digit(this.minutes);
+ var ss = to2Digit(this.seconds);
+ return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset);
+ }
+ }
+
+ function date_time_try_pattern(fmt, str, tzOffset) {
+ var date = new DateContainer(tzOffset);
+ var pos = date_time_try_pattern_at_pos(fmt, str, 0, date);
+ return pos !== undefined? date.toDate() : undefined;
+ }
+
+ function date_time_try_pattern_at_pos(fmt, str, pos, date) {
+ var len = str.length;
+ for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) {
+ pos = fmt[proc](str, pos, date);
+ }
+ return pos;
+ }
+
+ function date_time(opts) {
+ return function (evt) {
+ var tzOffset = opts.tz || tz_offset;
+ if (tzOffset === "event") {
+ tzOffset = evt.Get("event.timezone");
+ }
+ var str = date_time_join_args(evt, opts.args);
+ for (var i = 0; i < opts.fmts.length; i++) {
+ var date = date_time_try_pattern(opts.fmts[i], str, tzOffset);
+ if (date !== undefined) {
+ evt.Put(FIELDS_PREFIX + opts.dest, date);
+ return;
+ }
+ }
+ if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str);
+ };
+ }
+
+ var uA = 60 * 60 * 24;
+ var uD = 60 * 60 * 24;
+ var uF = 60 * 60;
+ var uG = 60 * 60 * 24 * 30;
+ var uH = 60 * 60;
+ var uI = 60 * 60;
+ var uJ = 60 * 60 * 24;
+ var uM = 60 * 60 * 24 * 30;
+ var uN = 60 * 60;
+ var uO = 1;
+ var uS = 1;
+ var uT = 60;
+ var uU = 60;
+ var uc = dc;
+
+ function duration(opts) {
+ return function(evt) {
+ var str = date_time_join_args(evt, opts.args);
+ for (var i = 0; i < opts.fmts.length; i++) {
+ var seconds = duration_try_pattern(opts.fmts[i], str);
+ if (seconds !== undefined) {
+ evt.Put(FIELDS_PREFIX + opts.dest, seconds);
+ return;
+ }
+ }
+ if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str);
+ };
+ }
+
+ function duration_try_pattern(fmt, str) {
+ var secs = 0;
+ var pos = 0;
+ for (var i=0; i [ month_id , how many chars to skip if month in long form ]
+ "Jan": [0, 4],
+ "Feb": [1, 5],
+ "Mar": [2, 2],
+ "Apr": [3, 2],
+ "May": [4, 0],
+ "Jun": [5, 1],
+ "Jul": [6, 1],
+ "Aug": [7, 3],
+ "Sep": [8, 6],
+ "Oct": [9, 4],
+ "Nov": [10, 5],
+ "Dec": [11, 4],
+ "jan": [0, 4],
+ "feb": [1, 5],
+ "mar": [2, 2],
+ "apr": [3, 2],
+ "may": [4, 0],
+ "jun": [5, 1],
+ "jul": [6, 1],
+ "aug": [7, 3],
+ "sep": [8, 6],
+ "oct": [9, 4],
+ "nov": [10, 5],
+ "dec": [11, 4],
+ };
+
+ // var dC = undefined;
+ var dR = dateMonthName(true);
+ var dB = dateMonthName(false);
+ var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
+ var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
+ var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
+ var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
+ var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
+ var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
+ var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
+ var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
+ var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
+ var dP = parseAMPM; // AM|PM
+ var dQ = parseAMPM; // A.M.|P.M
+ var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
+ var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
+ var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
+ var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
+ var dZ = parseHMS;
+ var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
+
+ // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
+ // Only works if this modifier appears after the hour has been read from logs
+ // which is always the case in the 300 devices.
+ function parseAMPM(str, pos, date) {
+ var n = str.length;
+ var start = skipws(str, pos);
+ if (start + 2 > n) return;
+ var head = str.substr(start, 2).toUpperCase();
+ var isPM = false;
+ var skip = false;
+ switch (head) {
+ case "A.":
+ skip = true;
+ /* falls through */
+ case "AM":
+ break;
+ case "P.":
+ skip = true;
+ /* falls through */
+ case "PM":
+ isPM = true;
+ break;
+ default:
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
+ return;
+ }
+ pos = start + 2;
+ if (skip) {
+ if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
+ return;
+ }
+ pos += 2;
+ }
+ var hh = date.hours;
+ if (isPM) {
+ // Accept existing hour in 24h format.
+ if (hh < 12) hh += 12;
+ } else {
+ if (hh === 12) hh = 0;
+ }
+ date.setHours(hh);
+ return pos;
+ }
+
+ function parseHMS(str, pos, date) {
+ return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
+ }
+
+ function skipws(str, pos) {
+ for ( var n = str.length;
+ pos < n && str.charAt(pos) === " ";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function skipdigits(str, pos) {
+ var c;
+ for (var n = str.length;
+ pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function dSkip(str, pos, date) {
+ var chr;
+ for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
+ return pos < str.length? pos : undefined;
+ }
+
+ function dateVariableWidthNumber(fmtChar, min, max, setter) {
+ return function (str, pos, date) {
+ var start = skipws(str, pos);
+ pos = skipdigits(str, start);
+ var s = str.substr(start, pos - start);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos;
+ }
+ return;
+ };
+ }
+
+ function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + width > n) return;
+ var s = str.substr(pos, width);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos + width;
+ }
+ return;
+ };
+ }
+
+ // Short month name (Jan..Dec).
+ function dateMonthName(long) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + 3 > n) return;
+ var mon = str.substr(pos, 3);
+ var idx = shortMonths[mon];
+ if (idx === undefined) {
+ idx = shortMonths[mon.toLowerCase()];
+ }
+ if (idx === undefined) {
+ //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
+ return;
+ }
+ date.setMonth(idx[0]+1);
+ return pos + 3 + (long ? idx[1] : 0);
+ };
+ }
+
+ function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.error(fn.name + " failed for '" + value + "'");
+ }
+ };
+ }
+
+ // The following regular expression for parsing URLs from:
+ // https://github.com/wizard04wsu/URI_Parsing
+ //
+ // The MIT License (MIT)
+ //
+ // Copyright (c) 2014 Andrew Harrison
+ //
+ // Permission is hereby granted, free of charge, to any person obtaining a copy of
+ // this software and associated documentation files (the "Software"), to deal in
+ // the Software without restriction, including without limitation the rights to
+ // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ // the Software, and to permit persons to whom the Software is furnished to do so,
+ // subject to the following conditions:
+ //
+ // The above copyright notice and this permission notice shall be included in all
+ // copies or substantial portions of the Software.
+ //
+ // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+ // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+ // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+ // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+ var uriScheme = 1;
+ var uriDomain = 5;
+ var uriPort = 6;
+ var uriPath = 7;
+ var uriPathAlt = 9;
+ var uriQuery = 11;
+
+ function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+ }
+
+ function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+ }
+
+ function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+ }
+
+ var extFromPage = /\.[^.]+$/;
+ function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+ }
+
+ function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+ }
+
+ function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+ }
+
+ var pageFromPathRegExp = /\/([^\/]+)$/;
+ var pageName = 1;
+
+ function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+ }
+
+ function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+ }
+
+ function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+ }
+
+ function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+ }
+
+ // Map common schemes to their default port.
+ // port has to be a string (will be converted at a later stage).
+ var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+ };
+
+ function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+ }
+
+ function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+ }
+
+ function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+ }
+
+ function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+ }
+
+ function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+ }
+
+ function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+ }
+
+ var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field:
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{hday->} %{htime->} %{hdata}: %{p0}"); + + var dup2 = match("HEADER#1:0002/1_0", "nwparser.p0", "high %{p0}"); + + var dup3 = match("HEADER#1:0002/1_1", "nwparser.p0", "low %{p0}"); + + var dup4 = call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant("_"), + field("msgIdPart2"), + ], + }); + + var dup5 = match("HEADER#2:0008/2", "nwparser.p0", "%{} %{p0}"); + + var dup6 = match("HEADER#2:0008/3_0", "nwparser.p0", "jitter %{p0}"); + + var dup7 = match("HEADER#2:0008/3_1", "nwparser.p0", "loss %{p0}"); + + var dup8 = match("HEADER#2:0008/3_2", "nwparser.p0", "bps %{p0}"); + + var dup9 = match("HEADER#2:0008/3_3", "nwparser.p0", "pps %{p0}"); + + var dup10 = match("HEADER#3:0003/4", "nwparser.p0", "%{} %{msgIdPart1->} %{msgIdPart2->} %{payload}"); + + var dup11 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("payload"), + ], + }); + + var dup12 = setc("eventcategory","1801010000"); + + var dup13 = setf("msg","$MSG"); + + var dup14 = date_time({ + dest: "starttime", + args: ["fld15","fld16","fld17","fld18","fld19","fld20"], + fmts: [ + [dW,dM,dD,dH,dT,dS], + ], + }); + + var dup15 = setc("eventcategory","1801020000"); + + var dup16 = date_time({ + dest: "endtime", + args: ["fld15","fld16","fld17","fld18","fld19","fld20"], + fmts: [ + [dW,dM,dD,dH,dT,dS], + ], + }); + + var dup17 = setc("eventcategory","1607000000"); + + var dup18 = setc("eventcategory","1605000000"); + + var dup19 = setc("eventcategory","1701000000"); + + var dup20 = setc("eventcategory","1603010000"); + + var dup21 = match("MESSAGE#19:mitigation:TMS_Start/1_0", "nwparser.p0", "%{fld21}, %{p0}"); + + var dup22 = match("MESSAGE#19:mitigation:TMS_Start/1_1", "nwparser.p0", ", %{p0}"); + + var dup23 = match("MESSAGE#19:mitigation:TMS_Start/2", "nwparser.p0", "%{}leader %{parent_node}"); + + var 
dup24 = setc("eventcategory","1502020000"); + + var dup25 = setc("event_type","TMS mitigation"); + + var dup26 = setc("disposition","ongoing"); + + var dup27 = setc("disposition","done"); + + var dup28 = setc("event_type","Third party mitigation"); + + var dup29 = setc("event_type","Blackhole mitigation"); + + var dup30 = setc("event_type","Flowspec mitigation"); + + var dup31 = match("MESSAGE#39:anomaly:Resource_Info:01/1_0", "nwparser.p0", "%{fld21->} duration %{p0}"); + + var dup32 = match("MESSAGE#39:anomaly:Resource_Info:01/1_1", "nwparser.p0", "duration %{p0}"); + + var dup33 = match("MESSAGE#39:anomaly:Resource_Info:01/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}, %{info}"); + + var dup34 = setc("eventcategory","1002000000"); + + var dup35 = setc("signame","Bandwidth"); + + var dup36 = date_time({ + dest: "starttime", + args: ["fld15","fld16","fld17","fld18","fld19","fld20"], + fmts: [ + [dW,dM,dD,dN,dU,dO], + ], + }); + + var dup37 = match("MESSAGE#40:anomaly:Resource_Info:02/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}"); + + var dup38 = date_time({ + dest: "starttime", + args: ["fld2","fld3"], + fmts: [ + [dW,dc("-"),dM,dc("-"),dF,dZ], + ], + }); + + var dup39 = linear_select([ + dup2, + dup3, + ]); + + var dup40 = linear_select([ + dup6, + dup7, + dup8, + dup9, + ]); + + var dup41 = match("MESSAGE#2:BGP:Down", "nwparser.payload", "%{protocol->} down for router %{node}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup12, + dup13, + dup14, + ])); + + var dup42 = match("MESSAGE#3:BGP:Restored", "nwparser.payload", "%{protocol->} restored for router %{node}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup15, + dup13, + dup16, + 
])); + + var dup43 = linear_select([ + dup21, + dup22, + ]); + + var dup44 = linear_select([ + dup31, + dup32, + ]); + + var part1 = match("HEADER#0:0001/1_0", "nwparser.p0", "TMS %{p0}"); + + var part2 = match("HEADER#0:0001/1_1", "nwparser.p0", "Third party %{p0}"); + + var part3 = match("HEADER#0:0001/1_2", "nwparser.p0", "Blackhole %{p0}"); + + var part4 = match("HEADER#0:0001/1_3", "nwparser.p0", "Flowspec %{p0}"); + + var select1 = linear_select([ + part1, + part2, + part3, + part4, + ]); + + var part5 = match("HEADER#0:0001/2", "nwparser.p0", "%{} %{messageid->} %{payload}"); + + var all1 = all_match({ + processors: [ + dup1, + select1, + part5, + ], + on_success: processor_chain([ + setc("header_id","0001"), + ]), + }); + + var part6 = match("HEADER#1:0002/2", "nwparser.p0", "%{}interface %{msgIdPart1->} %{msgIdPart2->} %{payload}"); + + var all2 = all_match({ + processors: [ + dup1, + dup39, + part6, + ], + on_success: processor_chain([ + setc("header_id","0002"), + dup4, + ]), + }); + + var part7 = match("HEADER#2:0008/4", "nwparser.p0", "%{} %{msgIdPart1->} %{hfld1->} for service %{payload}"); + + var all3 = all_match({ + processors: [ + dup1, + dup39, + dup5, + dup40, + part7, + ], + on_success: processor_chain([ + setc("header_id","0008"), + call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + constant("usage_"), + field("msgIdPart1"), + ], + }), + ]), + }); + + var all4 = all_match({ + processors: [ + dup1, + dup39, + dup5, + dup40, + dup10, + ], + on_success: processor_chain([ + setc("header_id","0003"), + dup4, + ]), + }); + + var part8 = match("HEADER#4:0004/1_2", "nwparser.p0", "High %{p0}"); + + var select2 = linear_select([ + dup2, + dup3, + part8, + ]); + + var all5 = all_match({ + processors: [ + dup1, + select2, + dup10, + ], + on_success: processor_chain([ + setc("header_id","0004"), + dup4, + ]), + }); + + var hdr1 = match("HEADER#5:0005", "message", "%{hmonth->} %{hday->} %{htime->} pfsp: The %{messageid->} %{payload}", 
processor_chain([ + setc("header_id","0005"), + dup11, + ])); + + var hdr2 = match("HEADER#6:0006", "message", "%{hmonth->} %{hday->} %{htime->} pfsp: Alert %{messageid->} %{payload}", processor_chain([ + setc("header_id","0006"), + dup11, + ])); + + var hdr3 = match("HEADER#7:0007", "message", "%{hmonth->} %{hday->} %{htime->} pfsp: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0007"), + dup11, + ])); + + var hdr4 = match("HEADER#8:0010", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1}: %{msgIdPart1->} %{msgIdPart2}: %{payload}", processor_chain([ + setc("header_id","0010"), + dup4, + ])); + + var hdr5 = match("HEADER#9:0009", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0009"), + ])); + + var select3 = linear_select([ + all1, + all2, + all3, + all4, + all5, + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + ]); + + var part9 = match("MESSAGE#0:Flow:Down", "nwparser.payload", "Flow down for router %{node}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup12, + dup13, + dup14, + ])); + + var msg1 = msg("Flow:Down", part9); + + var part10 = match("MESSAGE#1:Flow:Restored", "nwparser.payload", "Flow restored for router %{node}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup15, + dup13, + dup16, + ])); + + var msg2 = msg("Flow:Restored", part10); + + var select4 = linear_select([ + msg1, + msg2, + ]); + + var msg3 = msg("BGP:Down", dup41); + + var msg4 = msg("BGP:Restored", dup42); + + var part11 = match("MESSAGE#4:BGP:Instability", "nwparser.payload", "%{protocol->} instability router %{node->} threshold %{fld25->} (%{fld1}) observed %{trigger_val->} (%{fld2})", processor_chain([ + dup17, + dup13, + ])); + + var msg5 = msg("BGP:Instability", part11); + + var part12 = match("MESSAGE#5:BGP:Instability_Ended", "nwparser.payload", 
"%{protocol->} Instability for router %{node->} ended", processor_chain([ + dup18, + dup13, + ])); + + var msg6 = msg("BGP:Instability_Ended", part12); + + var part13 = match("MESSAGE#6:BGP:Hijack", "nwparser.payload", "%{protocol->} Hijack local_prefix %{fld26->} router %{node->} bgp_prefix %{fld27->} bgp_attributes %{event_description}", processor_chain([ + setc("eventcategory","1002050000"), + dup13, + ])); + + var msg7 = msg("BGP:Hijack", part13); + + var part14 = match("MESSAGE#7:BGP:Hijack_Done", "nwparser.payload", "%{protocol->} Hijack for prefix %{fld26->} router %{node->} done", processor_chain([ + dup18, + dup13, + ])); + + var msg8 = msg("BGP:Hijack_Done", part14); + + var part15 = match("MESSAGE#8:BGP:Trap", "nwparser.payload", "%{protocol->} Trap %{node}: Prefix %{fld5->} %{fld6->} %{event_description}", processor_chain([ + dup19, + dup13, + ])); + + var msg9 = msg("BGP:Trap", part15); + + var select5 = linear_select([ + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + ]); + + var part16 = match("MESSAGE#9:Device:Unreachable", "nwparser.payload", "Device %{node->} unreachable by controller %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20}", processor_chain([ + dup12, + dup13, + dup14, + ])); + + var msg10 = msg("Device:Unreachable", part16); + + var part17 = match("MESSAGE#10:Device:Reachable", "nwparser.payload", "Device %{node->} reachable again by controller %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup15, + dup13, + dup16, + ])); + + var msg11 = msg("Device:Reachable", part17); + + var select6 = linear_select([ + msg10, + msg11, + ]); + + var part18 = match("MESSAGE#11:Hardware:Failure", "nwparser.payload", "Hardware failure on %{node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} GMT: %{event_description}", processor_chain([ + dup20, + dup13, + dup14, + ])); + + var msg12 = msg("Hardware:Failure", part18); + + var part19 = 
match("MESSAGE#12:Hardware:Failure_Done", "nwparser.payload", "Hardware failure on %{node->} done at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21->} GMT: %{event_description}", processor_chain([ + dup18, + dup13, + dup16, + ])); + + var msg13 = msg("Hardware:Failure_Done", part19); + + var select7 = linear_select([ + msg12, + msg13, + ]); + + var msg14 = msg("SNMP:Down", dup41); + + var msg15 = msg("SNMP:Restored", dup42); + + var select8 = linear_select([ + msg14, + msg15, + ]); + + var part20 = match("MESSAGE#15:configuration", "nwparser.payload", "configuration was changed on leader %{parent_node->} to version %{version->} by %{administrator}", processor_chain([ + dup19, + dup13, + setc("event_description","Configuration changed"), + ])); + + var msg16 = msg("configuration", part20); + + var part21 = match("MESSAGE#16:Autoclassification", "nwparser.payload", "Autoclassification was restarted on %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21->} by %{administrator}", processor_chain([ + dup19, + dup13, + setc("event_description","Autoclassification restarted"), + dup14, + ])); + + var msg17 = msg("Autoclassification", part21); + + var part22 = match("MESSAGE#17:GRE:Down", "nwparser.payload", "GRE tunnel down for destination %{daddr}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup12, + dup13, + dup14, + ])); + + var msg18 = msg("GRE:Down", part22); + + var part23 = match("MESSAGE#18:GRE:Restored", "nwparser.payload", "GRE tunnel restored for destination %{daddr}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + setc("eventcategory","1801020100"), + dup13, + dup16, + ])); + + var msg19 = msg("GRE:Restored", part23); + + var select9 = linear_select([ + msg18, + msg19, + ]); + + var part24 = match("MESSAGE#19:mitigation:TMS_Start/0", "nwparser.payload", "pfsp: TMS mitigation 
%{policyname->} started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all6 = all_match({ + processors: [ + part24, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup25, + dup26, + dup14, + ]), + }); + + var msg20 = msg("mitigation:TMS_Start", all6); + + var part25 = match("MESSAGE#20:mitigation:TMS_Stop/0", "nwparser.payload", "pfsp: TMS mitigation %{policyname->} stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all7 = all_match({ + processors: [ + part25, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup25, + dup27, + dup16, + ]), + }); + + var msg21 = msg("mitigation:TMS_Stop", all7); + + var part26 = match("MESSAGE#21:mitigation:Thirdparty_Start/0", "nwparser.payload", "pfsp: Third party mitigation %{node->} started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all8 = all_match({ + processors: [ + part26, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup28, + dup26, + dup14, + ]), + }); + + var msg22 = msg("mitigation:Thirdparty_Start", all8); + + var part27 = match("MESSAGE#22:mitigation:Thirdparty_Stop/0", "nwparser.payload", "pfsp: Third party mitigation %{node->} stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all9 = all_match({ + processors: [ + part27, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup28, + dup27, + ]), + }); + + var msg23 = msg("mitigation:Thirdparty_Stop", all9); + + var part28 = match("MESSAGE#23:mitigation:Blackhole_Start/0", "nwparser.payload", "pfsp: Blackhole mitigation %{node->} started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all10 = all_match({ + processors: [ + part28, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup29, + dup26, + dup14, + ]), + }); + + var msg24 = msg("mitigation:Blackhole_Start", all10); + + var 
part29 = match("MESSAGE#24:mitigation:Blackhole_Stop/0", "nwparser.payload", "pfsp: Blackhole mitigation %{node->} stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all11 = all_match({ + processors: [ + part29, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup29, + dup27, + ]), + }); + + var msg25 = msg("mitigation:Blackhole_Stop", all11); + + var part30 = match("MESSAGE#25:mitigation:Flowspec_Start/0", "nwparser.payload", "pfsp: Flowspec mitigation %{node->} started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all12 = all_match({ + processors: [ + part30, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup30, + dup26, + dup14, + ]), + }); + + var msg26 = msg("mitigation:Flowspec_Start", all12); + + var part31 = match("MESSAGE#26:mitigation:Flowspec_Stop/0", "nwparser.payload", "pfsp: Flowspec mitigation %{node->} stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all13 = all_match({ + processors: [ + part31, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup30, + dup27, + ]), + }); + + var msg27 = msg("mitigation:Flowspec_Stop", all13); + + var select10 = linear_select([ + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + ]); + + var part32 = match("MESSAGE#27:TMS:Fault_Cleared", "nwparser.payload", "TMS '%{event_description}' fault for resource '%{resource}' on TMS %{node->} cleared", processor_chain([ + dup18, + dup13, + setc("event_type","Fault Cleared"), + ])); + + var msg28 = msg("TMS:Fault_Cleared", part32); + + var part33 = match("MESSAGE#28:TMS:Fault", "nwparser.payload", "TMS '%{event_description}' fault for resource '%{resource}' on TMS %{node}", processor_chain([ + dup20, + dup13, + setc("event_type","Fault Occured"), + ])); + + var msg29 = msg("TMS:Fault", part33); + + var select11 = linear_select([ + msg28, + msg29, + ]); + + var part34 = 
match("MESSAGE#29:usage_alert:Interface", "nwparser.payload", "pfsp: %{trigger_desc->} interface usage alert %{fld1->} for router %{node->} interface \"%{interface}\" speed %{fld2->} threshold %{fld25->} observed %{trigger_val->} pct %{fld3}", processor_chain([ + dup17, + dup13, + ])); + + var msg30 = msg("usage_alert:Interface", part34); + + var part35 = match("MESSAGE#30:usage_alert:Interface_Done", "nwparser.payload", "pfsp: %{trigger_desc->} interface usage alert %{fld1->} done for router %{node->} interface \"%{interface}\"", processor_chain([ + dup18, + dup13, + ])); + + var msg31 = msg("usage_alert:Interface_Done", part35); + + var part36 = match("MESSAGE#31:usage_alert:Fingerprint_Threshold", "nwparser.payload", "pfsp: %{trigger_desc->} usage alert %{fld1->} for fingerprint %{policyname->} threshold %{fld25->} observed %{trigger_val}", processor_chain([ + dup17, + dup13, + ])); + + var msg32 = msg("usage_alert:Fingerprint_Threshold", part36); + + var part37 = match("MESSAGE#32:usage_alert:Fingerprint_Threshold_Done", "nwparser.payload", "pfsp: %{trigger_desc->} usage alert %{fld1->} for fingerprint %{policyname->} done", processor_chain([ + dup18, + dup13, + ])); + + var msg33 = msg("usage_alert:Fingerprint_Threshold_Done", part37); + + var part38 = match("MESSAGE#33:usage_alert:Service_Threshold", "nwparser.payload", "pfsp: %{trigger_desc->} %{fld1->} usage alert %{fld2->} for service %{service}, %{application->} threshold %{fld25->} observed %{trigger_val}", processor_chain([ + dup17, + dup13, + ])); + + var msg34 = msg("usage_alert:Service_Threshold", part38); + + var part39 = match("MESSAGE#34:usage_alert:Service_Threshold_Done", "nwparser.payload", "pfsp: %{trigger_desc->} %{fld1->} alert %{fld2->} for service %{service->} done", processor_chain([ + dup18, + dup13, + ])); + + var msg35 = msg("usage_alert:Service_Threshold_Done", part39); + + var part40 = match("MESSAGE#35:usage_alert:ManagedObject_Threshold", "nwparser.payload", "pfsp: 
%{trigger_desc->} usage alert %{fld1->} for %{category->} %{fld2->} threshold %{fld25->} observed %{trigger_val}", processor_chain([ + dup17, + dup13, + ])); + + var msg36 = msg("usage_alert:ManagedObject_Threshold", part40); + + var part41 = match("MESSAGE#36:usage_alert:ManagedObject_Threshold_Done", "nwparser.payload", "pfsp: %{trigger_desc->} usage alert %{fld1->} for %{fld3->} %{fld4->} done", processor_chain([ + dup18, + dup13, + ])); + + var msg37 = msg("usage_alert:ManagedObject_Threshold_Done", part41); + + var select12 = linear_select([ + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + ]); + + var part42 = match("MESSAGE#37:Test", "nwparser.payload", "Test syslog message%{}", processor_chain([ + dup18, + dup13, + ])); + + var msg38 = msg("Test", part42); + + var part43 = match("MESSAGE#38:script/0", "nwparser.payload", "script %{node->} ran at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all14 = all_match({ + processors: [ + part43, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + setc("event_type","Script mitigation"), + dup26, + dup14, + ]), + }); + + var msg39 = msg("script", all14); + + var part44 = match("MESSAGE#39:anomaly:Resource_Info:01/0", "nwparser.payload", "anomaly Bandwidth id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} impact %{fld10->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all15 = all_match({ + processors: [ + part44, + dup44, + dup33, + ], + on_success: processor_chain([ + dup34, + dup13, + dup35, + dup36, + ]), + }); + + var msg40 = msg("anomaly:Resource_Info:01", all15); + + var part45 = match("MESSAGE#40:anomaly:Resource_Info:02/0", "nwparser.payload", "anomaly Bandwidth id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} src %{daddr}/%{dport->} %{fld1->} dst 
%{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all16 = all_match({ + processors: [ + part45, + dup44, + dup37, + ], + on_success: processor_chain([ + dup34, + dup13, + dup35, + dup36, + ]), + }); + + var msg41 = msg("anomaly:Resource_Info:02", all16); + + var part46 = match("MESSAGE#41:anomaly:Resource_Info:03/0", "nwparser.payload", "anomaly %{signame->} id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} impact %{fld10->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all17 = all_match({ + processors: [ + part46, + dup44, + dup33, + ], + on_success: processor_chain([ + dup34, + dup13, + dup36, + ]), + }); + + var msg42 = msg("anomaly:Resource_Info:03", all17); + + var part47 = match("MESSAGE#42:anomaly:Resource_Info:04/0", "nwparser.payload", "anomaly %{signame->} id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all18 = all_match({ + processors: [ + part47, + dup44, + dup37, + ], + on_success: processor_chain([ + dup34, + dup13, + dup36, + ]), + }); + + var msg43 = msg("anomaly:Resource_Info:04", all18); + + var part48 = match("MESSAGE#43:anomaly:Router_Info:01", "nwparser.payload", "anomaly Bandwidth id %{sigid->} status %{disposition->} severity %{severity->} classification %{category->} router %{fld6->} router_name %{node->} interface %{fld4->} interface_name \"%{interface}\" %{fld5}", processor_chain([ + dup34, + dup13, + dup35, + ])); + + var msg44 = msg("anomaly:Router_Info:01", part48); + + var part49 = match("MESSAGE#44:anomaly:Router_Info:02", "nwparser.payload", "anomaly %{signame->} id %{sigid->} status %{disposition->} severity %{severity->} classification 
%{category->} router %{fld6->} router_name %{node->} interface %{fld4->} interface_name \"%{interface}\" %{fld5}", processor_chain([ + dup34, + dup13, + ])); + + var msg45 = msg("anomaly:Router_Info:02", part49); + + var select13 = linear_select([ + msg40, + msg41, + msg42, + msg43, + msg44, + msg45, + ]); + + var part50 = match("MESSAGE#45:Peakflow:Unreachable", "nwparser.payload", "Peakflow device %{node->} unreachable by %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20}", processor_chain([ + dup12, + dup13, + dup14, + ])); + + var msg46 = msg("Peakflow:Unreachable", part50); + + var part51 = match("MESSAGE#46:Peakflow:Reachable", "nwparser.payload", "Peakflow device %{node->} reachable again by %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup15, + dup13, + dup16, + ])); + + var msg47 = msg("Peakflow:Reachable", part51); + + var select14 = linear_select([ + msg46, + msg47, + ]); + + var part52 = match("MESSAGE#47:Host:Detection", "nwparser.payload", "Host Detection alert %{fld1}, start %{fld2->} %{fld3->} %{fld4}, duration %{duration}, stop %{fld5->} %{fld6->} %{fld7}, , importance %{severity}, managed_objects (%{fld8}), is now %{result}, (parent managed object %{fld9})", processor_chain([ + dup18, + dup13, + dup38, + date_time({ + dest: "endtime", + args: ["fld5","fld6"], + fmts: [ + [dW,dc("-"),dM,dc("-"),dF,dZ], + ], + }), + ])); + + var msg48 = msg("Host:Detection", part52); + + var part53 = match("MESSAGE#48:Host:Detection:01", "nwparser.payload", "Host Detection alert %{fld1}, start %{fld2->} %{fld3->} %{fld4}, duration %{duration}, direction %{direction}, host %{saddr}, signatures (%{signame}), impact %{fld5}, importance %{severity}, managed_objects (%{fld6}), (parent managed object %{fld7})", processor_chain([ + dup18, + dup13, + dup38, + ])); + + var msg49 = msg("Host:Detection:01", part53); + + var select15 = linear_select([ + msg48, + msg49, + ]); + + var 
part54 = match("MESSAGE#49:Infrastructure", "nwparser.payload", "AIF license expiring cleared,URL: %{url}", processor_chain([ + dup18, + dup13, + setc("event_description","AIF license expiring cleared"), + ])); + + var msg50 = msg("Infrastructure", part54); + + var part55 = match("MESSAGE#50:Infrastructure:02", "nwparser.payload", "Hardware sensor detected a critical state. System Fan%{fld1}:%{fld2}Triggering value:%{fld3},URL:%{url}", processor_chain([ + dup18, + dup13, + setc("event_description","Hardware sensor detected a critical state"), + ])); + + var msg51 = msg("Infrastructure:02", part55); + + var part56 = match("MESSAGE#51:Infrastructure:01", "nwparser.payload", "AIF license expired cleared,URL: %{url}", processor_chain([ + dup18, + dup13, + setc("event_description","AIF license expired cleared"), + ])); + + var msg52 = msg("Infrastructure:01", part56); + + var select16 = linear_select([ + msg50, + msg51, + msg52, + ]); + + var part57 = match("MESSAGE#52:Blocked_Host", "nwparser.payload", "Blocked host%{saddr}at%{fld1}by Blocked Countries using%{protocol}destination%{daddr},URL:%{url}", processor_chain([ + setc("eventcategory","1803000000"), + dup13, + ])); + + var msg53 = msg("Blocked_Host", part57); + + var part58 = match("MESSAGE#53:Change_Log", "nwparser.payload", "Username:%{username}, Subsystem:%{fld1}, Setting Type:%{fld2}, Message:%{fld3}", processor_chain([ + dup18, + dup13, + ])); + + var msg54 = msg("Change_Log", part58); + + var part59 = match("MESSAGE#54:Protection_Mode", "nwparser.payload", "Changed protection mode to active for protection group%{group},URL:%{url}", processor_chain([ + dup18, + dup13, + setc("event_description","Changed protection mode to active for protection group"), + ])); + + var msg55 = msg("Protection_Mode", part59); + + var chain1 = processor_chain([ + select3, + msgid_select({ + "Autoclassification": msg17, + "BGP": select5, + "Blocked_Host": msg53, + "Change_Log": msg54, + "Device": select6, + "Flow": select4, + 
"GRE": select9, + "Hardware": select7, + "Host": select15, + "Infrastructure": select16, + "Peakflow": select14, + "Protection_Mode": msg55, + "SNMP": select8, + "TMS": select11, + "Test": msg38, + "anomaly": select13, + "configuration": msg16, + "mitigation": select10, + "script": msg39, + "usage_alert": select12, + }), + ]); + + var hdr6 = match("HEADER#0:0001/0", "message", "%{hmonth->} %{hday->} %{htime->} %{hdata}: %{p0}"); + + var part60 = match("HEADER#1:0002/1_0", "nwparser.p0", "high %{p0}"); + + var part61 = match("HEADER#1:0002/1_1", "nwparser.p0", "low %{p0}"); + + var part62 = match("HEADER#2:0008/2", "nwparser.p0", "%{} %{p0}"); + + var part63 = match("HEADER#2:0008/3_0", "nwparser.p0", "jitter %{p0}"); + + var part64 = match("HEADER#2:0008/3_1", "nwparser.p0", "loss %{p0}"); + + var part65 = match("HEADER#2:0008/3_2", "nwparser.p0", "bps %{p0}"); + + var part66 = match("HEADER#2:0008/3_3", "nwparser.p0", "pps %{p0}"); + + var part67 = match("HEADER#3:0003/4", "nwparser.p0", "%{} %{msgIdPart1->} %{msgIdPart2->} %{payload}"); + + var part68 = match("MESSAGE#19:mitigation:TMS_Start/1_0", "nwparser.p0", "%{fld21}, %{p0}"); + + var part69 = match("MESSAGE#19:mitigation:TMS_Start/1_1", "nwparser.p0", ", %{p0}"); + + var part70 = match("MESSAGE#19:mitigation:TMS_Start/2", "nwparser.p0", "%{}leader %{parent_node}"); + + var part71 = match("MESSAGE#39:anomaly:Resource_Info:01/1_0", "nwparser.p0", "%{fld21->} duration %{p0}"); + + var part72 = match("MESSAGE#39:anomaly:Resource_Info:01/1_1", "nwparser.p0", "duration %{p0}"); + + var part73 = match("MESSAGE#39:anomaly:Resource_Info:01/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}, %{info}"); + + var part74 = match("MESSAGE#40:anomaly:Resource_Info:02/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}"); + + var select17 = 
linear_select([ + dup2, + dup3, + ]); + + var select18 = linear_select([ + dup6, + dup7, + dup8, + dup9, + ]); + + var part75 = match("MESSAGE#2:BGP:Down", "nwparser.payload", "%{protocol->} down for router %{node}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup12, + dup13, + dup14, + ])); + + var part76 = match("MESSAGE#3:BGP:Restored", "nwparser.payload", "%{protocol->} restored for router %{node}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup15, + dup13, + dup16, + ])); + + var select19 = linear_select([ + dup21, + dup22, + ]); + + var select20 = linear_select([ + dup31, + dup32, + ]); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/netscout/0.1.0/dataset/sightline/agent/stream/udp.yml.hbs b/packages/netscout/0.1.0/dataset/sightline/agent/stream/udp.yml.hbs new file mode 100644 index 0000000000..3ea02d097f --- /dev/null +++ b/packages/netscout/0.1.0/dataset/sightline/agent/stream/udp.yml.hbs 
@@ -0,0 +1,3398 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Netscout" + product: "Arbor" + type: "DDOS" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{hday->} %{htime->} %{hdata}: %{p0}"); + + var dup2 = match("HEADER#1:0002/1_0", "nwparser.p0", "high %{p0}"); + + var dup3 = match("HEADER#1:0002/1_1", "nwparser.p0", "low %{p0}"); + + var dup4 = call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant("_"), + field("msgIdPart2"), + ], + }); + + var dup5 = match("HEADER#2:0008/2", "nwparser.p0", "%{} %{p0}"); + + var dup6 = match("HEADER#2:0008/3_0", "nwparser.p0", "jitter %{p0}"); + + var dup7 = match("HEADER#2:0008/3_1", "nwparser.p0", "loss %{p0}"); + + var dup8 = match("HEADER#2:0008/3_2", "nwparser.p0", "bps %{p0}"); + + var dup9 = match("HEADER#2:0008/3_3", "nwparser.p0", "pps %{p0}"); + + var dup10 = match("HEADER#3:0003/4", "nwparser.p0", "%{} %{msgIdPart1->} %{msgIdPart2->} %{payload}"); + + var dup11 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("payload"), + ], + }); + + var dup12 = setc("eventcategory","1801010000"); + + var dup13 = setf("msg","$MSG"); + + var dup14 = date_time({ + dest: "starttime", + args: ["fld15","fld16","fld17","fld18","fld19","fld20"], + fmts: [ + [dW,dM,dD,dH,dT,dS], + ], + }); + + var dup15 = setc("eventcategory","1801020000"); + + var dup16 = date_time({ + dest: "endtime", + args: ["fld15","fld16","fld17","fld18","fld19","fld20"], + fmts: [ + [dW,dM,dD,dH,dT,dS], + ], + }); + + var dup17 = setc("eventcategory","1607000000"); + + var dup18 = setc("eventcategory","1605000000"); + + var dup19 = setc("eventcategory","1701000000"); + + var dup20 = setc("eventcategory","1603010000"); + + var dup21 = match("MESSAGE#19:mitigation:TMS_Start/1_0", "nwparser.p0", "%{fld21}, %{p0}"); + + var dup22 = match("MESSAGE#19:mitigation:TMS_Start/1_1", "nwparser.p0", ", %{p0}"); + + var dup23 = match("MESSAGE#19:mitigation:TMS_Start/2", "nwparser.p0", "%{}leader %{parent_node}"); + + var 
dup24 = setc("eventcategory","1502020000"); + + var dup25 = setc("event_type","TMS mitigation"); + + var dup26 = setc("disposition","ongoing"); + + var dup27 = setc("disposition","done"); + + var dup28 = setc("event_type","Third party mitigation"); + + var dup29 = setc("event_type","Blackhole mitigation"); + + var dup30 = setc("event_type","Flowspec mitigation"); + + var dup31 = match("MESSAGE#39:anomaly:Resource_Info:01/1_0", "nwparser.p0", "%{fld21->} duration %{p0}"); + + var dup32 = match("MESSAGE#39:anomaly:Resource_Info:01/1_1", "nwparser.p0", "duration %{p0}"); + + var dup33 = match("MESSAGE#39:anomaly:Resource_Info:01/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}, %{info}"); + + var dup34 = setc("eventcategory","1002000000"); + + var dup35 = setc("signame","Bandwidth"); + + var dup36 = date_time({ + dest: "starttime", + args: ["fld15","fld16","fld17","fld18","fld19","fld20"], + fmts: [ + [dW,dM,dD,dN,dU,dO], + ], + }); + + var dup37 = match("MESSAGE#40:anomaly:Resource_Info:02/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}"); + + var dup38 = date_time({ + dest: "starttime", + args: ["fld2","fld3"], + fmts: [ + [dW,dc("-"),dM,dc("-"),dF,dZ], + ], + }); + + var dup39 = linear_select([ + dup2, + dup3, + ]); + + var dup40 = linear_select([ + dup6, + dup7, + dup8, + dup9, + ]); + + var dup41 = match("MESSAGE#2:BGP:Down", "nwparser.payload", "%{protocol->} down for router %{node}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup12, + dup13, + dup14, + ])); + + var dup42 = match("MESSAGE#3:BGP:Restored", "nwparser.payload", "%{protocol->} restored for router %{node}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup15, + dup13, + dup16, + 
])); + + var dup43 = linear_select([ + dup21, + dup22, + ]); + + var dup44 = linear_select([ + dup31, + dup32, + ]); + + var part1 = match("HEADER#0:0001/1_0", "nwparser.p0", "TMS %{p0}"); + + var part2 = match("HEADER#0:0001/1_1", "nwparser.p0", "Third party %{p0}"); + + var part3 = match("HEADER#0:0001/1_2", "nwparser.p0", "Blackhole %{p0}"); + + var part4 = match("HEADER#0:0001/1_3", "nwparser.p0", "Flowspec %{p0}"); + + var select1 = linear_select([ + part1, + part2, + part3, + part4, + ]); + + var part5 = match("HEADER#0:0001/2", "nwparser.p0", "%{} %{messageid->} %{payload}"); + + var all1 = all_match({ + processors: [ + dup1, + select1, + part5, + ], + on_success: processor_chain([ + setc("header_id","0001"), + ]), + }); + + var part6 = match("HEADER#1:0002/2", "nwparser.p0", "%{}interface %{msgIdPart1->} %{msgIdPart2->} %{payload}"); + + var all2 = all_match({ + processors: [ + dup1, + dup39, + part6, + ], + on_success: processor_chain([ + setc("header_id","0002"), + dup4, + ]), + }); + + var part7 = match("HEADER#2:0008/4", "nwparser.p0", "%{} %{msgIdPart1->} %{hfld1->} for service %{payload}"); + + var all3 = all_match({ + processors: [ + dup1, + dup39, + dup5, + dup40, + part7, + ], + on_success: processor_chain([ + setc("header_id","0008"), + call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + constant("usage_"), + field("msgIdPart1"), + ], + }), + ]), + }); + + var all4 = all_match({ + processors: [ + dup1, + dup39, + dup5, + dup40, + dup10, + ], + on_success: processor_chain([ + setc("header_id","0003"), + dup4, + ]), + }); + + var part8 = match("HEADER#4:0004/1_2", "nwparser.p0", "High %{p0}"); + + var select2 = linear_select([ + dup2, + dup3, + part8, + ]); + + var all5 = all_match({ + processors: [ + dup1, + select2, + dup10, + ], + on_success: processor_chain([ + setc("header_id","0004"), + dup4, + ]), + }); + + var hdr1 = match("HEADER#5:0005", "message", "%{hmonth->} %{hday->} %{htime->} pfsp: The %{messageid->} %{payload}", 
processor_chain([ + setc("header_id","0005"), + dup11, + ])); + + var hdr2 = match("HEADER#6:0006", "message", "%{hmonth->} %{hday->} %{htime->} pfsp: Alert %{messageid->} %{payload}", processor_chain([ + setc("header_id","0006"), + dup11, + ])); + + var hdr3 = match("HEADER#7:0007", "message", "%{hmonth->} %{hday->} %{htime->} pfsp: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0007"), + dup11, + ])); + + var hdr4 = match("HEADER#8:0010", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1}: %{msgIdPart1->} %{msgIdPart2}: %{payload}", processor_chain([ + setc("header_id","0010"), + dup4, + ])); + + var hdr5 = match("HEADER#9:0009", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0009"), + ])); + + var select3 = linear_select([ + all1, + all2, + all3, + all4, + all5, + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + ]); + + var part9 = match("MESSAGE#0:Flow:Down", "nwparser.payload", "Flow down for router %{node}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup12, + dup13, + dup14, + ])); + + var msg1 = msg("Flow:Down", part9); + + var part10 = match("MESSAGE#1:Flow:Restored", "nwparser.payload", "Flow restored for router %{node}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup15, + dup13, + dup16, + ])); + + var msg2 = msg("Flow:Restored", part10); + + var select4 = linear_select([ + msg1, + msg2, + ]); + + var msg3 = msg("BGP:Down", dup41); + + var msg4 = msg("BGP:Restored", dup42); + + var part11 = match("MESSAGE#4:BGP:Instability", "nwparser.payload", "%{protocol->} instability router %{node->} threshold %{fld25->} (%{fld1}) observed %{trigger_val->} (%{fld2})", processor_chain([ + dup17, + dup13, + ])); + + var msg5 = msg("BGP:Instability", part11); + + var part12 = match("MESSAGE#5:BGP:Instability_Ended", "nwparser.payload", 
"%{protocol->} Instability for router %{node->} ended", processor_chain([ + dup18, + dup13, + ])); + + var msg6 = msg("BGP:Instability_Ended", part12); + + var part13 = match("MESSAGE#6:BGP:Hijack", "nwparser.payload", "%{protocol->} Hijack local_prefix %{fld26->} router %{node->} bgp_prefix %{fld27->} bgp_attributes %{event_description}", processor_chain([ + setc("eventcategory","1002050000"), + dup13, + ])); + + var msg7 = msg("BGP:Hijack", part13); + + var part14 = match("MESSAGE#7:BGP:Hijack_Done", "nwparser.payload", "%{protocol->} Hijack for prefix %{fld26->} router %{node->} done", processor_chain([ + dup18, + dup13, + ])); + + var msg8 = msg("BGP:Hijack_Done", part14); + + var part15 = match("MESSAGE#8:BGP:Trap", "nwparser.payload", "%{protocol->} Trap %{node}: Prefix %{fld5->} %{fld6->} %{event_description}", processor_chain([ + dup19, + dup13, + ])); + + var msg9 = msg("BGP:Trap", part15); + + var select5 = linear_select([ + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + ]); + + var part16 = match("MESSAGE#9:Device:Unreachable", "nwparser.payload", "Device %{node->} unreachable by controller %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20}", processor_chain([ + dup12, + dup13, + dup14, + ])); + + var msg10 = msg("Device:Unreachable", part16); + + var part17 = match("MESSAGE#10:Device:Reachable", "nwparser.payload", "Device %{node->} reachable again by controller %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup15, + dup13, + dup16, + ])); + + var msg11 = msg("Device:Reachable", part17); + + var select6 = linear_select([ + msg10, + msg11, + ]); + + var part18 = match("MESSAGE#11:Hardware:Failure", "nwparser.payload", "Hardware failure on %{node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} GMT: %{event_description}", processor_chain([ + dup20, + dup13, + dup14, + ])); + + var msg12 = msg("Hardware:Failure", part18); + + var part19 = 
match("MESSAGE#12:Hardware:Failure_Done", "nwparser.payload", "Hardware failure on %{node->} done at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21->} GMT: %{event_description}", processor_chain([ + dup18, + dup13, + dup16, + ])); + + var msg13 = msg("Hardware:Failure_Done", part19); + + var select7 = linear_select([ + msg12, + msg13, + ]); + + var msg14 = msg("SNMP:Down", dup41); + + var msg15 = msg("SNMP:Restored", dup42); + + var select8 = linear_select([ + msg14, + msg15, + ]); + + var part20 = match("MESSAGE#15:configuration", "nwparser.payload", "configuration was changed on leader %{parent_node->} to version %{version->} by %{administrator}", processor_chain([ + dup19, + dup13, + setc("event_description","Configuration changed"), + ])); + + var msg16 = msg("configuration", part20); + + var part21 = match("MESSAGE#16:Autoclassification", "nwparser.payload", "Autoclassification was restarted on %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21->} by %{administrator}", processor_chain([ + dup19, + dup13, + setc("event_description","Autoclassification restarted"), + dup14, + ])); + + var msg17 = msg("Autoclassification", part21); + + var part22 = match("MESSAGE#17:GRE:Down", "nwparser.payload", "GRE tunnel down for destination %{daddr}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup12, + dup13, + dup14, + ])); + + var msg18 = msg("GRE:Down", part22); + + var part23 = match("MESSAGE#18:GRE:Restored", "nwparser.payload", "GRE tunnel restored for destination %{daddr}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + setc("eventcategory","1801020100"), + dup13, + dup16, + ])); + + var msg19 = msg("GRE:Restored", part23); + + var select9 = linear_select([ + msg18, + msg19, + ]); + + var part24 = match("MESSAGE#19:mitigation:TMS_Start/0", "nwparser.payload", "pfsp: TMS mitigation 
%{policyname->} started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all6 = all_match({ + processors: [ + part24, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup25, + dup26, + dup14, + ]), + }); + + var msg20 = msg("mitigation:TMS_Start", all6); + + var part25 = match("MESSAGE#20:mitigation:TMS_Stop/0", "nwparser.payload", "pfsp: TMS mitigation %{policyname->} stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all7 = all_match({ + processors: [ + part25, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup25, + dup27, + dup16, + ]), + }); + + var msg21 = msg("mitigation:TMS_Stop", all7); + + var part26 = match("MESSAGE#21:mitigation:Thirdparty_Start/0", "nwparser.payload", "pfsp: Third party mitigation %{node->} started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all8 = all_match({ + processors: [ + part26, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup28, + dup26, + dup14, + ]), + }); + + var msg22 = msg("mitigation:Thirdparty_Start", all8); + + var part27 = match("MESSAGE#22:mitigation:Thirdparty_Stop/0", "nwparser.payload", "pfsp: Third party mitigation %{node->} stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all9 = all_match({ + processors: [ + part27, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup28, + dup27, + ]), + }); + + var msg23 = msg("mitigation:Thirdparty_Stop", all9); + + var part28 = match("MESSAGE#23:mitigation:Blackhole_Start/0", "nwparser.payload", "pfsp: Blackhole mitigation %{node->} started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all10 = all_match({ + processors: [ + part28, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup29, + dup26, + dup14, + ]), + }); + + var msg24 = msg("mitigation:Blackhole_Start", all10); + + var 
part29 = match("MESSAGE#24:mitigation:Blackhole_Stop/0", "nwparser.payload", "pfsp: Blackhole mitigation %{node->} stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all11 = all_match({ + processors: [ + part29, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup29, + dup27, + ]), + }); + + var msg25 = msg("mitigation:Blackhole_Stop", all11); + + var part30 = match("MESSAGE#25:mitigation:Flowspec_Start/0", "nwparser.payload", "pfsp: Flowspec mitigation %{node->} started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all12 = all_match({ + processors: [ + part30, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup30, + dup26, + dup14, + ]), + }); + + var msg26 = msg("mitigation:Flowspec_Start", all12); + + var part31 = match("MESSAGE#26:mitigation:Flowspec_Stop/0", "nwparser.payload", "pfsp: Flowspec mitigation %{node->} stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all13 = all_match({ + processors: [ + part31, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup30, + dup27, + ]), + }); + + var msg27 = msg("mitigation:Flowspec_Stop", all13); + + var select10 = linear_select([ + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + ]); + + var part32 = match("MESSAGE#27:TMS:Fault_Cleared", "nwparser.payload", "TMS '%{event_description}' fault for resource '%{resource}' on TMS %{node->} cleared", processor_chain([ + dup18, + dup13, + setc("event_type","Fault Cleared"), + ])); + + var msg28 = msg("TMS:Fault_Cleared", part32); + + var part33 = match("MESSAGE#28:TMS:Fault", "nwparser.payload", "TMS '%{event_description}' fault for resource '%{resource}' on TMS %{node}", processor_chain([ + dup20, + dup13, + setc("event_type","Fault Occured"), + ])); + + var msg29 = msg("TMS:Fault", part33); + + var select11 = linear_select([ + msg28, + msg29, + ]); + + var part34 = 
match("MESSAGE#29:usage_alert:Interface", "nwparser.payload", "pfsp: %{trigger_desc->} interface usage alert %{fld1->} for router %{node->} interface \"%{interface}\" speed %{fld2->} threshold %{fld25->} observed %{trigger_val->} pct %{fld3}", processor_chain([ + dup17, + dup13, + ])); + + var msg30 = msg("usage_alert:Interface", part34); + + var part35 = match("MESSAGE#30:usage_alert:Interface_Done", "nwparser.payload", "pfsp: %{trigger_desc->} interface usage alert %{fld1->} done for router %{node->} interface \"%{interface}\"", processor_chain([ + dup18, + dup13, + ])); + + var msg31 = msg("usage_alert:Interface_Done", part35); + + var part36 = match("MESSAGE#31:usage_alert:Fingerprint_Threshold", "nwparser.payload", "pfsp: %{trigger_desc->} usage alert %{fld1->} for fingerprint %{policyname->} threshold %{fld25->} observed %{trigger_val}", processor_chain([ + dup17, + dup13, + ])); + + var msg32 = msg("usage_alert:Fingerprint_Threshold", part36); + + var part37 = match("MESSAGE#32:usage_alert:Fingerprint_Threshold_Done", "nwparser.payload", "pfsp: %{trigger_desc->} usage alert %{fld1->} for fingerprint %{policyname->} done", processor_chain([ + dup18, + dup13, + ])); + + var msg33 = msg("usage_alert:Fingerprint_Threshold_Done", part37); + + var part38 = match("MESSAGE#33:usage_alert:Service_Threshold", "nwparser.payload", "pfsp: %{trigger_desc->} %{fld1->} usage alert %{fld2->} for service %{service}, %{application->} threshold %{fld25->} observed %{trigger_val}", processor_chain([ + dup17, + dup13, + ])); + + var msg34 = msg("usage_alert:Service_Threshold", part38); + + var part39 = match("MESSAGE#34:usage_alert:Service_Threshold_Done", "nwparser.payload", "pfsp: %{trigger_desc->} %{fld1->} alert %{fld2->} for service %{service->} done", processor_chain([ + dup18, + dup13, + ])); + + var msg35 = msg("usage_alert:Service_Threshold_Done", part39); + + var part40 = match("MESSAGE#35:usage_alert:ManagedObject_Threshold", "nwparser.payload", "pfsp: 
%{trigger_desc->} usage alert %{fld1->} for %{category->} %{fld2->} threshold %{fld25->} observed %{trigger_val}", processor_chain([ + dup17, + dup13, + ])); + + var msg36 = msg("usage_alert:ManagedObject_Threshold", part40); + + var part41 = match("MESSAGE#36:usage_alert:ManagedObject_Threshold_Done", "nwparser.payload", "pfsp: %{trigger_desc->} usage alert %{fld1->} for %{fld3->} %{fld4->} done", processor_chain([ + dup18, + dup13, + ])); + + var msg37 = msg("usage_alert:ManagedObject_Threshold_Done", part41); + + var select12 = linear_select([ + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + ]); + + var part42 = match("MESSAGE#37:Test", "nwparser.payload", "Test syslog message%{}", processor_chain([ + dup18, + dup13, + ])); + + var msg38 = msg("Test", part42); + + var part43 = match("MESSAGE#38:script/0", "nwparser.payload", "script %{node->} ran at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all14 = all_match({ + processors: [ + part43, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + setc("event_type","Script mitigation"), + dup26, + dup14, + ]), + }); + + var msg39 = msg("script", all14); + + var part44 = match("MESSAGE#39:anomaly:Resource_Info:01/0", "nwparser.payload", "anomaly Bandwidth id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} impact %{fld10->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all15 = all_match({ + processors: [ + part44, + dup44, + dup33, + ], + on_success: processor_chain([ + dup34, + dup13, + dup35, + dup36, + ]), + }); + + var msg40 = msg("anomaly:Resource_Info:01", all15); + + var part45 = match("MESSAGE#40:anomaly:Resource_Info:02/0", "nwparser.payload", "anomaly Bandwidth id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} src %{daddr}/%{dport->} %{fld1->} dst 
%{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all16 = all_match({ + processors: [ + part45, + dup44, + dup37, + ], + on_success: processor_chain([ + dup34, + dup13, + dup35, + dup36, + ]), + }); + + var msg41 = msg("anomaly:Resource_Info:02", all16); + + var part46 = match("MESSAGE#41:anomaly:Resource_Info:03/0", "nwparser.payload", "anomaly %{signame->} id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} impact %{fld10->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all17 = all_match({ + processors: [ + part46, + dup44, + dup33, + ], + on_success: processor_chain([ + dup34, + dup13, + dup36, + ]), + }); + + var msg42 = msg("anomaly:Resource_Info:03", all17); + + var part47 = match("MESSAGE#42:anomaly:Resource_Info:04/0", "nwparser.payload", "anomaly %{signame->} id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + + var all18 = all_match({ + processors: [ + part47, + dup44, + dup37, + ], + on_success: processor_chain([ + dup34, + dup13, + dup36, + ]), + }); + + var msg43 = msg("anomaly:Resource_Info:04", all18); + + var part48 = match("MESSAGE#43:anomaly:Router_Info:01", "nwparser.payload", "anomaly Bandwidth id %{sigid->} status %{disposition->} severity %{severity->} classification %{category->} router %{fld6->} router_name %{node->} interface %{fld4->} interface_name \"%{interface}\" %{fld5}", processor_chain([ + dup34, + dup13, + dup35, + ])); + + var msg44 = msg("anomaly:Router_Info:01", part48); + + var part49 = match("MESSAGE#44:anomaly:Router_Info:02", "nwparser.payload", "anomaly %{signame->} id %{sigid->} status %{disposition->} severity %{severity->} classification 
%{category->} router %{fld6->} router_name %{node->} interface %{fld4->} interface_name \"%{interface}\" %{fld5}", processor_chain([ + dup34, + dup13, + ])); + + var msg45 = msg("anomaly:Router_Info:02", part49); + + var select13 = linear_select([ + msg40, + msg41, + msg42, + msg43, + msg44, + msg45, + ]); + + var part50 = match("MESSAGE#45:Peakflow:Unreachable", "nwparser.payload", "Peakflow device %{node->} unreachable by %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20}", processor_chain([ + dup12, + dup13, + dup14, + ])); + + var msg46 = msg("Peakflow:Unreachable", part50); + + var part51 = match("MESSAGE#46:Peakflow:Reachable", "nwparser.payload", "Peakflow device %{node->} reachable again by %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup15, + dup13, + dup16, + ])); + + var msg47 = msg("Peakflow:Reachable", part51); + + var select14 = linear_select([ + msg46, + msg47, + ]); + + var part52 = match("MESSAGE#47:Host:Detection", "nwparser.payload", "Host Detection alert %{fld1}, start %{fld2->} %{fld3->} %{fld4}, duration %{duration}, stop %{fld5->} %{fld6->} %{fld7}, , importance %{severity}, managed_objects (%{fld8}), is now %{result}, (parent managed object %{fld9})", processor_chain([ + dup18, + dup13, + dup38, + date_time({ + dest: "endtime", + args: ["fld5","fld6"], + fmts: [ + [dW,dc("-"),dM,dc("-"),dF,dZ], + ], + }), + ])); + + var msg48 = msg("Host:Detection", part52); + + var part53 = match("MESSAGE#48:Host:Detection:01", "nwparser.payload", "Host Detection alert %{fld1}, start %{fld2->} %{fld3->} %{fld4}, duration %{duration}, direction %{direction}, host %{saddr}, signatures (%{signame}), impact %{fld5}, importance %{severity}, managed_objects (%{fld6}), (parent managed object %{fld7})", processor_chain([ + dup18, + dup13, + dup38, + ])); + + var msg49 = msg("Host:Detection:01", part53); + + var select15 = linear_select([ + msg48, + msg49, + ]); + + var 
part54 = match("MESSAGE#49:Infrastructure", "nwparser.payload", "AIF license expiring cleared,URL: %{url}", processor_chain([ + dup18, + dup13, + setc("event_description","AIF license expiring cleared"), + ])); + + var msg50 = msg("Infrastructure", part54); + + var part55 = match("MESSAGE#50:Infrastructure:02", "nwparser.payload", "Hardware sensor detected a critical state. System Fan%{fld1}:%{fld2}Triggering value:%{fld3},URL:%{url}", processor_chain([ + dup18, + dup13, + setc("event_description","Hardware sensor detected a critical state"), + ])); + + var msg51 = msg("Infrastructure:02", part55); + + var part56 = match("MESSAGE#51:Infrastructure:01", "nwparser.payload", "AIF license expired cleared,URL: %{url}", processor_chain([ + dup18, + dup13, + setc("event_description","AIF license expired cleared"), + ])); + + var msg52 = msg("Infrastructure:01", part56); + + var select16 = linear_select([ + msg50, + msg51, + msg52, + ]); + + var part57 = match("MESSAGE#52:Blocked_Host", "nwparser.payload", "Blocked host%{saddr}at%{fld1}by Blocked Countries using%{protocol}destination%{daddr},URL:%{url}", processor_chain([ + setc("eventcategory","1803000000"), + dup13, + ])); + + var msg53 = msg("Blocked_Host", part57); + + var part58 = match("MESSAGE#53:Change_Log", "nwparser.payload", "Username:%{username}, Subsystem:%{fld1}, Setting Type:%{fld2}, Message:%{fld3}", processor_chain([ + dup18, + dup13, + ])); + + var msg54 = msg("Change_Log", part58); + + var part59 = match("MESSAGE#54:Protection_Mode", "nwparser.payload", "Changed protection mode to active for protection group%{group},URL:%{url}", processor_chain([ + dup18, + dup13, + setc("event_description","Changed protection mode to active for protection group"), + ])); + + var msg55 = msg("Protection_Mode", part59); + + var chain1 = processor_chain([ + select3, + msgid_select({ + "Autoclassification": msg17, + "BGP": select5, + "Blocked_Host": msg53, + "Change_Log": msg54, + "Device": select6, + "Flow": select4, + 
"GRE": select9, + "Hardware": select7, + "Host": select15, + "Infrastructure": select16, + "Peakflow": select14, + "Protection_Mode": msg55, + "SNMP": select8, + "TMS": select11, + "Test": msg38, + "anomaly": select13, + "configuration": msg16, + "mitigation": select10, + "script": msg39, + "usage_alert": select12, + }), + ]); + + var hdr6 = match("HEADER#0:0001/0", "message", "%{hmonth->} %{hday->} %{htime->} %{hdata}: %{p0}"); + + var part60 = match("HEADER#1:0002/1_0", "nwparser.p0", "high %{p0}"); + + var part61 = match("HEADER#1:0002/1_1", "nwparser.p0", "low %{p0}"); + + var part62 = match("HEADER#2:0008/2", "nwparser.p0", "%{} %{p0}"); + + var part63 = match("HEADER#2:0008/3_0", "nwparser.p0", "jitter %{p0}"); + + var part64 = match("HEADER#2:0008/3_1", "nwparser.p0", "loss %{p0}"); + + var part65 = match("HEADER#2:0008/3_2", "nwparser.p0", "bps %{p0}"); + + var part66 = match("HEADER#2:0008/3_3", "nwparser.p0", "pps %{p0}"); + + var part67 = match("HEADER#3:0003/4", "nwparser.p0", "%{} %{msgIdPart1->} %{msgIdPart2->} %{payload}"); + + var part68 = match("MESSAGE#19:mitigation:TMS_Start/1_0", "nwparser.p0", "%{fld21}, %{p0}"); + + var part69 = match("MESSAGE#19:mitigation:TMS_Start/1_1", "nwparser.p0", ", %{p0}"); + + var part70 = match("MESSAGE#19:mitigation:TMS_Start/2", "nwparser.p0", "%{}leader %{parent_node}"); + + var part71 = match("MESSAGE#39:anomaly:Resource_Info:01/1_0", "nwparser.p0", "%{fld21->} duration %{p0}"); + + var part72 = match("MESSAGE#39:anomaly:Resource_Info:01/1_1", "nwparser.p0", "duration %{p0}"); + + var part73 = match("MESSAGE#39:anomaly:Resource_Info:01/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}, %{info}"); + + var part74 = match("MESSAGE#40:anomaly:Resource_Info:02/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}"); + + var select17 = 
linear_select([ + dup2, + dup3, + ]); + + var select18 = linear_select([ + dup6, + dup7, + dup8, + dup9, + ]); + + var part75 = match("MESSAGE#2:BGP:Down", "nwparser.payload", "%{protocol->} down for router %{node}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup12, + dup13, + dup14, + ])); + + var part76 = match("MESSAGE#3:BGP:Restored", "nwparser.payload", "%{protocol->} restored for router %{node}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup15, + dup13, + dup16, + ])); + + var select19 = linear_select([ + dup21, + dup22, + ]); + + var select20 = linear_select([ + dup31, + dup32, + ]); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/netscout/0.1.0/dataset/sightline/elasticsearch/ingest_pipeline/default.yml b/packages/netscout/0.1.0/dataset/sightline/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 0000000000..66f9ab7bcc --- /dev/null +++ b/packages/netscout/0.1.0/dataset/sightline/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Arbor Peakflow SP
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/netscout/0.1.0/dataset/sightline/fields/base-fields.yml b/packages/netscout/0.1.0/dataset/sightline/fields/base-fields.yml
new file mode 100644
index 0000000000..b294eaf20e
--- /dev/null
+++ b/packages/netscout/0.1.0/dataset/sightline/fields/base-fields.yml
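Review bot: The `on_failure` handler at the end of this pipeline appends the processor error to `error.message` but leaves the document otherwise unmarked, so an event whose `geoip` or `rename` step failed is indexed looking like a clean one and cannot be filtered out during triage. `source.ip` and `destination.ip` are populated upstream by the syslog parser rather than validated here, so a non-IP value in either would presumably trip the `geoip` processors and land in this branch. Consider also tagging such documents by adding a second processor under `on_failure`, e.g. `- append:` / `field: tags` / `value: <pipeline-failure-tag>` (placeholder tag name), so the failure path is discoverable in searches and dashboards.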
@@ -0,0 +1,26 @@
+- name: datastream.type
+ type: constant_keyword
+ description: Datastream type.
+- name: datastream.dataset
+ type: constant_keyword
+ description: Datastream dataset.
+- name: datastream.namespace
+ type: constant_keyword
+ description: Datastream namespace.
+
+- name: dataset.type
+ type: constant_keyword
+ description: >
+ Dataset type.
+- name: dataset.name
+ type: constant_keyword
+ description: >
+ Dataset name.
+- name: dataset.namespace
+ type: constant_keyword
+ description: >
+ Dataset namespace.
+- name: "@timestamp"
+ type: date
+ description: >
+ Event timestamp.
diff --git a/packages/netscout/0.1.0/dataset/sightline/fields/ecs.yml b/packages/netscout/0.1.0/dataset/sightline/fields/ecs.yml
new file mode 100644
index 0000000000..92af91c339
--- /dev/null
+++ b/packages/netscout/0.1.0/dataset/sightline/fields/ecs.yml
@@ -0,0 +1,836 @@ +- name: log + type: group + fields: + - name: original + level: core + type: keyword + ignore_above: 1024 + description: 'This is the original log message and contains the full log message + before splitting it up in multiple parts. + + In contrast to the `message` field which can contain an extracted part of the + log message, this field contains the original, full log message. It can have + already some modifications applied like encoding or new lines removed to clean + up the log message. + + This field is not indexed and doc_values are disabled so it can''t be queried + but the value can be retrieved from `_source`.' + example: Sep 19 08:26:10 localhost My log + - name: level + level: core + type: keyword + ignore_above: 1024 + description: 'Original log level of the log event. + + If the source of the event provides a log level or textual severity, this is + the one that goes in `log.level`. If your source doesn''t specify one, you may + put your event transport''s severity here (e.g. Syslog severity). + + Some examples are `warn`, `err`, `i`, `informational`.' + example: error + - name: syslog + type: group + fields: + - name: priority + level: extended + type: long + format: string + description: 'Syslog numeric priority of the event, if available. + + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. + This number is therefore expected to contain a value between 0 and 191.' + example: 135 + - name: facility + type: group + fields: + - name: code + level: extended + type: long + format: string + description: 'The Syslog numeric facility of the log event, if available. + + According to RFCs 5424 and 3164, this value should be an integer between + 0 and 23.' + example: 23 + - name: severity + type: group + fields: + - name: code + level: extended + type: long + description: 'The Syslog numeric severity of the log event, if available. 
+ + If the event source publishing via Syslog provides a different numeric severity + value (e.g. firewall, IDS), your source''s numeric severity should go to + `event.severity`. If the event source does not specify a distinct severity, + you can optionally copy the Syslog severity to `event.severity`.' + example: 3 +- name: event + type: group + fields: + - name: code + level: extended + type: keyword + ignore_above: 1024 + description: 'Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, regardless + of message language or wording adjustments over time. An example of this is + the Windows Event ID.' + example: 4648 + - name: action + level: core + type: keyword + ignore_above: 1024 + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is normally + defined by the implementer.' + example: user-password-change + - name: outcome + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + lowest level in the ECS category hierarchy. + + `event.outcome` simply denotes whether the event represents a success or a failure + from the perspective of the entity that produced the event. + + Note that when a single transaction is described in multiple events, each event + may populate different values of `event.outcome`, according to their perspective. + + Also note that in the case of a compound event (a single event that contains + multiple logical events), this field should be populated with the value that + best captures the overall success or failure from the perspective of the event + producer. + + Further note that not all events will have an associated outcome. 
For example, + this field is generally not populated for metric events, events with `event.type:info`, + or any events for which an outcome does not make logical sense.' + example: success + - name: category + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as a + subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + - name: timezone + level: extended + type: keyword + ignore_above: 1024 + description: 'This field should be populated when the event''s timestamp does + not include timezone information already (e.g. default Syslog timestamps). It''s + optional otherwise. + + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated + (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' +- name: '@timestamp' + level: core + required: true + type: date + description: 'Date/time when the event originated. + + This is the date/time extracted from the event, typically representing when the + event was generated by the source. + + If the event source has no original timestamp, this value is typically populated + by the first time the event was received by the pipeline. + + Required field for all events.' + example: '2016-05-23T08:05:34.853Z' +- name: user + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. 
+ example: albert + - name: full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifiers of the user. +- name: message + level: core + type: text + description: 'For log events the message field contains the log message, optimized + for viewing in a log viewer. + + For structured logs without an original message field, other fields can be concatenated + to form a human-readable summary of the event. + + If multiple messages exist, they can be combined into one message.' + example: Hello World +- name: source + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the source. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the source. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the source. + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. 
internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Source domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: host + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified + domain name, or a name specified by the user. The sender decides which value + to use.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. +- name: destination + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the destination. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the destination. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event destination addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. 
You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the destination to the source. + example: 184 + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the destination. + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of destination based NAT sessions (e.g. internet + to private DMZ) + + Typically used with load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Port the source session is translated to by NAT Device. + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Destination domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: network + type: group + fields: + - name: protocol + level: core + type: keyword + ignore_above: 1024 + description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: http + - name: application + level: extended + type: keyword + ignore_above: 1024 + description: 'A name given to an application level protocol. This can be arbitrarily + assigned for things like microservices, but also apply to things like skype, + icq, facebook, twitter. 
This would be used in situations where the vendor or + service can be decoded such as from the source/dest IP owners, ports, or wire + format. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: aim + - name: interface + type: group + fields: + - type: keyword + name: name + - name: bytes + level: core + type: long + format: bytes + description: 'Total bytes transferred in both directions. + + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their + sum.' + example: 368 + - name: direction + level: core + type: keyword + ignore_above: 1024 + description: "Direction of the network traffic.\nRecommended values are:\n *\ + \ inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen mapping\ + \ events from a host-based monitoring context, populate this field from the\ + \ host's point of view.\nWhen mapping events from a network or perimeter-based\ + \ monitoring context, populate this field from the point of view of your network\ + \ perimeter." + example: inbound + - name: packets + level: core + type: long + description: 'Total packets transferred in both directions. + + If `source.packets` and `destination.packets` are known, `network.packets` is + their sum.' + example: 24 + - name: forwarded_ip + level: core + type: ip + description: Host IP address when the source IP address is the proxy. + example: 192.1.1.2 +- name: observer + type: group + fields: + - name: version + level: core + type: keyword + ignore_above: 1024 + description: Observer version. + - name: product + level: extended + type: keyword + ignore_above: 1024 + description: The product name of the observer. + example: s200 + - name: ingress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. 
+ example: eth0 + default_field: false + - name: egress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. + example: eth0 + default_field: false +- name: file + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. + example: example.png + - name: directory + level: extended + type: keyword + ignore_above: 1024 + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + - name: size + level: extended + type: long + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: File type (file, dir, or symlink). + example: file + - name: extension + level: extended + type: keyword + ignore_above: 1024 + description: File extension. + example: png + - name: path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + - name: attributes + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' 
+ example: '["readonly", "system"]' + default_field: false +- name: url + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + - name: query + level: extended + type: keyword + ignore_above: 1024 + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there is + no query field. If there is a `?` but no query, the query field exists with + an empty string. The `exists` query can be used to differentiate between the + two cases.' + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field.' + example: www.elastic.co + - name: path + level: extended + type: keyword + ignore_above: 1024 + description: Path of the request, such as "/search". + - name: top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for google.com is "com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). 
Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.google.com" is "google.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: google.com +- name: service + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the service data is collected from. + + The name of the service is normally user given. This allows for distributed + services that run on multiple hosts to correlate the related instances based + on the name. + + In the case of Elasticsearch the `service.name` could contain the cluster name. + For Beats the `service.name` is by default a copy of the `service.type` field + if no name is specified.' + example: elasticsearch-metrics +- name: server + type: group + fields: + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Server domain. +- name: process + type: group + fields: + - name: pid + level: core + type: long + format: string + description: Process id. + example: 4242 + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + - name: ppid + level: extended + type: long + format: string + description: Parent process' pid. 
+ example: 4241 + - name: parent + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' +- name: rule + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: The name of the rule or signature generating the event. + example: BLOCK_DNS_over_TLS + default_field: false +- name: user_agent + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Unparsed user_agent string. + example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 + (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 +- name: http + type: group + fields: + - name: response + type: group + fields: + - name: body + type: group + fields: + - name: content + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: The full HTTP response body. 
+ example: Hello world + - name: request + type: group + fields: + - name: referrer + level: extended + type: keyword + ignore_above: 1024 + description: Referrer for this HTTP request. + example: https://blog.example.com/ + - name: method + level: extended + type: keyword + ignore_above: 1024 + description: 'HTTP request method. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: get, post, put +- name: geo + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + - name: region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec +- name: dns + type: group + fields: + - name: question + type: group + fields: + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of record being queried. + example: AAAA + - name: answers + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'The domain name to which this resource record pertains. + + If a chain of CNAME is being resolved, each answer''s `name` should be the + one that corresponds with the answer''s `data`. It should not simply be the + original `question.name` repeated.' + example: www.google.com + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of data contained in this resource record. 
+ example: CNAME diff --git a/packages/netscout/0.1.0/dataset/sightline/fields/fields.yml b/packages/netscout/0.1.0/dataset/sightline/fields/fields.yml new file mode 100644 index 0000000000..2abc947fe7 --- /dev/null +++ b/packages/netscout/0.1.0/dataset/sightline/fields/fields.yml 
@@ -0,0 +1,1939 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. 
+ - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value
+ type: keyword
+ description: SNMP set request value
+ - name: streams
+ type: long
+ description: This key captures number of streams in session
+ - name: db
+ type: group
+ fields:
+ - name: index
+ type: keyword
+ description: This key captures IndexID of the index.
+ - name: instance
+ type: keyword
+ description: This key is used to capture the database server instance name
+ - name: database
+ type: keyword
+ description: This key is used to capture the name of a database or an instance
+ as seen in a session
+ - name: transact_id
+ type: keyword
+ description: This key captures the SQL transantion ID of the current session
+ - name: permissions
+ type: keyword
+ description: This key captures permission or privilege level assigned to a resource.
+ - name: table_name
+ type: keyword
+ description: This key is used to capture the table name
+ - name: db_id
+ type: keyword
+ description: This key is used to capture the unique identifier for a database
+ - name: db_pid
+ type: long
+ description: This key captures the process id of a connection with database
+ server
+ - name: lread
+ type: long
+ description: This key is used for the number of logical reads
+ - name: lwrite
+ type: long
+ description: This key is used for the number of logical writes
+ - name: pread
+ type: long
+ description: This key is used for the number of physical writes
+ - name: network
+ type: group
+ fields:
+ - name: alias_host
+ type: keyword
+ description: This key should be used when the source or destination context
+ of a hostname is not clear.Also it captures the Device Hostname. Any Hostname
+ that isnt ad.computer.
+ - name: domain
+ type: keyword
+ - name: host_dst
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Hostname"
+ - name: network_service
+ type: keyword
+ description: This is used to capture layer 7 protocols/service names
+ - name: interface
+ type: keyword
+ description: This key should be used when the source or destination context
+ of an interface is not clear
+ - name: network_port
+ type: long
+ description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
+ used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
+ - name: eth_host
+ type: keyword
+ description: Deprecated, use alias.mac
+ - name: sinterface
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Interface"
+ - name: dinterface
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Interface"
+ - name: vlan
+ type: long
+ description: This key should only be used to capture the ID of the Virtual LAN
+ - name: zone_src
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Zone."
+ - name: zone
+ type: keyword
+ description: This key should be used when the source or destination context
+ of a Zone is not clear
+ - name: zone_dst
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Zone."
+ - name: gateway
+ type: keyword
+ description: This key is used to capture the IP Address of the gateway
+ - name: icmp_type
+ type: long
+ description: This key is used to capture the ICMP type only
+ - name: mask
+ type: keyword
+ description: This key is used to capture the device network IPmask.
+ - name: icmp_code
+ type: long
+ description: This key is used to capture the ICMP code only
+ - name: protocol_detail
+ type: keyword
+ description: This key should be used to capture additional protocol information
+ - name: dmask
+ type: keyword
+ description: This key is used for Destionation Device network mask
+ - name: port
+ type: long
+ description: This key should only be used to capture a Network Port when the
+ directionality is not clear
+ - name: smask
+ type: keyword
+ description: This key is used for capturing source Network Mask
+ - name: netname
+ type: keyword
+ description: This key is used to capture the network name associated with an
+ IP range. This is configured by the end user.
+ - name: paddr
+ type: ip
+ description: Deprecated
+ - name: faddr
+ type: keyword
+ - name: lhost
+ type: keyword
+ - name: origin
+ type: keyword
+ - name: remote_domain_id
+ type: keyword
+ - name: addr
+ type: keyword
+ - name: dns_a_record
+ type: keyword
+ - name: dns_ptr_record
+ type: keyword
+ - name: fhost
+ type: keyword
+ - name: fport
+ type: keyword
+ - name: laddr
+ type: keyword
+ - name: linterface
+ type: keyword
+ - name: phost
+ type: keyword
+ - name: ad_computer_dst
+ type: keyword
+ description: Deprecated, use host.dst
+ - name: eth_type
+ type: long
+ description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
+ Only
+ - name: ip_proto
+ type: long
+ description: This key should be used to capture the Protocol number, all the
+ protocol nubers are converted into string in UI
+ - name: dns_cname_record
+ type: keyword
+ - name: dns_id
+ type: keyword
+ - name: dns_opcode
+ type: keyword
+ - name: dns_resp
+ type: keyword
+ - name: dns_type
+ type: keyword
+ - name: domain1
+ type: keyword
+ - name: host_type
+ type: keyword
+ - name: packet_length
+ type: keyword
+ - name: host_orig
+ type: keyword
+ description: This is used to capture the original hostname in case of a Forwarding
+ Agent or a Proxy in between.
+ - name: rpayload
+ type: keyword
+ description: This key is used to capture the total number of payload bytes seen
+ in the retransmitted packets.
+ - name: vlan_name
+ type: keyword
+ description: This key should only be used to capture the name of the Virtual
+ LAN
+ - name: investigations
+ type: group
+ fields:
+ - name: ec_activity
+ type: keyword
+ description: This key captures the particular event activity(Ex:Logoff)
+ - name: ec_theme
+ type: keyword
+ description: This key captures the Theme of a particular Event(Ex:Authentication)
+ - name: ec_subject
+ type: keyword
+ description: This key captures the Subject of a particular Event(Ex:User)
+ - name: ec_outcome
+ type: keyword
+ description: This key captures the outcome of a particular Event(Ex:Success)
+ - name: event_cat
+ type: long
+ description: This key captures the Event category number
+ - name: event_cat_name
+ type: keyword
+ description: This key captures the event category name corresponding to the
+ event cat code
+ - name: event_vcat
+ type: keyword
+ description: This is a vendor supplied category. This should be used in situations
+ where the vendor has adopted their own event_category taxonomy.
+ - name: analysis_file
+ type: keyword
+ description: This is used to capture all indicators used in a File Analysis.
+ This key should be used to capture an analysis of a file
+ - name: analysis_service
+ type: keyword
+ description: This is used to capture all indicators used in a Service Analysis.
+ This key should be used to capture an analysis of a service
+ - name: analysis_session
+ type: keyword
+ description: This is used to capture all indicators used for a Session Analysis.
+ This key should be used to capture an analysis of a session
+ - name: boc
+ type: keyword
+ description: This is used to capture behaviour of compromise
+ - name: eoc
+ type: keyword
+ description: This is used to capture Enablers of Compromise
+ - name: inv_category
+ type: keyword
+ description: This used to capture investigation category
+ - name: inv_context
+ type: keyword
+ description: This used to capture investigation context
+ - name: ioc
+ type: keyword
+ description: This is key capture indicator of compromise
+ - name: counters
+ type: group
+ fields:
+ - name: dclass_c1
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c1.str only
+ - name: dclass_c2
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c2.str only
+ - name: event_counter
+ type: long
+ description: This is used to capture the number of times an event repeated
+ - name: dclass_r1
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r1.str only
+ - name: dclass_c3
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c3.str only
+ - name: dclass_c1_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c1 only
+ - name: dclass_c2_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c2 only
+ - name: dclass_r1_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r1 only
+ - name: dclass_r2
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r2.str only
+ - name: dclass_c3_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c3 only
+ - name: dclass_r3
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r3.str only
+ - name: dclass_r2_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r2 only
+ - name: dclass_r3_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r3 only
+ - name: identity
+ type: group
+ fields:
+ - name: auth_method
+ type: keyword
+ description: This key is used to capture authentication methods used only
+ - name: user_role
+ type: keyword
+ description: This key is used to capture the Role of a user only
+ - name: dn
+ type: keyword
+ description: X.500 (LDAP) Distinguished Name
+ - name: logon_type
+ type: keyword
+ description: This key is used to capture the type of logon method used.
+ - name: profile
+ type: keyword
+ description: This key is used to capture the user profile
+ - name: accesses
+ type: keyword
+ description: This key is used to capture actual privileges used in accessing
+ an object
+ - name: realm
+ type: keyword
+ description: Radius realm or similar grouping of accounts
+ - name: user_sid_dst
+ type: keyword
+ description: This key captures Destination User Session ID
+ - name: dn_src
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that is used in a context that
+ indicates a Source dn
+ - name: org
+ type: keyword
+ description: This key captures the User organization
+ - name: dn_dst
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that used in a context that
+ indicates a Destination dn
+ - name: firstname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: lastname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: user_dept
+ type: keyword
+ description: User's Department Names only
+ - name: user_sid_src
+ type: keyword
+ description: This key captures Source User Session ID
+ - name: federated_sp
+ type: keyword
+ description: This key is the Federated Service Provider. This is the application
+ requesting authentication.
+ - name: federated_idp
+ type: keyword
+ description: This key is the federated Identity Provider. This is the server
+ providing the authentication.
+ - name: logon_type_desc
+ type: keyword
+ description: This key is used to capture the textual description of an integer
+ logon type as stored in the meta key 'logon.type'.
+ - name: middlename
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: password
+ type: keyword
+ description: This key is for Passwords seen in any session, plain text or encrypted
+ - name: host_role
+ type: keyword
+ description: This key should only be used to capture the role of a Host Machine
+ - name: ldap
+ type: keyword
+ description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
+ t have a clear query or response context"
+ - name: ldap_query
+ type: keyword
+ description: This key is the Search criteria from an LDAP search
+ - name: ldap_response
+ type: keyword
+ description: This key is to capture Results from an LDAP search
+ - name: owner
+ type: keyword
+ description: This is used to capture username the process or service is running
+ as, the author of the task
+ - name: service_account
+ type: keyword
+ description: This key is a windows specific key, used for capturing name of
+ the account a service (referenced in the event) is running under. Legacy Usage
+ - name: email
+ type: group
+ fields:
+ - name: email_dst
+ type: keyword
+ description: This key is used to capture the Destination email address only,
+ when the destination context is not clear use email
+ - name: email_src
+ type: keyword
+ description: This key is used to capture the source email address only, when
+ the source context is not clear use email
+ - name: subject
+ type: keyword
+ description: This key is used to capture the subject string from an Email only.
+ - name: email
+ type: keyword
+ description: This key is used to capture a generic email address where the source
+ or destination context is not clear
+ - name: trans_from
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: trans_to
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: file
+ type: group
+ fields:
+ - name: privilege
+ type: keyword
+ description: Deprecated, use permissions
+ - name: attachment
+ type: keyword
+ description: This key captures the attachment file name
+ - name: filesystem
+ type: keyword
+ - name: binary
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: filename_dst
+ type: keyword
+ description: This is used to capture name of the file targeted by the action
+ - name: filename_src
+ type: keyword
+ description: This is used to capture name of the parent filename, the file which
+ performed the action
+ - name: filename_tmp
+ type: keyword
+ - name: directory_dst
+ type: keyword
+ description: This key is used to capture the directory of the target process
+ or file
+ - name: directory_src
+ type: keyword
+ description: This key is used to capture the directory of the source process
+ or file
+ - name: file_entropy
+ type: double
+ description: This is used to capture entropy vale of a file
+ - name: file_vendor
+ type: keyword
+ description: This is used to capture Company name of file located in version_info
+ - name: task_name
+ type: keyword
+ description: This is used to capture name of the task
+ - name: web
+ type: group
+ fields:
+ - name: fqdn
+ type: keyword
+ description: Fully Qualified Domain Names
+ - name: web_cookie
+ type: keyword
+ description: This key is used to capture the Web cookies specifically.
+ - name: alias_host
+ type: keyword
+ - name: reputation_num
+ type: double
+ description: Reputation Number of an entity. Typically used for Web Domains
+ - name: web_ref_domain
+ type: keyword
+ description: Web referer's domain
+ - name: web_ref_query
+ type: keyword
+ description: This key captures Web referer's query portion of the URL
+ - name: remote_domain
+ type: keyword
+ - name: web_ref_page
+ type: keyword
+ description: This key captures Web referer's page information
+ - name: web_ref_root
+ type: keyword
+ description: Web referer's root URL path
+ - name: cn_asn_dst
+ type: keyword
+ - name: cn_rpackets
+ type: keyword
+ - name: urlpage
+ type: keyword
+ - name: urlroot
+ type: keyword
+ - name: p_url
+ type: keyword
+ - name: p_user_agent
+ type: keyword
+ - name: p_web_cookie
+ type: keyword
+ - name: p_web_method
+ type: keyword
+ - name: p_web_referer
+ type: keyword
+ - name: web_extension_tmp
+ type: keyword
+ - name: web_page
+ type: keyword
+ - name: threat
+ type: group
+ fields:
+ - name: threat_category
+ type: keyword
+ description: This key captures Threat Name/Threat Category/Categorization of
+ alert
+ - name: threat_desc
+ type: keyword
+ description: This key is used to capture the threat description from the session
+ directly or inferred
+ - name: alert
+ type: keyword
+ description: This key is used to capture name of the alert
+ - name: threat_source
+ type: keyword
+ description: This key is used to capture source of the threat
+ - name: crypto
+ type: group
+ fields:
+ - name: crypto
+ type: keyword
+ description: This key is used to capture the Encryption Type or Encryption Key
+ only
+ - name: cipher_src
+ type: keyword
+ description: This key is for Source (Client) Cipher
+ - name: cert_subject
+ type: keyword
+ description: This key is used to capture the Certificate organization only
+ - name: peer
+ type: keyword
+ description: This key is for Encryption peer's IP Address
+ - name: cipher_size_src
+ type: long
+ description: This key captures Source (Client) Cipher Size
+ - name: ike
+ type: keyword
+ description: IKE negotiation phase.
+ - name: scheme
+ type: keyword
+ description: This key captures the Encryption scheme used
+ - name: peer_id
+ type: keyword
+ description: "This key is for Encryption peer\u2019s identity"
+ - name: sig_type
+ type: keyword
+ description: This key captures the Signature Type
+ - name: cert_issuer
+ type: keyword
+ - name: cert_host_name
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: cert_error
+ type: keyword
+ description: This key captures the Certificate Error String
+ - name: cipher_dst
+ type: keyword
+ description: This key is for Destination (Server) Cipher
+ - name: cipher_size_dst
+ type: long
+ description: This key captures Destination (Server) Cipher Size
+ - name: ssl_ver_src
+ type: keyword
+ description: Deprecated, use version
+ - name: d_certauth
+ type: keyword
+ - name: s_certauth
+ type: keyword
+ - name: ike_cookie1
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
+ - name: ike_cookie2
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
+ - name: cert_checksum
+ type: keyword
+ - name: cert_host_cat
+ type: keyword
+ description: This key is used for the hostname category value of a certificate
+ - name: cert_serial
+ type: keyword
+ description: This key is used to capture the Certificate serial number only
+ - name: cert_status
+ type: keyword
+ description: This key captures Certificate validation status
+ - name: ssl_ver_dst
+ type: keyword
+ description: Deprecated, use version
+ - name: cert_keysize
+ type: keyword
+ - name: cert_username
+ type: keyword
+ - name: https_insact
+ type: keyword
+ - name: https_valid
+ type: keyword
+ - name: cert_ca
+ type: keyword
+ description: This key is used to capture the Certificate signing authority only
+ - name: cert_common
+ type: keyword
+ description: This key is used to capture the Certificate common name only
+ - name: wireless
+ type: group
+ fields:
+ - name: wlan_ssid
+ type: keyword
+ description: This key is used to capture the ssid of a Wireless Session
+ - name: access_point
+ type: keyword
+ description: This key is used to capture the access point name.
+ - name: wlan_channel
+ type: long
+ description: This is used to capture the channel names
+ - name: wlan_name
+ type: keyword
+ description: This key captures either WLAN number/name
+ - name: storage
+ type: group
+ fields:
+ - name: disk_volume
+ type: keyword
+ description: A unique name assigned to logical units (volumes) within a physical
+ disk
+ - name: lun
+ type: keyword
+ description: Logical Unit Number.This key is a very useful concept in Storage.
+ - name: pwwn
+ type: keyword
+ description: This uniquely identifies a port on a HBA.
+ - name: physical
+ type: group
+ fields:
+ - name: org_dst
+ type: keyword
+ description: This is used to capture the destination organization based on the
+ GEOPIP Maxmind database.
+ - name: org_src
+ type: keyword
+ description: This is used to capture the source organization based on the GEOPIP
+ Maxmind database.
+ - name: healthcare
+ type: group
+ fields:
+ - name: patient_fname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ type: group
+ fields:
+ - name: host_state
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/packages/netscout/0.1.0/dataset/sightline/manifest.yml b/packages/netscout/0.1.0/dataset/sightline/manifest.yml
new file mode 100644
index 0000000000..42f7033841
--- /dev/null
+++ b/packages/netscout/0.1.0/dataset/sightline/manifest.yml
@@ -0,0 +1,155 @@
+title: Arbor Peakflow SP logs
+release: experimental
+type: logs
+streams:
+- input: udp
+ title: Arbor Peakflow SP logs
+ description: Collect Arbor Peakflow SP logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - netscout-sightline
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9502
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: tcp
+ title: Arbor Peakflow SP logs
+ description: Collect Arbor Peakflow SP logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - netscout-sightline
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9502
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: file
+ title: Arbor Peakflow SP logs
+ description: Collect Arbor Peakflow SP logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/netscout-sightline.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - netscout-sightline
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
diff --git a/packages/netscout/0.1.0/docs/README.md b/packages/netscout/0.1.0/docs/README.md
new file mode 100644
index 0000000000..dd2ac7d729
--- /dev/null
+++ b/packages/netscout/0.1.0/docs/README.md
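Review bot: `rsa_fields` is user-visible and defaults to `true` in all three inputs, yet none of the vars carry a `description`, so the only hint of what the toggle does is the title `Add non-ECS fields`. The sibling field definitions earlier in this commit cover keys such as `rsa.identity.password` (described as passwords seen in any session, plain text or encrypted), so if the sightline parser emits that key the default setting indexes credentials alongside the ECS fields; I would add `description: Index the vendor's full non-ECS key set (rsa.*); this can include sensitive values such as rsa.identity.password.` under each of the three `rsa_fields` vars. Separately, the `file` input omits `template_path` while the `udp` and `tcp` inputs set it explicitly; presumably the package default applies, but setting it would keep the three inputs consistent.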
@@ -0,0 +1,780 @@ +# Netscout integration + +This integration is for Netscout device's logs. It includes the following +datasets for receiving logs over syslog or read from a file: +- `sightline` dataset: supports Arbor Peakflow SP logs. + +### Sightline + +The `sightline` dataset collects Arbor Peakflow SP logs. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| dataset.name | Dataset name. | constant_keyword | +| dataset.namespace | Dataset namespace. | constant_keyword | +| dataset.type | Dataset type. | constant_keyword | +| datastream.dataset | Datastream dataset. | constant_keyword | +| datastream.namespace | Datastream namespace. | constant_keyword | +| datastream.type | Datastream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | Destination domain. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location.lat | | double | +| destination.geo.location.lon | | double | +| destination.ip | IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses. | ip | +| destination.mac | MAC address of the destination. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. 
| keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| http.request.method | HTTP request method. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.body.content | The full HTTP response body. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. 
| keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | +| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.pid | Process id. | long | +| process.ppid | Parent process' pid. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. 
| keyword |
+| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long |
+| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword |
+| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long |
+| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword |
+| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long |
+| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword |
+| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword |
+| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword |
+| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword |
+| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword |
+| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword |
+| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword |
+| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long |
+| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword |
+| rsa.crypto.cert_checksum | | keyword |
+| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword |
+| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword |
+| rsa.crypto.cert_host_cat | This key is
used for the hostname category value of a certificate | keyword |
+| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword |
+| rsa.crypto.cert_issuer | | keyword |
+| rsa.crypto.cert_keysize | | keyword |
+| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword |
+| rsa.crypto.cert_status | This key captures Certificate validation status | keyword |
+| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword |
+| rsa.crypto.cert_username | | keyword |
+| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword |
+| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long |
+| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long |
+| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword |
+| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword |
+| rsa.crypto.d_certauth | | keyword |
+| rsa.crypto.https_insact | | keyword |
+| rsa.crypto.https_valid | | keyword |
+| rsa.crypto.ike | IKE negotiation phase.
| keyword |
+| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword |
+| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword |
+| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword |
+| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword |
+| rsa.crypto.s_certauth | | keyword |
+| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword |
+| rsa.crypto.sig_type | This key captures the Signature Type | keyword |
+| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword |
+| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword |
+| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword |
+| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword |
+| rsa.db.db_pid | This key captures the process id of a connection with database server | long |
+| rsa.db.index | This key captures IndexID of the index. | keyword |
+| rsa.db.instance | This key is used to capture the database server instance name | keyword |
+| rsa.db.lread | This key is used for the number of logical reads | long |
+| rsa.db.lwrite | This key is used for the number of logical writes | long |
+| rsa.db.permissions | This key captures permission or privilege level assigned to a resource.
| keyword |
+| rsa.db.pread | This key is used for the number of physical writes | long |
+| rsa.db.table_name | This key is used to capture the table name | keyword |
+| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword |
+| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword |
+| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword |
+| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword |
+| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword |
+| rsa.email.trans_from | Deprecated key defined only in table map. | keyword |
+| rsa.email.trans_to | Deprecated key defined only in table map. | keyword |
+| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on | keyword |
+| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword |
+| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword |
+| rsa.file.attachment | This key captures the attachment file name | keyword |
+| rsa.file.binary | Deprecated key defined only in table map.
| keyword |
+| rsa.file.directory_dst | This key is used to capture the directory of the target process or file | keyword |
+| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword |
+| rsa.file.file_entropy | This is used to capture entropy vale of a file | double |
+| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword |
+| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword |
+| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword |
+| rsa.file.filename_tmp | | keyword |
+| rsa.file.filesystem | | keyword |
+| rsa.file.privilege | Deprecated, use permissions | keyword |
+| rsa.file.task_name | This is used to capture name of the task | keyword |
+| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword |
+| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword |
+| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword |
+| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword |
+| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword |
+| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword |
+| rsa.identity.federated_idp | This
key is the federated Identity Provider. This is the server providing the authentication. | keyword |
+| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword |
+| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword |
+| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword |
+| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword |
+| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword |
+| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword |
+| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.
| keyword |
+| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.org | This key captures the User organization | keyword |
+| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword |
+| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword |
+| rsa.identity.profile | This key is used to capture the user profile | keyword |
+| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword |
+| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword |
+| rsa.identity.user_dept | User's Department Names only | keyword |
+| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword |
+| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword |
+| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword |
+| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword |
+| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.data | Deprecated key defined only in table map. | keyword |
+| rsa.internal.dead | Deprecated key defined only in table map. | long |
+| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_type_id | Deprecated key defined only in table map. | long |
+| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long |
+| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long |
+| rsa.internal.entry | Deprecated key defined only in table map.
| keyword |
+| rsa.internal.event_desc | | keyword |
+| rsa.internal.event_name | Deprecated key defined only in table map. | keyword |
+| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip |
+| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.hcode | Deprecated key defined only in table map. | keyword |
+| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.inode | Deprecated key defined only in table map. | long |
+| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date |
+| rsa.internal.level | Deprecated key defined only in table map. | long |
+| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long |
+| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long |
+| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long |
+| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long |
+| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long |
+| rsa.internal.message | This key captures the contents of instant messages | keyword |
+| rsa.internal.messageid | | keyword |
+| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword |
+| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.node_name | Deprecated key defined only in table map. | keyword |
+| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword |
+| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword |
+| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword |
+| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword |
+| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long |
+| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long |
+| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword |
+| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword |
+| rsa.internal.resource | Deprecated key defined only in table map.
| keyword |
+| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword |
+| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
+| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.site | Deprecated key defined only in table map. | keyword |
+| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
+| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.statement | Deprecated key defined only in table map. | keyword |
+| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date |
+| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long |
+| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream.
256 would mean all byte values of 0 thru 255 were seen at least once | long |
+| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword |
+| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword |
+| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword |
+| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword |
+| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword |
+| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword |
+| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword |
+| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword |
+| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword |
+| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword |
+| rsa.investigations.event_cat | This key captures the Event category number | long |
+| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword |
+| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.
| keyword |
+| rsa.investigations.inv_category | This used to capture investigation category | keyword |
+| rsa.investigations.inv_context | This used to capture investigation context | keyword |
+| rsa.investigations.ioc | This is key capture indicator of compromise | keyword |
+| rsa.misc.OS | This key captures the Name of the Operating System | keyword |
+| rsa.misc.acl_id | | keyword |
+| rsa.misc.acl_op | | keyword |
+| rsa.misc.acl_pos | | keyword |
+| rsa.misc.acl_table | | keyword |
+| rsa.misc.action | | keyword |
+| rsa.misc.admin | | keyword |
+| rsa.misc.agent_id | This key is used to capture agent id | keyword |
+| rsa.misc.alarm_id | | keyword |
+| rsa.misc.alarmname | | keyword |
+| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword |
+| rsa.misc.app_id | | keyword |
+| rsa.misc.audit | | keyword |
+| rsa.misc.audit_object | | keyword |
+| rsa.misc.auditdata | | keyword |
+| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword |
+| rsa.misc.benchmark | | keyword |
+| rsa.misc.bypass | | keyword |
+| rsa.misc.cache | | keyword |
+| rsa.misc.cache_hit | | keyword |
+| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword |
+| rsa.misc.cc_number | Valid Credit Card Numbers only | long |
+| rsa.misc.cefversion | | keyword |
+| rsa.misc.cfg_attr | | keyword |
+| rsa.misc.cfg_obj | | keyword |
+| rsa.misc.cfg_path | | keyword |
+| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword |
+| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword |
+| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword |
+| rsa.misc.changes | | keyword |
+| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword |
+| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword |
+| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword |
+| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword |
+| rsa.misc.client_ip | | keyword |
+| rsa.misc.clustermembers | | keyword |
+| rsa.misc.cmd | | keyword |
+| rsa.misc.cn_acttimeout | | keyword |
+| rsa.misc.cn_asn_src | | keyword |
+| rsa.misc.cn_bgpv4nxthop | | keyword |
+| rsa.misc.cn_ctr_dst_code | | keyword |
+| rsa.misc.cn_dst_tos | | keyword |
+| rsa.misc.cn_dst_vlan | | keyword |
+| rsa.misc.cn_engine_id | | keyword |
+| rsa.misc.cn_engine_type | | keyword |
+| rsa.misc.cn_f_switch | | keyword |
+| rsa.misc.cn_flowsampid | | keyword |
+| rsa.misc.cn_flowsampintv | | keyword |
+| rsa.misc.cn_flowsampmode | | keyword |
+| rsa.misc.cn_inacttimeout | | keyword |
+| rsa.misc.cn_inpermbyts | | keyword |
+| rsa.misc.cn_inpermpckts | | keyword |
+| rsa.misc.cn_invalid | | keyword |
+| rsa.misc.cn_ip_proto_ver | | keyword |
+| rsa.misc.cn_ipv4_ident | | keyword |
+| rsa.misc.cn_l_switch | | keyword |
+| rsa.misc.cn_log_did | | keyword |
+| rsa.misc.cn_log_rid | | keyword |
+| rsa.misc.cn_max_ttl | | keyword |
+| rsa.misc.cn_maxpcktlen | | keyword |
+| rsa.misc.cn_min_ttl | | keyword |
+| rsa.misc.cn_minpcktlen | | keyword |
+| rsa.misc.cn_mpls_lbl_1 | | keyword |
+| rsa.misc.cn_mpls_lbl_10 | | keyword |
+| rsa.misc.cn_mpls_lbl_2 | | keyword |
+| rsa.misc.cn_mpls_lbl_3 | | keyword |
+| rsa.misc.cn_mpls_lbl_4 | | keyword |
+| rsa.misc.cn_mpls_lbl_5 |
| keyword |
+| rsa.misc.cn_mpls_lbl_6 | | keyword |
+| rsa.misc.cn_mpls_lbl_7 | | keyword |
+| rsa.misc.cn_mpls_lbl_8 | | keyword |
+| rsa.misc.cn_mpls_lbl_9 | | keyword |
+| rsa.misc.cn_mplstoplabel | | keyword |
+| rsa.misc.cn_mplstoplabip | | keyword |
+| rsa.misc.cn_mul_dst_byt | | keyword |
+| rsa.misc.cn_mul_dst_pks | | keyword |
+| rsa.misc.cn_muligmptype | | keyword |
+| rsa.misc.cn_sampalgo | | keyword |
+| rsa.misc.cn_sampint | | keyword |
+| rsa.misc.cn_seqctr | | keyword |
+| rsa.misc.cn_spackets | | keyword |
+| rsa.misc.cn_src_tos | | keyword |
+| rsa.misc.cn_src_vlan | | keyword |
+| rsa.misc.cn_sysuptime | | keyword |
+| rsa.misc.cn_template_id | | keyword |
+| rsa.misc.cn_totbytsexp | | keyword |
+| rsa.misc.cn_totflowexp | | keyword |
+| rsa.misc.cn_totpcktsexp | | keyword |
+| rsa.misc.cn_unixnanosecs | | keyword |
+| rsa.misc.cn_v6flowlabel | | keyword |
+| rsa.misc.cn_v6optheaders | | keyword |
+| rsa.misc.code | | keyword |
+| rsa.misc.command | | keyword |
+| rsa.misc.comments | Comment information provided in the log message | keyword |
+| rsa.misc.comp_class | | keyword |
+| rsa.misc.comp_name | | keyword |
+| rsa.misc.comp_rbytes | | keyword |
+| rsa.misc.comp_sbytes | | keyword |
+| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword |
+| rsa.misc.connection_id | This key captures the Connection ID | keyword |
+| rsa.misc.content | This key captures the content type from protocol headers | keyword |
+| rsa.misc.content_type | This key is used to capture Content Type only. | keyword |
+| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword |
+| rsa.misc.context | This key captures Information which adds additional context to the event.
| keyword |
+| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword |
+| rsa.misc.context_target | | keyword |
+| rsa.misc.count | | keyword |
+| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long |
+| rsa.misc.cpu_data | | keyword |
+| rsa.misc.criticality | | keyword |
+| rsa.misc.cs_agency_dst | | keyword |
+| rsa.misc.cs_analyzedby | | keyword |
+| rsa.misc.cs_av_other | | keyword |
+| rsa.misc.cs_av_primary | | keyword |
+| rsa.misc.cs_av_secondary | | keyword |
+| rsa.misc.cs_bgpv6nxthop | | keyword |
+| rsa.misc.cs_bit9status | | keyword |
+| rsa.misc.cs_context | | keyword |
+| rsa.misc.cs_control | | keyword |
+| rsa.misc.cs_data | | keyword |
+| rsa.misc.cs_datecret | | keyword |
+| rsa.misc.cs_dst_tld | | keyword |
+| rsa.misc.cs_eth_dst_ven | | keyword |
+| rsa.misc.cs_eth_src_ven | | keyword |
+| rsa.misc.cs_event_uuid | | keyword |
+| rsa.misc.cs_filetype | | keyword |
+| rsa.misc.cs_fld | | keyword |
+| rsa.misc.cs_if_desc | | keyword |
+| rsa.misc.cs_if_name | | keyword |
+| rsa.misc.cs_ip_next_hop | | keyword |
+| rsa.misc.cs_ipv4dstpre | | keyword |
+| rsa.misc.cs_ipv4srcpre | | keyword |
+| rsa.misc.cs_lifetime | | keyword |
+| rsa.misc.cs_log_medium | | keyword |
+| rsa.misc.cs_loginname | | keyword |
+| rsa.misc.cs_modulescore | | keyword |
+| rsa.misc.cs_modulesign | | keyword |
+| rsa.misc.cs_opswatresult | | keyword |
+| rsa.misc.cs_payload | | keyword |
+| rsa.misc.cs_registrant | | keyword |
+| rsa.misc.cs_registrar | | keyword |
+| rsa.misc.cs_represult | | keyword |
+| rsa.misc.cs_rpayload | | keyword |
+| rsa.misc.cs_sampler_name | | keyword |
+| rsa.misc.cs_sourcemodule | | keyword |
+| rsa.misc.cs_streams | | keyword |
+| rsa.misc.cs_targetmodule | | keyword |
+| rsa.misc.cs_v6nxthop | | keyword |
+| rsa.misc.cs_whois_server | | keyword |
+| rsa.misc.cs_yararesult | | keyword |
+| rsa.misc.cve | This key captures
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword |
+| rsa.misc.data_type | | keyword |
+| rsa.misc.description | | keyword |
+| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword |
+| rsa.misc.devvendor | | keyword |
+| rsa.misc.disposition | This key captures the The end state of an action. | keyword |
+| rsa.misc.distance | | keyword |
+| rsa.misc.doc_number | This key captures File Identification number | long |
+| rsa.misc.dstburb | | keyword |
+| rsa.misc.edomain | | keyword |
+| rsa.misc.edomaub | | keyword |
+| rsa.misc.ein_number | Employee Identification Numbers only | long |
+| rsa.misc.error | This key captures All non successful Error codes or responses | keyword |
+| rsa.misc.euid | | keyword |
+| rsa.misc.event_category | | keyword |
+| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword |
+| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword |
+| rsa.misc.event_id | | keyword |
+| rsa.misc.event_log | This key captures the Name of the event log | keyword |
+| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword |
+| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword |
+| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword |
+| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword |
+| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log).
| keyword |
+| rsa.misc.facility | | keyword |
+| rsa.misc.facilityname | | keyword |
+| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword |
+| rsa.misc.filter | This key captures Filter used to reduce result set | keyword |
+| rsa.misc.finterface | | keyword |
+| rsa.misc.flags | | keyword |
+| rsa.misc.forensic_info | | keyword |
+| rsa.misc.found | This is used to capture the results of regex match | keyword |
+| rsa.misc.fresult | This key captures the Filter Result | long |
+| rsa.misc.gaddr | | keyword |
+| rsa.misc.group | This key captures the Group Name value | keyword |
+| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword |
+| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword |
+| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword |
+| rsa.misc.id3 | | keyword |
+| rsa.misc.im_buddyid | | keyword |
+| rsa.misc.im_buddyname | | keyword |
+| rsa.misc.im_client | | keyword |
+| rsa.misc.im_croomid | | keyword |
+| rsa.misc.im_croomtype | | keyword |
+| rsa.misc.im_members | | keyword |
+| rsa.misc.im_userid | | keyword |
+| rsa.misc.im_username | | keyword |
+| rsa.misc.index | | keyword |
+| rsa.misc.inout | | keyword |
+| rsa.misc.ipkt | | keyword |
+| rsa.misc.ipscat | | keyword |
+| rsa.misc.ipspri | | keyword |
+| rsa.misc.job_num | This key captures the Job Number | keyword |
+| rsa.misc.jobname | | keyword |
+| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword |
+| rsa.misc.latitude | | keyword |
+| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword |
+| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long |
+| rsa.misc.linenum | | keyword |
+| rsa.misc.link | This key is used to link the sessions together.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.misc.list_name | | keyword | +| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | +| rsa.misc.load_data | | keyword | +| rsa.misc.location_floor | | keyword | +| rsa.misc.location_mark | | keyword | +| rsa.misc.log_id | | keyword | +| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | +| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | +| rsa.misc.log_type | | keyword | +| rsa.misc.logid | | keyword | +| rsa.misc.logip | | keyword | +| rsa.misc.logname | | keyword | +| rsa.misc.longitude | | keyword | +| rsa.misc.lport | | keyword | +| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | +| rsa.misc.match | This key is for regex match name from search.ini | keyword | +| rsa.misc.mbug_data | | keyword | +| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | +| rsa.misc.misc | | keyword | +| rsa.misc.misc_name | | keyword | +| rsa.misc.mode | | keyword | +| rsa.misc.msgIdPart1 | | keyword | +| rsa.misc.msgIdPart2 | | keyword | +| rsa.misc.msgIdPart3 | | keyword | +| rsa.misc.msgIdPart4 | | keyword | +| rsa.misc.msg_type | | keyword | +| rsa.misc.msgid | | keyword | +| rsa.misc.name | | keyword | +| rsa.misc.netsessid | | keyword | +| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long 
| +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target **VMWARE** only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | +| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | +| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | +| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | +| rsa.threat.alert | This key is used to capture name of the alert | keyword | +| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | +| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | +| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | +| rsa.time.date | | keyword | +| rsa.time.datetime | | keyword | +| rsa.time.day | | keyword | +| rsa.time.duration_str | A text string version of the duration | keyword | +| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | +| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | +| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | +| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | +| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | +| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | +| rsa.time.eventtime | | keyword | +| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | +| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | +| rsa.time.gmtdate | | keyword | +| rsa.time.gmttime | | keyword | +| rsa.time.hour | | keyword | +| rsa.time.min | | keyword | +| rsa.time.month | | keyword | +| rsa.time.p_date | | keyword | +| rsa.time.p_month | | keyword | +| rsa.time.p_time | | keyword | +| rsa.time.p_time1 | | keyword | +| rsa.time.p_time2 | | keyword | +| rsa.time.p_year | | keyword | +| rsa.time.process_time | Deprecated, use duration.time | keyword | +| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | +| rsa.time.stamp | Deprecated key defined only in table map. | date | +| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | +| rsa.time.timestamp | | keyword | +| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | +| rsa.time.tzone | | keyword | +| rsa.time.year | | keyword | +| rsa.web.alias_host | | keyword | +| rsa.web.cn_asn_dst | | keyword | +| rsa.web.cn_rpackets | | keyword | +| rsa.web.fqdn | Fully Qualified Domain Names | keyword | +| rsa.web.p_url | | keyword | +| rsa.web.p_user_agent | | keyword | +| rsa.web.p_web_cookie | | keyword | +| rsa.web.p_web_method | | keyword | +| rsa.web.p_web_referer | | keyword | +| rsa.web.remote_domain | | keyword | +| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | +| rsa.web.urlpage | | keyword | +| rsa.web.urlroot | | keyword | +| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | Server domain. | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | Source domain. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location.lat | | double | +| source.geo.location.lon | | double | +| source.ip | IP address of the source. Can be one or multiple IPv4 or IPv6 addresses. 
| ip | +| source.mac | MAC address of the source. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword | +| url.path | Path of the request, such as "/search". | keyword | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.id | Unique identifiers of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user_agent.original | Unparsed user_agent string. | keyword |
diff --git a/packages/netscout/0.1.0/img/logo.svg b/packages/netscout/0.1.0/img/logo.svg
new file mode 100644
index 0000000000..cbd25cd925
--- /dev/null
+++ b/packages/netscout/0.1.0/img/logo.svg
@@ -0,0 +1,7 @@
+
+
+
+
+
+
+
diff --git a/packages/netscout/0.1.0/manifest.yml b/packages/netscout/0.1.0/manifest.yml
new file mode 100644
index 0000000000..1ecc15b584
--- /dev/null
+++ b/packages/netscout/0.1.0/manifest.yml
@@ -0,0 +1,36 @@
+format_version: 1.0.0
+name: netscout
+title: Arbor Peakflow SP
+version: 0.1.0
+description: Arbor Peakflow SP Integration
+categories: ["security"]
+release: experimental
+removable: true
+license: basic
+type: integration
+conditions:
+ kibana:
+ version: '>=7.9.0'
+ elasticsearch:
+ version: '>=7.9.0'
+config_templates:
+- name: sightline
+ title: Arbor Peakflow SP
+ description: Collect Arbor Peakflow SP logs from syslog or a file.
+ inputs:
+ - type: udp
+ title: Collect logs from Arbor Peakflow SP via UDP
+ description: Collecting syslog from Arbor Peakflow SP via UDP
+ - type: tcp
+ title: Collect logs from Arbor Peakflow SP via TCP
+ description: Collecting syslog from Arbor Peakflow SP via TCP
+ - type: file
+ title: Collect logs from Arbor Peakflow SP via file
+ description: Collecting syslog from Arbor Peakflow SP via file.
+# No icon
+icons:
+ - src: /img/logo.svg
+ title: Arbor Peakflow SP logo
+ size: 32x32
+ type: image/svg+xml
+
diff --git a/packages/radware/0.1.0/dataset/defensepro/agent/stream/stream.yml.hbs b/packages/radware/0.1.0/dataset/defensepro/agent/stream/stream.yml.hbs
new file mode 100644
index 0000000000..4822126ac1
--- /dev/null
+++ b/packages/radware/0.1.0/dataset/defensepro/agent/stream/stream.yml.hbs
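Review bot: The `# No icon` comment placed directly above `icons:` in the new netscout manifest contradicts the block it introduces, which registers `/img/logo.svg` — a file this same commit adds. The comment looks like a leftover from a template and will mislead the next maintainer into thinking the logo entry is inert; drop it, or reword it to something like `# Package logo, served from /img/logo.svg`. As a minor wording point, the three input `description` values are punctuated inconsistently (`via file.` ends with a period while the UDP and TCP entries do not), so the strings shown in the UI will differ in form; pick one style for all three.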
@@ -0,0 +1,3284 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Radware" + product: "DefensePro" + type: "IDS" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld2->} %{severity->} %{id->} %{category->} \"%{event_type}\" %{protocol->} %{p0}"); + + var dup2 = match("MESSAGE#0:Intrusions:01/1_0", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + + var dup3 = match("MESSAGE#0:Intrusions:01/1_1", "nwparser.p0", "%{saddr->} %{sport->} %{p0}"); + + var dup4 = match("MESSAGE#0:Intrusions:01/2_0", "nwparser.p0", "%{daddr}:%{dport->} %{p0}"); + + var dup5 = match("MESSAGE#0:Intrusions:01/2_1", "nwparser.p0", "%{daddr->} %{dport->} %{p0}"); + + var dup6 = match("MESSAGE#0:Intrusions:01/3", "nwparser.p0", "%{interface->} %{context->} \"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); + + var dup7 = match("MESSAGE#0:Intrusions:01/4_0", "nwparser.p0", "%{action->} %{sigid_string}"); + + var dup8 = match("MESSAGE#0:Intrusions:01/4_1", "nwparser.p0", "%{action}"); + + var dup9 = setc("eventcategory","1001000000"); + + var dup10 = setc("ec_theme","TEV"); + + var dup11 = setf("msg","$MSG"); + + var dup12 = date_time({ + dest: "event_time", + args: ["fld1","fld2"], + fmts: [ + [dF,dc("-"),dG,dc("-"),dW,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup13 = setc("dclass_counter1_string","Bandwidth in Kbps"); + + var dup14 = match("MESSAGE#1:Intrusions:02/0", "nwparser.payload", "%{id->} %{category->} \\\"%{event_type}\\\" %{protocol->} %{p0}"); + + var dup15 = match("MESSAGE#1:Intrusions:02/3", "nwparser.p0", "%{interface->} %{context->} \\\"%{policyname}\\\" %{event_state->} %{packets->} %{dclass_counter1->} %{fld1->} %{risk->} %{action->} %{vlan->} %{fld15->} %{fld16->} %{direction}"); + + var dup16 = setc("eventcategory","1002000000"); + + var dup17 = setc("ec_subject","NetworkComm"); + + var dup18 = setc("ec_activity","Scan"); + + var dup19 = setc("eventcategory","1401000000"); + + var dup20 = setc("ec_subject","User"); + + var dup21 = setc("ec_theme","ALM"); + + 
var dup22 = setc("ec_activity","Modify"); + + var dup23 = setc("ec_theme","Configuration"); + + var dup24 = setc("eventcategory","1612000000"); + + var dup25 = match("MESSAGE#22:Login:04/1_0", "nwparser.p0", "for user%{p0}"); + + var dup26 = match("MESSAGE#22:Login:04/1_1", "nwparser.p0", "user%{p0}"); + + var dup27 = match("MESSAGE#22:Login:04/2", "nwparser.p0", "%{} %{username->} via %{network_service->} (IP: %{saddr})%{p0}"); + + var dup28 = match("MESSAGE#22:Login:04/3_0", "nwparser.p0", ": %{result}"); + + var dup29 = match("MESSAGE#22:Login:04/3_1", "nwparser.p0", "%{result}"); + + var dup30 = setc("eventcategory","1401030000"); + + var dup31 = setc("ec_activity","Logon"); + + var dup32 = setc("ec_theme","Authentication"); + + var dup33 = setc("ec_outcome","Failure"); + + var dup34 = setc("event_description","Login Failed"); + + var dup35 = setc("ec_outcome","Error"); + + var dup36 = setc("eventcategory","1603000000"); + + var dup37 = setc("ec_theme","AccessControl"); + + var dup38 = setc("eventcategory","1401060000"); + + var dup39 = setc("ec_outcome","Success"); + + var dup40 = setc("event_description","User logged in"); + + var dup41 = linear_select([ + dup2, + dup3, + ]); + + var dup42 = linear_select([ + dup4, + dup5, + ]); + + var dup43 = linear_select([ + dup7, + dup8, + ]); + + var dup44 = linear_select([ + dup25, + dup26, + ]); + + var dup45 = linear_select([ + dup28, + dup29, + ]); + + var dup46 = all_match({ + processors: [ + dup1, + dup41, + dup42, + dup6, + dup43, + ], + on_success: processor_chain([ + dup9, + dup10, + dup11, + dup12, + dup13, + ]), + }); + + var dup47 = all_match({ + processors: [ + dup14, + dup41, + dup42, + dup15, + ], + on_success: processor_chain([ + dup9, + dup10, + dup11, + dup13, + ]), + }); + + var dup48 = all_match({ + processors: [ + dup1, + dup41, + dup42, + dup6, + dup43, + ], + on_success: processor_chain([ + dup16, + dup10, + dup11, + dup12, + dup13, + ]), + }); + + var dup49 = all_match({ + processors: [ + dup14, 
+ dup41, + dup42, + dup15, + ], + on_success: processor_chain([ + dup16, + dup10, + dup11, + dup13, + ]), + }); + + var hdr1 = match("HEADER#0:0001", "message", "%DefensePro %{hfld1->} %{hfld2->} %{hfld3->} %{messageid->} \\\"%{hfld4}\\\" %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld3"), + constant(" "), + field("messageid"), + constant(" \\\""), + field("hfld4"), + constant("\\\" "), + field("payload"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%DefensePro %{messageid->} %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "DefensePro: %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{messageid->} \"%{hfld3}\" %{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("messageid"), + constant(" \""), + field("hfld3"), + constant("\" "), + field("payload"), + ], + }), + ])); + + var hdr4 = match("HEADER#3:0004", "message", "DefensePro: %{hdate->} %{htime->} %{hfld1->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var msg1 = msg("Intrusions:01", dup46); + + var msg2 = msg("Intrusions:02", dup47); + + var select2 = linear_select([ + msg1, + msg2, + ]); + + var msg3 = msg("SynFlood:01", dup48); + + var msg4 = 
msg("Behavioral-DoS:01", dup48); + + var msg5 = msg("Behavioral-DoS:02", dup49); + + var select3 = linear_select([ + msg4, + msg5, + ]); + + var all1 = all_match({ + processors: [ + dup1, + dup41, + dup42, + dup6, + dup43, + ], + on_success: processor_chain([ + dup9, + dup17, + dup18, + dup10, + dup11, + dup12, + dup13, + ]), + }); + + var msg6 = msg("Anti-Scanning:01", all1); + + var all2 = all_match({ + processors: [ + dup14, + dup41, + dup42, + dup15, + ], + on_success: processor_chain([ + dup9, + dup17, + dup18, + dup10, + dup11, + dup13, + ]), + }); + + var msg7 = msg("Anti-Scanning:02", all2); + + var select4 = linear_select([ + msg6, + msg7, + ]); + + var msg8 = msg("DoS:01", dup48); + + var all3 = all_match({ + processors: [ + dup14, + dup41, + dup42, + dup15, + ], + on_success: processor_chain([ + dup16, + dup17, + dup18, + dup10, + dup11, + dup13, + ]), + }); + + var msg9 = msg("DoS:02", all3); + + var select5 = linear_select([ + msg8, + msg9, + ]); + + var msg10 = msg("Cracking-Protection:01", dup46); + + var msg11 = msg("Cracking-Protection:02", dup47); + + var select6 = linear_select([ + msg10, + msg11, + ]); + + var msg12 = msg("Anomalies:01", dup48); + + var msg13 = msg("Anomalies:02", dup49); + + var select7 = linear_select([ + msg12, + msg13, + ]); + + var msg14 = msg("HttpFlood:01", dup48); + + var msg15 = msg("HttpFlood:02", dup49); + + var select8 = linear_select([ + msg14, + msg15, + ]); + + var part1 = match("MESSAGE#15:COMMAND:", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} COMMAND: \"%{action}\" by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ + dup19, + dup20, + setc("ec_activity","Execute"), + dup21, + dup11, + dup12, + ])); + + var msg16 = msg("COMMAND:", part1); + + var part2 = match("MESSAGE#16:Configuration:01", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{event_description->} set %{change_new}, Old Values: %{change_old}, ACTION: %{action->} by user %{username->} via 
%{network_service->} source IP %{saddr}", processor_chain([ + dup19, + dup20, + dup22, + dup23, + dup11, + dup12, + ])); + + var msg17 = msg("Configuration:01", part2); + + var part3 = match("MESSAGE#17:Configuration:02", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{event_description}, ACTION: %{action->} by user %{username->} via %{network_service->} source IP %{saddr}", processor_chain([ + dup19, + dup20, + dup23, + dup11, + dup12, + ])); + + var msg18 = msg("Configuration:02", part3); + + var part4 = match("MESSAGE#18:Configuration:03", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration File downloaded from device by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ + dup19, + dup20, + dup23, + dup11, + setc("event_description","Configuration File downloaded"), + dup12, + ])); + + var msg19 = msg("Configuration:03", part4); + + var part5 = match("MESSAGE#19:Configuration:04", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration Upload has been completed", processor_chain([ + dup24, + dup23, + dup11, + setc("event_description","Configuration Upload has been completed"), + dup12, + ])); + + var msg20 = msg("Configuration:04", part5); + + var part6 = match("MESSAGE#20:Configuration:05", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration Download has been completed", processor_chain([ + dup24, + dup23, + dup11, + setc("event_description","Configuration Download has been completed"), + dup12, + ])); + + var msg21 = msg("Configuration:05", part6); + + var part7 = match("MESSAGE#21:Configuration:06", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration file has been modified. Device may fail to load configuration file!", processor_chain([ + dup24, + dup22, + dup23, + dup11, + setc("event_description","Configuration file has been modified. 
Device may fail to load configuration file!"), + dup12, + ])); + + var msg22 = msg("Configuration:06", part7); + + var select9 = linear_select([ + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + ]); + + var part8 = match("MESSAGE#22:Login:04/0", "nwparser.payload", "Login failed %{p0}"); + + var all4 = all_match({ + processors: [ + part8, + dup44, + dup27, + dup45, + ], + on_success: processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup33, + dup11, + dup34, + ]), + }); + + var msg23 = msg("Login:04", all4); + + var part9 = match("MESSAGE#23:Login:05", "nwparser.payload", "Login locked user %{username->} (IP: %{saddr}): %{result}", processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup35, + dup11, + setc("event_description","Login Locked"), + ])); + + var msg24 = msg("Login:05", part9); + + var part10 = match("MESSAGE#24:Login:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Login failed %{p0}"); + + var all5 = all_match({ + processors: [ + part10, + dup44, + dup27, + dup45, + ], + on_success: processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup33, + dup11, + dup34, + dup12, + ]), + }); + + var msg25 = msg("Login:01", all5); + + var part11 = match("MESSAGE#25:Login:02", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Login failed via %{network_service->} (IP: %{saddr}): %{result}", processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup33, + dup11, + dup34, + dup12, + ])); + + var msg26 = msg("Login:02", part11); + + var part12 = match("MESSAGE#26:Login:03", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Login locked user %{username->} (IP: %{saddr}): %{result}", processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup35, + dup11, + dup34, + dup12, + ])); + + var msg27 = msg("Login:03", part12); + + var select10 = linear_select([ + msg23, + msg24, + msg25, + msg26, + msg27, + ]); + + var part13 = match("MESSAGE#27:Connection", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Connection to NTP server 
timed out", processor_chain([ + dup36, + dup21, + dup11, + setc("event_description","Connection to NTP server timed out"), + dup12, + ])); + + var msg28 = msg("Connection", part13); + + var part14 = match("MESSAGE#28:Device", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Device was rebooted by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ + dup19, + dup20, + dup21, + dup11, + setc("event_description","Device was rebooted"), + dup12, + ])); + + var msg29 = msg("Device", part14); + + var part15 = match("MESSAGE#29:Power", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Power supply fully operational", processor_chain([ + dup24, + dup21, + dup11, + setc("event_description","Power supply fully operational"), + dup12, + ])); + + var msg30 = msg("Power", part15); + + var part16 = match("MESSAGE#30:Cold", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Cold Start", processor_chain([ + dup24, + setc("ec_activity","Start"), + dup21, + dup11, + setc("event_description","Cold Start"), + dup12, + ])); + + var msg31 = msg("Cold", part16); + + var part17 = match("MESSAGE#31:Port/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Port %{interface->} %{p0}"); + + var part18 = match("MESSAGE#31:Port/1_0", "nwparser.p0", "Down%{}"); + + var part19 = match("MESSAGE#31:Port/1_1", "nwparser.p0", "Up %{}"); + + var select11 = linear_select([ + part18, + part19, + ]); + + var all6 = all_match({ + processors: [ + part17, + select11, + ], + on_success: processor_chain([ + dup24, + dup21, + dup11, + setc("event_description","Port Status Change"), + dup12, + ]), + }); + + var msg32 = msg("Port", all6); + + var part20 = match("MESSAGE#32:DefensePro", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} DefensePro was powered off", processor_chain([ + dup24, + dup21, + dup11, + setc("event_description","DefensePro Powered off"), + dup12, + ])); + + var msg33 = msg("DefensePro", part20); + + var part21 = 
match("MESSAGE#33:Access:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{id->} %{category->} \"%{event_type}\" %{protocol->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{interface->} %{context->} \"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); + + var all7 = all_match({ + processors: [ + part21, + dup43, + ], + on_success: processor_chain([ + dup36, + dup37, + dup11, + dup12, + ]), + }); + + var msg34 = msg("Access:01", all7); + + var part22 = match("MESSAGE#34:Access", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Access attempted by unauthorized NMS, Community: %{fld3}, IP: \"%{saddr}\"", processor_chain([ + dup36, + dup37, + dup11, + setc("event_description","Access attempted by unauthorized NMS"), + dup12, + ])); + + var msg35 = msg("Access", part22); + + var select12 = linear_select([ + msg34, + msg35, + ]); + + var part23 = match("MESSAGE#35:Please", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Please reboot the device for the latest changes to take effect", processor_chain([ + dup19, + dup21, + dup11, + setc("event_description","Reboot required for latest changes"), + dup12, + ])); + + var msg36 = msg("Please", part23); + + var part24 = match("MESSAGE#36:User:01", "nwparser.payload", "User %{username->} logged in via %{network_service->} (IP: %{saddr})", processor_chain([ + dup38, + dup20, + dup31, + dup32, + dup39, + dup11, + dup40, + ])); + + var msg37 = msg("User:01", part24); + + var part25 = match("MESSAGE#37:User", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} User %{username->} logged in via %{network_service->} (IP: %{saddr})", processor_chain([ + dup38, + dup20, + dup31, + dup32, + dup39, + dup11, + dup40, + dup12, + ])); + + var msg38 = msg("User", part25); + + var select13 = linear_select([ + msg37, + msg38, + ]); + + var part26 = match("MESSAGE#38:Certificate", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Certificate 
named %{fld3->} expired on %{fld4->} %{fld5}", processor_chain([
+ dup19,
+ dup11,
+ setc("event_description","Certificate expired"),
+ dup12,
+ date_time({
+ dest: "endtime",
+ args: ["fld5"],
+ fmts: [
+ [dB,dF,dH,dc(":"),dU,dc(":"),dO,dW],
+ ],
+ }),
+ ]));
+
+ var msg39 = msg("Certificate", part26);
+
+ var part27 = match("MESSAGE#39:Vision", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Vision %{event_description->} by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([
+ dup19,
+ dup11,
+ dup12,
+ ]));
+
+ var msg40 = msg("Vision", part27);
+
+ var part28 = match("MESSAGE#40:Updating", "nwparser.payload", "Updating policy database%{fld1}", processor_chain([
+ dup24,
+ dup21,
+ dup11,
+ setc("event_description","Updating policy database"),
+ ]));
+
+ var msg41 = msg("Updating", part28);
+
+ var part29 = match("MESSAGE#41:Policy", "nwparser.payload", "Policy database updated successfully.%{}", processor_chain([
+ dup24,
+ dup23,
+ dup39,
+ dup11,
+ setc("event_description","Policy database updated successfully"),
+ ]));
+
+ var msg42 = msg("Policy", part29);
+
+ var chain1 = processor_chain([
+ select1,
+ msgid_select({
+ "Access": select12,
+ "Anomalies": select7,
+ "Anti-Scanning": select4,
+ "Behavioral-DoS": select3,
+ "COMMAND:": msg16,
+ "Certificate": msg39,
+ "Cold": msg31,
+ "Configuration": select9,
+ "Connection": msg28,
+ "Cracking-Protection": select6,
+ "DefensePro": msg33,
+ "Device": msg29,
+ "DoS": select5,
+ "HttpFlood": select8,
+ "Intrusions": select2,
+ "Login": select10,
+ "Please": msg36,
+ "Policy": msg42,
+ "Port": msg32,
+ "Power": msg30,
+ "SynFlood": msg3,
+ "Updating": msg41,
+ "User": select13,
+ "Vision": msg40,
+ }),
+ ]);
+
+ var part30 = match("MESSAGE#0:Intrusions:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{id->} %{category->} \"%{event_type}\" %{protocol->} %{p0}");
+
+ var part31 = match("MESSAGE#0:Intrusions:01/1_0", "nwparser.p0", "%{saddr}:%{sport->} %{p0}");
+
+ var part32 = match("MESSAGE#0:Intrusions:01/1_1", "nwparser.p0", "%{saddr->} %{sport->} %{p0}");
+
+ var part33 = match("MESSAGE#0:Intrusions:01/2_0", "nwparser.p0", "%{daddr}:%{dport->} %{p0}");
+
+ var part34 = match("MESSAGE#0:Intrusions:01/2_1", "nwparser.p0", "%{daddr->} %{dport->} %{p0}");
+
+ var part35 = match("MESSAGE#0:Intrusions:01/3", "nwparser.p0", "%{interface->} %{context->} \"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}");
+
+ var part36 = match("MESSAGE#0:Intrusions:01/4_0", "nwparser.p0", "%{action->} %{sigid_string}");
+
+ var part37 = match("MESSAGE#0:Intrusions:01/4_1", "nwparser.p0", "%{action}");
+
+ var part38 = match("MESSAGE#1:Intrusions:02/0", "nwparser.payload", "%{id->} %{category->} \\\"%{event_type}\\\" %{protocol->} %{p0}");
+
+ var part39 = match("MESSAGE#1:Intrusions:02/3", "nwparser.p0", "%{interface->} %{context->} \\\"%{policyname}\\\" %{event_state->} %{packets->} %{dclass_counter1->} %{fld1->} %{risk->} %{action->} %{vlan->} %{fld15->} %{fld16->} %{direction}");
+
+ var part40 = match("MESSAGE#22:Login:04/1_0", "nwparser.p0", "for user%{p0}");
+
+ var part41 = match("MESSAGE#22:Login:04/1_1", "nwparser.p0", "user%{p0}");
+
+ var part42 = match("MESSAGE#22:Login:04/2", "nwparser.p0", "%{} %{username->} via %{network_service->} (IP: %{saddr})%{p0}");
+
+ var part43 = match("MESSAGE#22:Login:04/3_0", "nwparser.p0", ": %{result}");
+
+ var part44 = match("MESSAGE#22:Login:04/3_1", "nwparser.p0", "%{result}");
+
+ var select14 = linear_select([
+ dup2,
+ dup3,
+ ]);
+
+ var select15 = linear_select([
+ dup4,
+ dup5,
+ ]);
+
+ var select16 = linear_select([
+ dup7,
+ dup8,
+ ]);
+
+ var select17 = linear_select([
+ dup25,
+ dup26,
+ ]);
+
+ var select18 = linear_select([
+ dup28,
+ dup29,
+ ]);
+
+ var all8 = all_match({
+ processors: [
+ dup1,
+ dup41,
+ dup42,
+ dup6,
+ dup43,
+ ],
+ on_success: processor_chain([
+ dup9,
+ dup10,
+ dup11,
+ dup12,
+ dup13,
+ ]),
+ });
+
+ var all9 = all_match({
+ processors: [
+ dup14,
+ dup41,
+ dup42,
+ dup15,
+ ],
+ on_success: processor_chain([
+ dup9,
+ dup10,
+ dup11,
+ dup13,
+ ]),
+ });
+
+ var all10 = all_match({
+ processors: [
+ dup1,
+ dup41,
+ dup42,
+ dup6,
+ dup43,
+ ],
+ on_success: processor_chain([
+ dup16,
+ dup10,
+ dup11,
+ dup12,
+ dup13,
+ ]),
+ });
+
+ var all11 = all_match({
+ processors: [
+ dup14,
+ dup41,
+ dup42,
+ dup15,
+ ],
+ on_success: processor_chain([
+ dup16,
+ dup10,
+ dup11,
+ dup13,
+ ]),
+ });
+
+- community_id:
+- add_locale: ~
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/packages/radware/0.1.0/dataset/defensepro/agent/stream/tcp.yml.hbs b/packages/radware/0.1.0/dataset/defensepro/agent/stream/tcp.yml.hbs
new file mode 100644
index 0000000000..9913943042
--- /dev/null
+++ b/packages/radware/0.1.0/dataset/defensepro/agent/stream/tcp.yml.hbs
@@ -0,0 +1,3281 @@ +tcp: +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Radware" + product: "DefensePro" + type: "IDS" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld2->} %{severity->} %{id->} %{category->} \"%{event_type}\" %{protocol->} %{p0}"); + + var dup2 = match("MESSAGE#0:Intrusions:01/1_0", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + + var dup3 = match("MESSAGE#0:Intrusions:01/1_1", "nwparser.p0", "%{saddr->} %{sport->} %{p0}"); + + var dup4 = match("MESSAGE#0:Intrusions:01/2_0", "nwparser.p0", "%{daddr}:%{dport->} %{p0}"); + + var dup5 = match("MESSAGE#0:Intrusions:01/2_1", "nwparser.p0", "%{daddr->} %{dport->} %{p0}"); + + var dup6 = match("MESSAGE#0:Intrusions:01/3", "nwparser.p0", "%{interface->} %{context->} \"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); + + var dup7 = match("MESSAGE#0:Intrusions:01/4_0", "nwparser.p0", "%{action->} %{sigid_string}"); + + var dup8 = match("MESSAGE#0:Intrusions:01/4_1", "nwparser.p0", "%{action}"); + + var dup9 = setc("eventcategory","1001000000"); + + var dup10 = setc("ec_theme","TEV"); + + var dup11 = setf("msg","$MSG"); + + var dup12 = date_time({ + dest: "event_time", + args: ["fld1","fld2"], + fmts: [ + [dF,dc("-"),dG,dc("-"),dW,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup13 = setc("dclass_counter1_string","Bandwidth in Kbps"); + + var dup14 = match("MESSAGE#1:Intrusions:02/0", "nwparser.payload", "%{id->} %{category->} \\\"%{event_type}\\\" %{protocol->} %{p0}"); + + var dup15 = match("MESSAGE#1:Intrusions:02/3", "nwparser.p0", "%{interface->} %{context->} \\\"%{policyname}\\\" %{event_state->} %{packets->} %{dclass_counter1->} %{fld1->} %{risk->} %{action->} %{vlan->} %{fld15->} %{fld16->} %{direction}"); + + var dup16 = setc("eventcategory","1002000000"); + + var dup17 = setc("ec_subject","NetworkComm"); + + var dup18 = setc("ec_activity","Scan"); + + var dup19 = setc("eventcategory","1401000000"); + + var dup20 = setc("ec_subject","User"); + + var dup21 = setc("ec_theme","ALM"); + + 
var dup22 = setc("ec_activity","Modify"); + + var dup23 = setc("ec_theme","Configuration"); + + var dup24 = setc("eventcategory","1612000000"); + + var dup25 = match("MESSAGE#22:Login:04/1_0", "nwparser.p0", "for user%{p0}"); + + var dup26 = match("MESSAGE#22:Login:04/1_1", "nwparser.p0", "user%{p0}"); + + var dup27 = match("MESSAGE#22:Login:04/2", "nwparser.p0", "%{} %{username->} via %{network_service->} (IP: %{saddr})%{p0}"); + + var dup28 = match("MESSAGE#22:Login:04/3_0", "nwparser.p0", ": %{result}"); + + var dup29 = match("MESSAGE#22:Login:04/3_1", "nwparser.p0", "%{result}"); + + var dup30 = setc("eventcategory","1401030000"); + + var dup31 = setc("ec_activity","Logon"); + + var dup32 = setc("ec_theme","Authentication"); + + var dup33 = setc("ec_outcome","Failure"); + + var dup34 = setc("event_description","Login Failed"); + + var dup35 = setc("ec_outcome","Error"); + + var dup36 = setc("eventcategory","1603000000"); + + var dup37 = setc("ec_theme","AccessControl"); + + var dup38 = setc("eventcategory","1401060000"); + + var dup39 = setc("ec_outcome","Success"); + + var dup40 = setc("event_description","User logged in"); + + var dup41 = linear_select([ + dup2, + dup3, + ]); + + var dup42 = linear_select([ + dup4, + dup5, + ]); + + var dup43 = linear_select([ + dup7, + dup8, + ]); + + var dup44 = linear_select([ + dup25, + dup26, + ]); + + var dup45 = linear_select([ + dup28, + dup29, + ]); + + var dup46 = all_match({ + processors: [ + dup1, + dup41, + dup42, + dup6, + dup43, + ], + on_success: processor_chain([ + dup9, + dup10, + dup11, + dup12, + dup13, + ]), + }); + + var dup47 = all_match({ + processors: [ + dup14, + dup41, + dup42, + dup15, + ], + on_success: processor_chain([ + dup9, + dup10, + dup11, + dup13, + ]), + }); + + var dup48 = all_match({ + processors: [ + dup1, + dup41, + dup42, + dup6, + dup43, + ], + on_success: processor_chain([ + dup16, + dup10, + dup11, + dup12, + dup13, + ]), + }); + + var dup49 = all_match({ + processors: [ + dup14, 
+ dup41, + dup42, + dup15, + ], + on_success: processor_chain([ + dup16, + dup10, + dup11, + dup13, + ]), + }); + + var hdr1 = match("HEADER#0:0001", "message", "%DefensePro %{hfld1->} %{hfld2->} %{hfld3->} %{messageid->} \\\"%{hfld4}\\\" %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld3"), + constant(" "), + field("messageid"), + constant(" \\\""), + field("hfld4"), + constant("\\\" "), + field("payload"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%DefensePro %{messageid->} %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "DefensePro: %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{messageid->} \"%{hfld3}\" %{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("messageid"), + constant(" \""), + field("hfld3"), + constant("\" "), + field("payload"), + ], + }), + ])); + + var hdr4 = match("HEADER#3:0004", "message", "DefensePro: %{hdate->} %{htime->} %{hfld1->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var msg1 = msg("Intrusions:01", dup46); + + var msg2 = msg("Intrusions:02", dup47); + + var select2 = linear_select([ + msg1, + msg2, + ]); + + var msg3 = msg("SynFlood:01", dup48); + + var msg4 = 
msg("Behavioral-DoS:01", dup48); + + var msg5 = msg("Behavioral-DoS:02", dup49); + + var select3 = linear_select([ + msg4, + msg5, + ]); + + var all1 = all_match({ + processors: [ + dup1, + dup41, + dup42, + dup6, + dup43, + ], + on_success: processor_chain([ + dup9, + dup17, + dup18, + dup10, + dup11, + dup12, + dup13, + ]), + }); + + var msg6 = msg("Anti-Scanning:01", all1); + + var all2 = all_match({ + processors: [ + dup14, + dup41, + dup42, + dup15, + ], + on_success: processor_chain([ + dup9, + dup17, + dup18, + dup10, + dup11, + dup13, + ]), + }); + + var msg7 = msg("Anti-Scanning:02", all2); + + var select4 = linear_select([ + msg6, + msg7, + ]); + + var msg8 = msg("DoS:01", dup48); + + var all3 = all_match({ + processors: [ + dup14, + dup41, + dup42, + dup15, + ], + on_success: processor_chain([ + dup16, + dup17, + dup18, + dup10, + dup11, + dup13, + ]), + }); + + var msg9 = msg("DoS:02", all3); + + var select5 = linear_select([ + msg8, + msg9, + ]); + + var msg10 = msg("Cracking-Protection:01", dup46); + + var msg11 = msg("Cracking-Protection:02", dup47); + + var select6 = linear_select([ + msg10, + msg11, + ]); + + var msg12 = msg("Anomalies:01", dup48); + + var msg13 = msg("Anomalies:02", dup49); + + var select7 = linear_select([ + msg12, + msg13, + ]); + + var msg14 = msg("HttpFlood:01", dup48); + + var msg15 = msg("HttpFlood:02", dup49); + + var select8 = linear_select([ + msg14, + msg15, + ]); + + var part1 = match("MESSAGE#15:COMMAND:", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} COMMAND: \"%{action}\" by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ + dup19, + dup20, + setc("ec_activity","Execute"), + dup21, + dup11, + dup12, + ])); + + var msg16 = msg("COMMAND:", part1); + + var part2 = match("MESSAGE#16:Configuration:01", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{event_description->} set %{change_new}, Old Values: %{change_old}, ACTION: %{action->} by user %{username->} via 
%{network_service->} source IP %{saddr}", processor_chain([ + dup19, + dup20, + dup22, + dup23, + dup11, + dup12, + ])); + + var msg17 = msg("Configuration:01", part2); + + var part3 = match("MESSAGE#17:Configuration:02", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{event_description}, ACTION: %{action->} by user %{username->} via %{network_service->} source IP %{saddr}", processor_chain([ + dup19, + dup20, + dup23, + dup11, + dup12, + ])); + + var msg18 = msg("Configuration:02", part3); + + var part4 = match("MESSAGE#18:Configuration:03", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration File downloaded from device by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ + dup19, + dup20, + dup23, + dup11, + setc("event_description","Configuration File downloaded"), + dup12, + ])); + + var msg19 = msg("Configuration:03", part4); + + var part5 = match("MESSAGE#19:Configuration:04", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration Upload has been completed", processor_chain([ + dup24, + dup23, + dup11, + setc("event_description","Configuration Upload has been completed"), + dup12, + ])); + + var msg20 = msg("Configuration:04", part5); + + var part6 = match("MESSAGE#20:Configuration:05", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration Download has been completed", processor_chain([ + dup24, + dup23, + dup11, + setc("event_description","Configuration Download has been completed"), + dup12, + ])); + + var msg21 = msg("Configuration:05", part6); + + var part7 = match("MESSAGE#21:Configuration:06", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration file has been modified. Device may fail to load configuration file!", processor_chain([ + dup24, + dup22, + dup23, + dup11, + setc("event_description","Configuration file has been modified. 
Device may fail to load configuration file!"), + dup12, + ])); + + var msg22 = msg("Configuration:06", part7); + + var select9 = linear_select([ + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + ]); + + var part8 = match("MESSAGE#22:Login:04/0", "nwparser.payload", "Login failed %{p0}"); + + var all4 = all_match({ + processors: [ + part8, + dup44, + dup27, + dup45, + ], + on_success: processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup33, + dup11, + dup34, + ]), + }); + + var msg23 = msg("Login:04", all4); + + var part9 = match("MESSAGE#23:Login:05", "nwparser.payload", "Login locked user %{username->} (IP: %{saddr}): %{result}", processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup35, + dup11, + setc("event_description","Login Locked"), + ])); + + var msg24 = msg("Login:05", part9); + + var part10 = match("MESSAGE#24:Login:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Login failed %{p0}"); + + var all5 = all_match({ + processors: [ + part10, + dup44, + dup27, + dup45, + ], + on_success: processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup33, + dup11, + dup34, + dup12, + ]), + }); + + var msg25 = msg("Login:01", all5); + + var part11 = match("MESSAGE#25:Login:02", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Login failed via %{network_service->} (IP: %{saddr}): %{result}", processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup33, + dup11, + dup34, + dup12, + ])); + + var msg26 = msg("Login:02", part11); + + var part12 = match("MESSAGE#26:Login:03", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Login locked user %{username->} (IP: %{saddr}): %{result}", processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup35, + dup11, + dup34, + dup12, + ])); + + var msg27 = msg("Login:03", part12); + + var select10 = linear_select([ + msg23, + msg24, + msg25, + msg26, + msg27, + ]); + + var part13 = match("MESSAGE#27:Connection", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Connection to NTP server 
timed out", processor_chain([ + dup36, + dup21, + dup11, + setc("event_description","Connection to NTP server timed out"), + dup12, + ])); + + var msg28 = msg("Connection", part13); + + var part14 = match("MESSAGE#28:Device", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Device was rebooted by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ + dup19, + dup20, + dup21, + dup11, + setc("event_description","Device was rebooted"), + dup12, + ])); + + var msg29 = msg("Device", part14); + + var part15 = match("MESSAGE#29:Power", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Power supply fully operational", processor_chain([ + dup24, + dup21, + dup11, + setc("event_description","Power supply fully operational"), + dup12, + ])); + + var msg30 = msg("Power", part15); + + var part16 = match("MESSAGE#30:Cold", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Cold Start", processor_chain([ + dup24, + setc("ec_activity","Start"), + dup21, + dup11, + setc("event_description","Cold Start"), + dup12, + ])); + + var msg31 = msg("Cold", part16); + + var part17 = match("MESSAGE#31:Port/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Port %{interface->} %{p0}"); + + var part18 = match("MESSAGE#31:Port/1_0", "nwparser.p0", "Down%{}"); + + var part19 = match("MESSAGE#31:Port/1_1", "nwparser.p0", "Up %{}"); + + var select11 = linear_select([ + part18, + part19, + ]); + + var all6 = all_match({ + processors: [ + part17, + select11, + ], + on_success: processor_chain([ + dup24, + dup21, + dup11, + setc("event_description","Port Status Change"), + dup12, + ]), + }); + + var msg32 = msg("Port", all6); + + var part20 = match("MESSAGE#32:DefensePro", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} DefensePro was powered off", processor_chain([ + dup24, + dup21, + dup11, + setc("event_description","DefensePro Powered off"), + dup12, + ])); + + var msg33 = msg("DefensePro", part20); + + var part21 = 
match("MESSAGE#33:Access:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{id->} %{category->} \"%{event_type}\" %{protocol->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{interface->} %{context->} \"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); + + var all7 = all_match({ + processors: [ + part21, + dup43, + ], + on_success: processor_chain([ + dup36, + dup37, + dup11, + dup12, + ]), + }); + + var msg34 = msg("Access:01", all7); + + var part22 = match("MESSAGE#34:Access", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Access attempted by unauthorized NMS, Community: %{fld3}, IP: \"%{saddr}\"", processor_chain([ + dup36, + dup37, + dup11, + setc("event_description","Access attempted by unauthorized NMS"), + dup12, + ])); + + var msg35 = msg("Access", part22); + + var select12 = linear_select([ + msg34, + msg35, + ]); + + var part23 = match("MESSAGE#35:Please", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Please reboot the device for the latest changes to take effect", processor_chain([ + dup19, + dup21, + dup11, + setc("event_description","Reboot required for latest changes"), + dup12, + ])); + + var msg36 = msg("Please", part23); + + var part24 = match("MESSAGE#36:User:01", "nwparser.payload", "User %{username->} logged in via %{network_service->} (IP: %{saddr})", processor_chain([ + dup38, + dup20, + dup31, + dup32, + dup39, + dup11, + dup40, + ])); + + var msg37 = msg("User:01", part24); + + var part25 = match("MESSAGE#37:User", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} User %{username->} logged in via %{network_service->} (IP: %{saddr})", processor_chain([ + dup38, + dup20, + dup31, + dup32, + dup39, + dup11, + dup40, + dup12, + ])); + + var msg38 = msg("User", part25); + + var select13 = linear_select([ + msg37, + msg38, + ]); + + var part26 = match("MESSAGE#38:Certificate", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Certificate 
named %{fld3->} expired on %{fld4->} %{fld5}", processor_chain([ + dup19, + dup11, + setc("event_description","Certificate expired"), + dup12, + date_time({ + dest: "endtime", + args: ["fld5"], + fmts: [ + [dB,dF,dH,dc(":"),dU,dc(":"),dO,dW], + ], + }), + ])); + + var msg39 = msg("Certificate", part26); + + var part27 = match("MESSAGE#39:Vision", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Vision %{event_description->} by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ + dup19, + dup11, + dup12, + ])); + + var msg40 = msg("Vision", part27); + + var part28 = match("MESSAGE#40:Updating", "nwparser.payload", "Updating policy database%{fld1}", processor_chain([ + dup24, + dup21, + dup11, + setc("event_description","Updating policy database"), + ])); + + var msg41 = msg("Updating", part28); + + var part29 = match("MESSAGE#41:Policy", "nwparser.payload", "Policy database updated successfully.%{}", processor_chain([ + dup24, + dup23, + dup39, + dup11, + setc("event_description","Policy database updated successfully"), + ])); + + var msg42 = msg("Policy", part29); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "Access": select12, + "Anomalies": select7, + "Anti-Scanning": select4, + "Behavioral-DoS": select3, + "COMMAND:": msg16, + "Certificate": msg39, + "Cold": msg31, + "Configuration": select9, + "Connection": msg28, + "Cracking-Protection": select6, + "DefensePro": msg33, + "Device": msg29, + "DoS": select5, + "HttpFlood": select8, + "Intrusions": select2, + "Login": select10, + "Please": msg36, + "Policy": msg42, + "Port": msg32, + "Power": msg30, + "SynFlood": msg3, + "Updating": msg41, + "User": select13, + "Vision": msg40, + }), + ]); + + var part30 = match("MESSAGE#0:Intrusions:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{id->} %{category->} \"%{event_type}\" %{protocol->} %{p0}"); + + var part31 = match("MESSAGE#0:Intrusions:01/1_0", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + + 
var part32 = match("MESSAGE#0:Intrusions:01/1_1", "nwparser.p0", "%{saddr->} %{sport->} %{p0}"); + + var part33 = match("MESSAGE#0:Intrusions:01/2_0", "nwparser.p0", "%{daddr}:%{dport->} %{p0}"); + + var part34 = match("MESSAGE#0:Intrusions:01/2_1", "nwparser.p0", "%{daddr->} %{dport->} %{p0}"); + + var part35 = match("MESSAGE#0:Intrusions:01/3", "nwparser.p0", "%{interface->} %{context->} \"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); + + var part36 = match("MESSAGE#0:Intrusions:01/4_0", "nwparser.p0", "%{action->} %{sigid_string}"); + + var part37 = match("MESSAGE#0:Intrusions:01/4_1", "nwparser.p0", "%{action}"); + + var part38 = match("MESSAGE#1:Intrusions:02/0", "nwparser.payload", "%{id->} %{category->} \\\"%{event_type}\\\" %{protocol->} %{p0}"); + + var part39 = match("MESSAGE#1:Intrusions:02/3", "nwparser.p0", "%{interface->} %{context->} \\\"%{policyname}\\\" %{event_state->} %{packets->} %{dclass_counter1->} %{fld1->} %{risk->} %{action->} %{vlan->} %{fld15->} %{fld16->} %{direction}"); + + var part40 = match("MESSAGE#22:Login:04/1_0", "nwparser.p0", "for user%{p0}"); + + var part41 = match("MESSAGE#22:Login:04/1_1", "nwparser.p0", "user%{p0}"); + + var part42 = match("MESSAGE#22:Login:04/2", "nwparser.p0", "%{} %{username->} via %{network_service->} (IP: %{saddr})%{p0}"); + + var part43 = match("MESSAGE#22:Login:04/3_0", "nwparser.p0", ": %{result}"); + + var part44 = match("MESSAGE#22:Login:04/3_1", "nwparser.p0", "%{result}"); + + var select14 = linear_select([ + dup2, + dup3, + ]); + + var select15 = linear_select([ + dup4, + dup5, + ]); + + var select16 = linear_select([ + dup7, + dup8, + ]); + + var select17 = linear_select([ + dup25, + dup26, + ]); + + var select18 = linear_select([ + dup28, + dup29, + ]); + + var all8 = all_match({ + processors: [ + dup1, + dup41, + dup42, + dup6, + dup43, + ], + on_success: processor_chain([ + dup9, + dup10, + dup11, + dup12, + dup13, + ]), 
+ });
+
+ var all9 = all_match({
+ processors: [
+ dup14,
+ dup41,
+ dup42,
+ dup15,
+ ],
+ on_success: processor_chain([
+ dup9,
+ dup10,
+ dup11,
+ dup13,
+ ]),
+ });
+
+ var all10 = all_match({
+ processors: [
+ dup1,
+ dup41,
+ dup42,
+ dup6,
+ dup43,
+ ],
+ on_success: processor_chain([
+ dup16,
+ dup10,
+ dup11,
+ dup12,
+ dup13,
+ ]),
+ });
+
+ var all11 = all_match({
+ processors: [
+ dup14,
+ dup41,
+ dup42,
+ dup15,
+ ],
+ on_success: processor_chain([
+ dup16,
+ dup10,
+ dup11,
+ dup13,
+ ]),
+ });
+
+- community_id:
+- add_locale: ~
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/packages/radware/0.1.0/dataset/defensepro/agent/stream/udp.yml.hbs b/packages/radware/0.1.0/dataset/defensepro/agent/stream/udp.yml.hbs
new file mode 100644
index 0000000000..44d1abe72a
--- /dev/null
+++ b/packages/radware/0.1.0/dataset/defensepro/agent/stream/udp.yml.hbs
@@ -0,0 +1,3281 @@
+udp:
+host: "{{udp_host}}:{{udp_port}}"
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Radware"
+ product: "DefensePro"
+ type: "IDS"
+publisher_pipeline.disable_host: true
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{rsa_fields}}
+ tz_offset: {{tz_offset}}
+ keep_raw: {{keep_raw_fields}}
+ debug: {{debug}}
+ source: |
+ // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ // or more contributor license agreements. Licensed under the Elastic License;
+ // you may not use this file except in compliance with the Elastic License.
+
+ /* jshint -W014,-W016,-W097,-W116 */
+
+ var processor = require("processor");
+ var console = require("console");
+
+ var FLAG_FIELD = "log.flags";
+ var FIELDS_OBJECT = "nwparser";
+ var FIELDS_PREFIX = FIELDS_OBJECT + ".";
+
+ var defaults = {
+ debug: false,
+ ecs: true,
+ rsa: false,
+ keep_raw: false,
+ tz_offset: "local",
+ strip_priority: true
+ };
+
+ var saved_flags = null;
+ var debug;
+ var map_ecs;
+ var map_rsa;
+ var keep_raw;
+ var device;
+ var tz_offset;
+ var strip_priority;
+
+ // Register params from configuration.
+ function register(params) {
+ debug = params.debug !== undefined ? params.debug : defaults.debug;
+ map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
+ map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
+ keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
+ tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
+ strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority;
+ device = new DeviceProcessor();
+ }
+
+ function parse_tz_offset(offset) {
+ var date;
+ var m;
+ switch(offset) {
+ // local uses the tz offset from the JS VM.
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]},
+ "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter:
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld2->} %{severity->} %{id->} %{category->} \"%{event_type}\" %{protocol->} %{p0}"); + + var dup2 = match("MESSAGE#0:Intrusions:01/1_0", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + + var dup3 = match("MESSAGE#0:Intrusions:01/1_1", "nwparser.p0", "%{saddr->} %{sport->} %{p0}"); + + var dup4 = match("MESSAGE#0:Intrusions:01/2_0", "nwparser.p0", "%{daddr}:%{dport->} %{p0}"); + + var dup5 = match("MESSAGE#0:Intrusions:01/2_1", "nwparser.p0", "%{daddr->} %{dport->} %{p0}"); + + var dup6 = match("MESSAGE#0:Intrusions:01/3", "nwparser.p0", "%{interface->} %{context->} \"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); + + var dup7 = match("MESSAGE#0:Intrusions:01/4_0", "nwparser.p0", "%{action->} %{sigid_string}"); + + var dup8 = match("MESSAGE#0:Intrusions:01/4_1", "nwparser.p0", "%{action}"); + + var dup9 = setc("eventcategory","1001000000"); + + var dup10 = setc("ec_theme","TEV"); + + var dup11 = setf("msg","$MSG"); + + var dup12 = date_time({ + dest: "event_time", + args: ["fld1","fld2"], + fmts: [ + [dF,dc("-"),dG,dc("-"),dW,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup13 = setc("dclass_counter1_string","Bandwidth in Kbps"); + + var dup14 = match("MESSAGE#1:Intrusions:02/0", "nwparser.payload", "%{id->} %{category->} \\\"%{event_type}\\\" %{protocol->} %{p0}"); + + var dup15 = match("MESSAGE#1:Intrusions:02/3", "nwparser.p0", "%{interface->} %{context->} \\\"%{policyname}\\\" %{event_state->} %{packets->} %{dclass_counter1->} %{fld1->} %{risk->} %{action->} %{vlan->} %{fld15->} %{fld16->} %{direction}"); + + var dup16 = setc("eventcategory","1002000000"); + + var dup17 = setc("ec_subject","NetworkComm"); + + var dup18 = setc("ec_activity","Scan"); + + var dup19 = setc("eventcategory","1401000000"); + + var dup20 = setc("ec_subject","User"); + + var dup21 = setc("ec_theme","ALM"); + + 
var dup22 = setc("ec_activity","Modify"); + + var dup23 = setc("ec_theme","Configuration"); + + var dup24 = setc("eventcategory","1612000000"); + + var dup25 = match("MESSAGE#22:Login:04/1_0", "nwparser.p0", "for user%{p0}"); + + var dup26 = match("MESSAGE#22:Login:04/1_1", "nwparser.p0", "user%{p0}"); + + var dup27 = match("MESSAGE#22:Login:04/2", "nwparser.p0", "%{} %{username->} via %{network_service->} (IP: %{saddr})%{p0}"); + + var dup28 = match("MESSAGE#22:Login:04/3_0", "nwparser.p0", ": %{result}"); + + var dup29 = match("MESSAGE#22:Login:04/3_1", "nwparser.p0", "%{result}"); + + var dup30 = setc("eventcategory","1401030000"); + + var dup31 = setc("ec_activity","Logon"); + + var dup32 = setc("ec_theme","Authentication"); + + var dup33 = setc("ec_outcome","Failure"); + + var dup34 = setc("event_description","Login Failed"); + + var dup35 = setc("ec_outcome","Error"); + + var dup36 = setc("eventcategory","1603000000"); + + var dup37 = setc("ec_theme","AccessControl"); + + var dup38 = setc("eventcategory","1401060000"); + + var dup39 = setc("ec_outcome","Success"); + + var dup40 = setc("event_description","User logged in"); + + var dup41 = linear_select([ + dup2, + dup3, + ]); + + var dup42 = linear_select([ + dup4, + dup5, + ]); + + var dup43 = linear_select([ + dup7, + dup8, + ]); + + var dup44 = linear_select([ + dup25, + dup26, + ]); + + var dup45 = linear_select([ + dup28, + dup29, + ]); + + var dup46 = all_match({ + processors: [ + dup1, + dup41, + dup42, + dup6, + dup43, + ], + on_success: processor_chain([ + dup9, + dup10, + dup11, + dup12, + dup13, + ]), + }); + + var dup47 = all_match({ + processors: [ + dup14, + dup41, + dup42, + dup15, + ], + on_success: processor_chain([ + dup9, + dup10, + dup11, + dup13, + ]), + }); + + var dup48 = all_match({ + processors: [ + dup1, + dup41, + dup42, + dup6, + dup43, + ], + on_success: processor_chain([ + dup16, + dup10, + dup11, + dup12, + dup13, + ]), + }); + + var dup49 = all_match({ + processors: [ + dup14, 
+ dup41, + dup42, + dup15, + ], + on_success: processor_chain([ + dup16, + dup10, + dup11, + dup13, + ]), + }); + + var hdr1 = match("HEADER#0:0001", "message", "%DefensePro %{hfld1->} %{hfld2->} %{hfld3->} %{messageid->} \\\"%{hfld4}\\\" %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld3"), + constant(" "), + field("messageid"), + constant(" \\\""), + field("hfld4"), + constant("\\\" "), + field("payload"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%DefensePro %{messageid->} %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "DefensePro: %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{messageid->} \"%{hfld3}\" %{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("messageid"), + constant(" \""), + field("hfld3"), + constant("\" "), + field("payload"), + ], + }), + ])); + + var hdr4 = match("HEADER#3:0004", "message", "DefensePro: %{hdate->} %{htime->} %{hfld1->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var msg1 = msg("Intrusions:01", dup46); + + var msg2 = msg("Intrusions:02", dup47); + + var select2 = linear_select([ + msg1, + msg2, + ]); + + var msg3 = msg("SynFlood:01", dup48); + + var msg4 = 
msg("Behavioral-DoS:01", dup48); + + var msg5 = msg("Behavioral-DoS:02", dup49); + + var select3 = linear_select([ + msg4, + msg5, + ]); + + var all1 = all_match({ + processors: [ + dup1, + dup41, + dup42, + dup6, + dup43, + ], + on_success: processor_chain([ + dup9, + dup17, + dup18, + dup10, + dup11, + dup12, + dup13, + ]), + }); + + var msg6 = msg("Anti-Scanning:01", all1); + + var all2 = all_match({ + processors: [ + dup14, + dup41, + dup42, + dup15, + ], + on_success: processor_chain([ + dup9, + dup17, + dup18, + dup10, + dup11, + dup13, + ]), + }); + + var msg7 = msg("Anti-Scanning:02", all2); + + var select4 = linear_select([ + msg6, + msg7, + ]); + + var msg8 = msg("DoS:01", dup48); + + var all3 = all_match({ + processors: [ + dup14, + dup41, + dup42, + dup15, + ], + on_success: processor_chain([ + dup16, + dup17, + dup18, + dup10, + dup11, + dup13, + ]), + }); + + var msg9 = msg("DoS:02", all3); + + var select5 = linear_select([ + msg8, + msg9, + ]); + + var msg10 = msg("Cracking-Protection:01", dup46); + + var msg11 = msg("Cracking-Protection:02", dup47); + + var select6 = linear_select([ + msg10, + msg11, + ]); + + var msg12 = msg("Anomalies:01", dup48); + + var msg13 = msg("Anomalies:02", dup49); + + var select7 = linear_select([ + msg12, + msg13, + ]); + + var msg14 = msg("HttpFlood:01", dup48); + + var msg15 = msg("HttpFlood:02", dup49); + + var select8 = linear_select([ + msg14, + msg15, + ]); + + var part1 = match("MESSAGE#15:COMMAND:", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} COMMAND: \"%{action}\" by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ + dup19, + dup20, + setc("ec_activity","Execute"), + dup21, + dup11, + dup12, + ])); + + var msg16 = msg("COMMAND:", part1); + + var part2 = match("MESSAGE#16:Configuration:01", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{event_description->} set %{change_new}, Old Values: %{change_old}, ACTION: %{action->} by user %{username->} via 
%{network_service->} source IP %{saddr}", processor_chain([ + dup19, + dup20, + dup22, + dup23, + dup11, + dup12, + ])); + + var msg17 = msg("Configuration:01", part2); + + var part3 = match("MESSAGE#17:Configuration:02", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{event_description}, ACTION: %{action->} by user %{username->} via %{network_service->} source IP %{saddr}", processor_chain([ + dup19, + dup20, + dup23, + dup11, + dup12, + ])); + + var msg18 = msg("Configuration:02", part3); + + var part4 = match("MESSAGE#18:Configuration:03", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration File downloaded from device by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ + dup19, + dup20, + dup23, + dup11, + setc("event_description","Configuration File downloaded"), + dup12, + ])); + + var msg19 = msg("Configuration:03", part4); + + var part5 = match("MESSAGE#19:Configuration:04", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration Upload has been completed", processor_chain([ + dup24, + dup23, + dup11, + setc("event_description","Configuration Upload has been completed"), + dup12, + ])); + + var msg20 = msg("Configuration:04", part5); + + var part6 = match("MESSAGE#20:Configuration:05", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration Download has been completed", processor_chain([ + dup24, + dup23, + dup11, + setc("event_description","Configuration Download has been completed"), + dup12, + ])); + + var msg21 = msg("Configuration:05", part6); + + var part7 = match("MESSAGE#21:Configuration:06", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration file has been modified. Device may fail to load configuration file!", processor_chain([ + dup24, + dup22, + dup23, + dup11, + setc("event_description","Configuration file has been modified. 
Device may fail to load configuration file!"), + dup12, + ])); + + var msg22 = msg("Configuration:06", part7); + + var select9 = linear_select([ + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + ]); + + var part8 = match("MESSAGE#22:Login:04/0", "nwparser.payload", "Login failed %{p0}"); + + var all4 = all_match({ + processors: [ + part8, + dup44, + dup27, + dup45, + ], + on_success: processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup33, + dup11, + dup34, + ]), + }); + + var msg23 = msg("Login:04", all4); + + var part9 = match("MESSAGE#23:Login:05", "nwparser.payload", "Login locked user %{username->} (IP: %{saddr}): %{result}", processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup35, + dup11, + setc("event_description","Login Locked"), + ])); + + var msg24 = msg("Login:05", part9); + + var part10 = match("MESSAGE#24:Login:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Login failed %{p0}"); + + var all5 = all_match({ + processors: [ + part10, + dup44, + dup27, + dup45, + ], + on_success: processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup33, + dup11, + dup34, + dup12, + ]), + }); + + var msg25 = msg("Login:01", all5); + + var part11 = match("MESSAGE#25:Login:02", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Login failed via %{network_service->} (IP: %{saddr}): %{result}", processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup33, + dup11, + dup34, + dup12, + ])); + + var msg26 = msg("Login:02", part11); + + var part12 = match("MESSAGE#26:Login:03", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Login locked user %{username->} (IP: %{saddr}): %{result}", processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup35, + dup11, + dup34, + dup12, + ])); + + var msg27 = msg("Login:03", part12); + + var select10 = linear_select([ + msg23, + msg24, + msg25, + msg26, + msg27, + ]); + + var part13 = match("MESSAGE#27:Connection", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Connection to NTP server 
timed out", processor_chain([ + dup36, + dup21, + dup11, + setc("event_description","Connection to NTP server timed out"), + dup12, + ])); + + var msg28 = msg("Connection", part13); + + var part14 = match("MESSAGE#28:Device", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Device was rebooted by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ + dup19, + dup20, + dup21, + dup11, + setc("event_description","Device was rebooted"), + dup12, + ])); + + var msg29 = msg("Device", part14); + + var part15 = match("MESSAGE#29:Power", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Power supply fully operational", processor_chain([ + dup24, + dup21, + dup11, + setc("event_description","Power supply fully operational"), + dup12, + ])); + + var msg30 = msg("Power", part15); + + var part16 = match("MESSAGE#30:Cold", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Cold Start", processor_chain([ + dup24, + setc("ec_activity","Start"), + dup21, + dup11, + setc("event_description","Cold Start"), + dup12, + ])); + + var msg31 = msg("Cold", part16); + + var part17 = match("MESSAGE#31:Port/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Port %{interface->} %{p0}"); + + var part18 = match("MESSAGE#31:Port/1_0", "nwparser.p0", "Down%{}"); + + var part19 = match("MESSAGE#31:Port/1_1", "nwparser.p0", "Up %{}"); + + var select11 = linear_select([ + part18, + part19, + ]); + + var all6 = all_match({ + processors: [ + part17, + select11, + ], + on_success: processor_chain([ + dup24, + dup21, + dup11, + setc("event_description","Port Status Change"), + dup12, + ]), + }); + + var msg32 = msg("Port", all6); + + var part20 = match("MESSAGE#32:DefensePro", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} DefensePro was powered off", processor_chain([ + dup24, + dup21, + dup11, + setc("event_description","DefensePro Powered off"), + dup12, + ])); + + var msg33 = msg("DefensePro", part20); + + var part21 = 
match("MESSAGE#33:Access:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{id->} %{category->} \"%{event_type}\" %{protocol->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{interface->} %{context->} \"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); + + var all7 = all_match({ + processors: [ + part21, + dup43, + ], + on_success: processor_chain([ + dup36, + dup37, + dup11, + dup12, + ]), + }); + + var msg34 = msg("Access:01", all7); + + var part22 = match("MESSAGE#34:Access", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Access attempted by unauthorized NMS, Community: %{fld3}, IP: \"%{saddr}\"", processor_chain([ + dup36, + dup37, + dup11, + setc("event_description","Access attempted by unauthorized NMS"), + dup12, + ])); + + var msg35 = msg("Access", part22); + + var select12 = linear_select([ + msg34, + msg35, + ]); + + var part23 = match("MESSAGE#35:Please", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Please reboot the device for the latest changes to take effect", processor_chain([ + dup19, + dup21, + dup11, + setc("event_description","Reboot required for latest changes"), + dup12, + ])); + + var msg36 = msg("Please", part23); + + var part24 = match("MESSAGE#36:User:01", "nwparser.payload", "User %{username->} logged in via %{network_service->} (IP: %{saddr})", processor_chain([ + dup38, + dup20, + dup31, + dup32, + dup39, + dup11, + dup40, + ])); + + var msg37 = msg("User:01", part24); + + var part25 = match("MESSAGE#37:User", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} User %{username->} logged in via %{network_service->} (IP: %{saddr})", processor_chain([ + dup38, + dup20, + dup31, + dup32, + dup39, + dup11, + dup40, + dup12, + ])); + + var msg38 = msg("User", part25); + + var select13 = linear_select([ + msg37, + msg38, + ]); + + var part26 = match("MESSAGE#38:Certificate", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Certificate 
named %{fld3->} expired on %{fld4->} %{fld5}", processor_chain([ + dup19, + dup11, + setc("event_description","Certificate expired"), + dup12, + date_time({ + dest: "endtime", + args: ["fld5"], + fmts: [ + [dB,dF,dH,dc(":"),dU,dc(":"),dO,dW], + ], + }), + ])); + + var msg39 = msg("Certificate", part26); + + var part27 = match("MESSAGE#39:Vision", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Vision %{event_description->} by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ + dup19, + dup11, + dup12, + ])); + + var msg40 = msg("Vision", part27); + + var part28 = match("MESSAGE#40:Updating", "nwparser.payload", "Updating policy database%{fld1}", processor_chain([ + dup24, + dup21, + dup11, + setc("event_description","Updating policy database"), + ])); + + var msg41 = msg("Updating", part28); + + var part29 = match("MESSAGE#41:Policy", "nwparser.payload", "Policy database updated successfully.%{}", processor_chain([ + dup24, + dup23, + dup39, + dup11, + setc("event_description","Policy database updated successfully"), + ])); + + var msg42 = msg("Policy", part29); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "Access": select12, + "Anomalies": select7, + "Anti-Scanning": select4, + "Behavioral-DoS": select3, + "COMMAND:": msg16, + "Certificate": msg39, + "Cold": msg31, + "Configuration": select9, + "Connection": msg28, + "Cracking-Protection": select6, + "DefensePro": msg33, + "Device": msg29, + "DoS": select5, + "HttpFlood": select8, + "Intrusions": select2, + "Login": select10, + "Please": msg36, + "Policy": msg42, + "Port": msg32, + "Power": msg30, + "SynFlood": msg3, + "Updating": msg41, + "User": select13, + "Vision": msg40, + }), + ]); + + var part30 = match("MESSAGE#0:Intrusions:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{id->} %{category->} \"%{event_type}\" %{protocol->} %{p0}"); + + var part31 = match("MESSAGE#0:Intrusions:01/1_0", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + + 
var part32 = match("MESSAGE#0:Intrusions:01/1_1", "nwparser.p0", "%{saddr->} %{sport->} %{p0}"); + + var part33 = match("MESSAGE#0:Intrusions:01/2_0", "nwparser.p0", "%{daddr}:%{dport->} %{p0}"); + + var part34 = match("MESSAGE#0:Intrusions:01/2_1", "nwparser.p0", "%{daddr->} %{dport->} %{p0}"); + + var part35 = match("MESSAGE#0:Intrusions:01/3", "nwparser.p0", "%{interface->} %{context->} \"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); + + var part36 = match("MESSAGE#0:Intrusions:01/4_0", "nwparser.p0", "%{action->} %{sigid_string}"); + + var part37 = match("MESSAGE#0:Intrusions:01/4_1", "nwparser.p0", "%{action}"); + + var part38 = match("MESSAGE#1:Intrusions:02/0", "nwparser.payload", "%{id->} %{category->} \\\"%{event_type}\\\" %{protocol->} %{p0}"); + + var part39 = match("MESSAGE#1:Intrusions:02/3", "nwparser.p0", "%{interface->} %{context->} \\\"%{policyname}\\\" %{event_state->} %{packets->} %{dclass_counter1->} %{fld1->} %{risk->} %{action->} %{vlan->} %{fld15->} %{fld16->} %{direction}"); + + var part40 = match("MESSAGE#22:Login:04/1_0", "nwparser.p0", "for user%{p0}"); + + var part41 = match("MESSAGE#22:Login:04/1_1", "nwparser.p0", "user%{p0}"); + + var part42 = match("MESSAGE#22:Login:04/2", "nwparser.p0", "%{} %{username->} via %{network_service->} (IP: %{saddr})%{p0}"); + + var part43 = match("MESSAGE#22:Login:04/3_0", "nwparser.p0", ": %{result}"); + + var part44 = match("MESSAGE#22:Login:04/3_1", "nwparser.p0", "%{result}"); + + var select14 = linear_select([ + dup2, + dup3, + ]); + + var select15 = linear_select([ + dup4, + dup5, + ]); + + var select16 = linear_select([ + dup7, + dup8, + ]); + + var select17 = linear_select([ + dup25, + dup26, + ]); + + var select18 = linear_select([ + dup28, + dup29, + ]); + + var all8 = all_match({ + processors: [ + dup1, + dup41, + dup42, + dup6, + dup43, + ], + on_success: processor_chain([ + dup9, + dup10, + dup11, + dup12, + dup13, + ]), 
+ }); + + var all9 = all_match({ + processors: [ + dup14, + dup41, + dup42, + dup15, + ], + on_success: processor_chain([ + dup9, + dup10, + dup11, + dup13, + ]), + }); + + var all10 = all_match({ + processors: [ + dup1, + dup41, + dup42, + dup6, + dup43, + ], + on_success: processor_chain([ + dup16, + dup10, + dup11, + dup12, + dup13, + ]), + }); + + var all11 = all_match({ + processors: [ + dup14, + dup41, + dup42, + dup15, + ], + on_success: processor_chain([ + dup16, + dup10, + dup11, + dup13, + ]), + }); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/radware/0.1.0/dataset/defensepro/elasticsearch/ingest_pipeline/default.yml b/packages/radware/0.1.0/dataset/defensepro/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 0000000000..9b916ed880 --- /dev/null +++ b/packages/radware/0.1.0/dataset/defensepro/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Radware DefensePro
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/radware/0.1.0/dataset/defensepro/fields/base-fields.yml b/packages/radware/0.1.0/dataset/defensepro/fields/base-fields.yml
new file mode 100644
index 0000000000..b294eaf20e
--- /dev/null
+++ b/packages/radware/0.1.0/dataset/defensepro/fields/base-fields.yml
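Review bot: The four `rename` processors that follow the ASN lookups are unexplained in the pipeline; a comment above the first one such as `# geoip writes asn / organization_name; move them to the ECS names as.number / as.organization.name` would tell a reader why the lookup results are not written to their final fields directly. The `on_failure` handler records only `_ingest.on_failure_message`, so a document whose enrichment fails is still indexed and is distinguishable from a healthy one only by the presence of `error.message`; that is acceptable for a first version, but it is worth stating in the pipeline `description` so anyone hunting for failed enrichments knows which field to query. The `ignore_missing: true` on every `geoip` and `rename` step means a log without `source.ip` or `destination.ip` passes through silently, which is presumably intended for DefensePro system events that carry no addresses.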
@@ -0,0 +1,26 @@
+- name: datastream.type
+ type: constant_keyword
+ description: Datastream type.
+- name: datastream.dataset
+ type: constant_keyword
+ description: Datastream dataset.
+- name: datastream.namespace
+ type: constant_keyword
+ description: Datastream namespace.
+
+- name: dataset.type
+ type: constant_keyword
+ description: >
+ Dataset type.
+- name: dataset.name
+ type: constant_keyword
+ description: >
+ Dataset name.
+- name: dataset.namespace
+ type: constant_keyword
+ description: >
+ Dataset namespace.
+- name: "@timestamp"
+ type: date
+ description: >
+ Event timestamp.
diff --git a/packages/radware/0.1.0/dataset/defensepro/fields/ecs.yml b/packages/radware/0.1.0/dataset/defensepro/fields/ecs.yml
new file mode 100644
index 0000000000..92af91c339
--- /dev/null
+++ b/packages/radware/0.1.0/dataset/defensepro/fields/ecs.yml
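Review bot: The file declares both the `datastream.*` and the `dataset.*` constant_keyword triples with no indication of which set is authoritative; given that the barracuda README in the same commit adds `datastream.*` next to the existing `dataset.*` rows, this looks like a transitional duplication, and a one-line comment above the `dataset.type` entry such as `# legacy names kept alongside datastream.*; remove once consumers have migrated` would stop the next maintainer from guessing. As a point of style, the three `datastream.*` entries use plain `description: Datastream type.` scalars while the remaining four use the folded `description: >` form for the same one-sentence text; pick one form for the whole file.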
@@ -0,0 +1,836 @@ +- name: log + type: group + fields: + - name: original + level: core + type: keyword + ignore_above: 1024 + description: 'This is the original log message and contains the full log message + before splitting it up in multiple parts. + + In contrast to the `message` field which can contain an extracted part of the + log message, this field contains the original, full log message. It can have + already some modifications applied like encoding or new lines removed to clean + up the log message. + + This field is not indexed and doc_values are disabled so it can''t be queried + but the value can be retrieved from `_source`.' + example: Sep 19 08:26:10 localhost My log + - name: level + level: core + type: keyword + ignore_above: 1024 + description: 'Original log level of the log event. + + If the source of the event provides a log level or textual severity, this is + the one that goes in `log.level`. If your source doesn''t specify one, you may + put your event transport''s severity here (e.g. Syslog severity). + + Some examples are `warn`, `err`, `i`, `informational`.' + example: error + - name: syslog + type: group + fields: + - name: priority + level: extended + type: long + format: string + description: 'Syslog numeric priority of the event, if available. + + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. + This number is therefore expected to contain a value between 0 and 191.' + example: 135 + - name: facility + type: group + fields: + - name: code + level: extended + type: long + format: string + description: 'The Syslog numeric facility of the log event, if available. + + According to RFCs 5424 and 3164, this value should be an integer between + 0 and 23.' + example: 23 + - name: severity + type: group + fields: + - name: code + level: extended + type: long + description: 'The Syslog numeric severity of the log event, if available. 
+ + If the event source publishing via Syslog provides a different numeric severity + value (e.g. firewall, IDS), your source''s numeric severity should go to + `event.severity`. If the event source does not specify a distinct severity, + you can optionally copy the Syslog severity to `event.severity`.' + example: 3 +- name: event + type: group + fields: + - name: code + level: extended + type: keyword + ignore_above: 1024 + description: 'Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, regardless + of message language or wording adjustments over time. An example of this is + the Windows Event ID.' + example: 4648 + - name: action + level: core + type: keyword + ignore_above: 1024 + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is normally + defined by the implementer.' + example: user-password-change + - name: outcome + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + lowest level in the ECS category hierarchy. + + `event.outcome` simply denotes whether the event represents a success or a failure + from the perspective of the entity that produced the event. + + Note that when a single transaction is described in multiple events, each event + may populate different values of `event.outcome`, according to their perspective. + + Also note that in the case of a compound event (a single event that contains + multiple logical events), this field should be populated with the value that + best captures the overall success or failure from the perspective of the event + producer. + + Further note that not all events will have an associated outcome. 
For example, + this field is generally not populated for metric events, events with `event.type:info`, + or any events for which an outcome does not make logical sense.' + example: success + - name: category + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as a + subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + - name: timezone + level: extended + type: keyword + ignore_above: 1024 + description: 'This field should be populated when the event''s timestamp does + not include timezone information already (e.g. default Syslog timestamps). It''s + optional otherwise. + + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated + (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' +- name: '@timestamp' + level: core + required: true + type: date + description: 'Date/time when the event originated. + + This is the date/time extracted from the event, typically representing when the + event was generated by the source. + + If the event source has no original timestamp, this value is typically populated + by the first time the event was received by the pipeline. + + Required field for all events.' + example: '2016-05-23T08:05:34.853Z' +- name: user + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. 
+ example: albert + - name: full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifiers of the user. +- name: message + level: core + type: text + description: 'For log events the message field contains the log message, optimized + for viewing in a log viewer. + + For structured logs without an original message field, other fields can be concatenated + to form a human-readable summary of the event. + + If multiple messages exist, they can be combined into one message.' + example: Hello World +- name: source + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the source. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the source. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the source. + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. 
internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Source domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: host + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified + domain name, or a name specified by the user. The sender decides which value + to use.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. +- name: destination + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the destination. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the destination. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event destination addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. 
You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the destination to the source. + example: 184 + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the destination. + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of destination based NAT sessions (e.g. internet + to private DMZ) + + Typically used with load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Port the source session is translated to by NAT Device. + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Destination domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: network + type: group + fields: + - name: protocol + level: core + type: keyword + ignore_above: 1024 + description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: http + - name: application + level: extended + type: keyword + ignore_above: 1024 + description: 'A name given to an application level protocol. This can be arbitrarily + assigned for things like microservices, but also apply to things like skype, + icq, facebook, twitter. 
This would be used in situations where the vendor or + service can be decoded such as from the source/dest IP owners, ports, or wire + format. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: aim + - name: interface + type: group + fields: + - type: keyword + name: name + - name: bytes + level: core + type: long + format: bytes + description: 'Total bytes transferred in both directions. + + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their + sum.' + example: 368 + - name: direction + level: core + type: keyword + ignore_above: 1024 + description: "Direction of the network traffic.\nRecommended values are:\n *\ + \ inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen mapping\ + \ events from a host-based monitoring context, populate this field from the\ + \ host's point of view.\nWhen mapping events from a network or perimeter-based\ + \ monitoring context, populate this field from the point of view of your network\ + \ perimeter." + example: inbound + - name: packets + level: core + type: long + description: 'Total packets transferred in both directions. + + If `source.packets` and `destination.packets` are known, `network.packets` is + their sum.' + example: 24 + - name: forwarded_ip + level: core + type: ip + description: Host IP address when the source IP address is the proxy. + example: 192.1.1.2 +- name: observer + type: group + fields: + - name: version + level: core + type: keyword + ignore_above: 1024 + description: Observer version. + - name: product + level: extended + type: keyword + ignore_above: 1024 + description: The product name of the observer. + example: s200 + - name: ingress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. 
+ example: eth0 + default_field: false + - name: egress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. + example: eth0 + default_field: false +- name: file + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. + example: example.png + - name: directory + level: extended + type: keyword + ignore_above: 1024 + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + - name: size + level: extended + type: long + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: File type (file, dir, or symlink). + example: file + - name: extension + level: extended + type: keyword + ignore_above: 1024 + description: File extension. + example: png + - name: path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + - name: attributes + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' 
+ example: '["readonly", "system"]' + default_field: false +- name: url + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + - name: query + level: extended + type: keyword + ignore_above: 1024 + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there is + no query field. If there is a `?` but no query, the query field exists with + an empty string. The `exists` query can be used to differentiate between the + two cases.' + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field.' + example: www.elastic.co + - name: path + level: extended + type: keyword + ignore_above: 1024 + description: Path of the request, such as "/search". + - name: top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for google.com is "com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). 
Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.google.com" is "google.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: google.com +- name: service + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the service data is collected from. + + The name of the service is normally user given. This allows for distributed + services that run on multiple hosts to correlate the related instances based + on the name. + + In the case of Elasticsearch the `service.name` could contain the cluster name. + For Beats the `service.name` is by default a copy of the `service.type` field + if no name is specified.' + example: elasticsearch-metrics +- name: server + type: group + fields: + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Server domain. +- name: process + type: group + fields: + - name: pid + level: core + type: long + format: string + description: Process id. + example: 4242 + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + - name: ppid + level: extended + type: long + format: string + description: Parent process' pid. 
+ example: 4241 + - name: parent + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' +- name: rule + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: The name of the rule or signature generating the event. + example: BLOCK_DNS_over_TLS + default_field: false +- name: user_agent + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Unparsed user_agent string. + example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 + (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 +- name: http + type: group + fields: + - name: response + type: group + fields: + - name: body + type: group + fields: + - name: content + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: The full HTTP response body. 
+ example: Hello world + - name: request + type: group + fields: + - name: referrer + level: extended + type: keyword + ignore_above: 1024 + description: Referrer for this HTTP request. + example: https://blog.example.com/ + - name: method + level: extended + type: keyword + ignore_above: 1024 + description: 'HTTP request method. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: get, post, put +- name: geo + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + - name: region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec +- name: dns + type: group + fields: + - name: question + type: group + fields: + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of record being queried. + example: AAAA + - name: answers + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'The domain name to which this resource record pertains. + + If a chain of CNAME is being resolved, each answer''s `name` should be the + one that corresponds with the answer''s `data`. It should not simply be the + original `question.name` repeated.' + example: www.google.com + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of data contained in this resource record. 
+ example: CNAME
diff --git a/packages/radware/0.1.0/dataset/defensepro/fields/fields.yml b/packages/radware/0.1.0/dataset/defensepro/fields/fields.yml
new file mode 100644
index 0000000000..2abc947fe7
--- /dev/null
+++ b/packages/radware/0.1.0/dataset/defensepro/fields/fields.yml
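Review bot: The `log.original` entry at the top of this hunk is declared as a plain `keyword` with `ignore_above: 1024`, while its own description says the field is not indexed, has doc_values disabled and is only retrievable from `_source`; as declared, the raw log line will be indexed and any value over 1024 characters will be silently left out of the index, so the mapping and the description disagree. Add `index: false` and `doc_values: false` under that field (or correct the description) so the stored behaviour matches what is documented. The same hunk declares no `as` group under `source` or `destination` even though the pipeline in this commit writes `source.as.number` and `source.as.organization.name`; that point is raised on the pipeline hunk.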
@@ -0,0 +1,1939 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. 
+ - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session
+ - name: boc
+ type: keyword
+ description: This is used to capture behaviour of compromise
+ - name: eoc
+ type: keyword
+ description: This is used to capture Enablers of Compromise
+ - name: inv_category
+ type: keyword
+ description: This used to capture investigation category
+ - name: inv_context
+ type: keyword
+ description: This used to capture investigation context
+ - name: ioc
+ type: keyword
+ description: This is key capture indicator of compromise
+ - name: counters
+ type: group
+ fields:
+ - name: dclass_c1
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c1.str only
+ - name: dclass_c2
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c2.str only
+ - name: event_counter
+ type: long
+ description: This is used to capture the number of times an event repeated
+ - name: dclass_r1
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r1.str only
+ - name: dclass_c3
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c3.str only
+ - name: dclass_c1_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c1 only
+ - name: dclass_c2_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c2 only
+ - name: dclass_r1_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r1 only
+ - name: dclass_r2
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r2.str only
+ - name: dclass_c3_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c3 only
+ - name: dclass_r3
+ type: keyword
+ description: This is a
generic ratio key that should be used with the label
+ dclass.r3.str only
+ - name: dclass_r2_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r2 only
+ - name: dclass_r3_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r3 only
+ - name: identity
+ type: group
+ fields:
+ - name: auth_method
+ type: keyword
+ description: This key is used to capture authentication methods used only
+ - name: user_role
+ type: keyword
+ description: This key is used to capture the Role of a user only
+ - name: dn
+ type: keyword
+ description: X.500 (LDAP) Distinguished Name
+ - name: logon_type
+ type: keyword
+ description: This key is used to capture the type of logon method used.
+ - name: profile
+ type: keyword
+ description: This key is used to capture the user profile
+ - name: accesses
+ type: keyword
+ description: This key is used to capture actual privileges used in accessing
+ an object
+ - name: realm
+ type: keyword
+ description: Radius realm or similar grouping of accounts
+ - name: user_sid_dst
+ type: keyword
+ description: This key captures Destination User Session ID
+ - name: dn_src
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that is used in a context that
+ indicates a Source dn
+ - name: org
+ type: keyword
+ description: This key captures the User organization
+ - name: dn_dst
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that used in a context that
+ indicates a Destination dn
+ - name: firstname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: lastname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: user_dept
+ type: keyword
+ description: User's Department Names only
+ - name:
user_sid_src
+ type: keyword
+ description: This key captures Source User Session ID
+ - name: federated_sp
+ type: keyword
+ description: This key is the Federated Service Provider. This is the application
+ requesting authentication.
+ - name: federated_idp
+ type: keyword
+ description: This key is the federated Identity Provider. This is the server
+ providing the authentication.
+ - name: logon_type_desc
+ type: keyword
+ description: This key is used to capture the textual description of an integer
+ logon type as stored in the meta key 'logon.type'.
+ - name: middlename
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: password
+ type: keyword
+ description: This key is for Passwords seen in any session, plain text or encrypted
+ - name: host_role
+ type: keyword
+ description: This key should only be used to capture the role of a Host Machine
+ - name: ldap
+ type: keyword
+ description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
+ t have a clear query or response context"
+ - name: ldap_query
+ type: keyword
+ description: This key is the Search criteria from an LDAP search
+ - name: ldap_response
+ type: keyword
+ description: This key is to capture Results from an LDAP search
+ - name: owner
+ type: keyword
+ description: This is used to capture username the process or service is running
+ as, the author of the task
+ - name: service_account
+ type: keyword
+ description: This key is a windows specific key, used for capturing name of
+ the account a service (referenced in the event) is running under.
Legacy Usage
+ - name: email
+ type: group
+ fields:
+ - name: email_dst
+ type: keyword
+ description: This key is used to capture the Destination email address only,
+ when the destination context is not clear use email
+ - name: email_src
+ type: keyword
+ description: This key is used to capture the source email address only, when
+ the source context is not clear use email
+ - name: subject
+ type: keyword
+ description: This key is used to capture the subject string from an Email only.
+ - name: email
+ type: keyword
+ description: This key is used to capture a generic email address where the source
+ or destination context is not clear
+ - name: trans_from
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: trans_to
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: file
+ type: group
+ fields:
+ - name: privilege
+ type: keyword
+ description: Deprecated, use permissions
+ - name: attachment
+ type: keyword
+ description: This key captures the attachment file name
+ - name: filesystem
+ type: keyword
+ - name: binary
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: filename_dst
+ type: keyword
+ description: This is used to capture name of the file targeted by the action
+ - name: filename_src
+ type: keyword
+ description: This is used to capture name of the parent filename, the file which
+ performed the action
+ - name: filename_tmp
+ type: keyword
+ - name: directory_dst
+ type: keyword
+ description: This key is used to capture the directory of the target process
+ or file
+ - name: directory_src
+ type: keyword
+ description: This key is used to capture the directory of the source process
+ or file
+ - name: file_entropy
+ type: double
+ description: This is used to capture entropy vale of a file
+ - name: file_vendor
+ type: keyword
+ description: This is used to capture Company name of file located in version_info
+ - name: task_name
+ type: keyword
+ description: This is used to capture name of the task
+ - name: web
+ type: group
+ fields:
+ - name: fqdn
+ type: keyword
+ description: Fully Qualified Domain Names
+ - name: web_cookie
+ type: keyword
+ description: This key is used to capture the Web cookies specifically.
+ - name: alias_host
+ type: keyword
+ - name: reputation_num
+ type: double
+ description: Reputation Number of an entity.
Typically used for Web Domains
+ - name: web_ref_domain
+ type: keyword
+ description: Web referer's domain
+ - name: web_ref_query
+ type: keyword
+ description: This key captures Web referer's query portion of the URL
+ - name: remote_domain
+ type: keyword
+ - name: web_ref_page
+ type: keyword
+ description: This key captures Web referer's page information
+ - name: web_ref_root
+ type: keyword
+ description: Web referer's root URL path
+ - name: cn_asn_dst
+ type: keyword
+ - name: cn_rpackets
+ type: keyword
+ - name: urlpage
+ type: keyword
+ - name: urlroot
+ type: keyword
+ - name: p_url
+ type: keyword
+ - name: p_user_agent
+ type: keyword
+ - name: p_web_cookie
+ type: keyword
+ - name: p_web_method
+ type: keyword
+ - name: p_web_referer
+ type: keyword
+ - name: web_extension_tmp
+ type: keyword
+ - name: web_page
+ type: keyword
+ - name: threat
+ type: group
+ fields:
+ - name: threat_category
+ type: keyword
+ description: This key captures Threat Name/Threat Category/Categorization of
+ alert
+ - name: threat_desc
+ type: keyword
+ description: This key is used to capture the threat description from the session
+ directly or inferred
+ - name: alert
+ type: keyword
+ description: This key is used to capture name of the alert
+ - name: threat_source
+ type: keyword
+ description: This key is used to capture source of the threat
+ - name: crypto
+ type: group
+ fields:
+ - name: crypto
+ type: keyword
+ description: This key is used to capture the Encryption Type or Encryption Key
+ only
+ - name: cipher_src
+ type: keyword
+ description: This key is for Source (Client) Cipher
+ - name: cert_subject
+ type: keyword
+ description: This key is used to capture the Certificate organization only
+ - name: peer
+ type: keyword
+ description: This key is for Encryption peer's IP Address
+ - name: cipher_size_src
+ type: long
+ description: This key captures Source (Client) Cipher Size
+ - name: ike
+ type: keyword
+ description: IKE negotiation phase.
+ - name: scheme
+ type: keyword
+ description: This key captures the Encryption scheme used
+ - name: peer_id
+ type: keyword
+ description: "This key is for Encryption peer\u2019s identity"
+ - name: sig_type
+ type: keyword
+ description: This key captures the Signature Type
+ - name: cert_issuer
+ type: keyword
+ - name: cert_host_name
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: cert_error
+ type: keyword
+ description: This key captures the Certificate Error String
+ - name: cipher_dst
+ type: keyword
+ description: This key is for Destination (Server) Cipher
+ - name: cipher_size_dst
+ type: long
+ description: This key captures Destination (Server) Cipher Size
+ - name: ssl_ver_src
+ type: keyword
+ description: Deprecated, use version
+ - name: d_certauth
+ type: keyword
+ - name: s_certauth
+ type: keyword
+ - name: ike_cookie1
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
+ - name: ike_cookie2
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
+ - name: cert_checksum
+ type: keyword
+ - name: cert_host_cat
+ type: keyword
+ description: This key is used for the hostname category value of a certificate
+ - name: cert_serial
+ type: keyword
+ description: This key is used to capture the Certificate serial number only
+ - name: cert_status
+ type: keyword
+ description: This key captures Certificate validation status
+ - name: ssl_ver_dst
+ type: keyword
+ description: Deprecated, use version
+ - name: cert_keysize
+ type: keyword
+ - name: cert_username
+ type: keyword
+ - name: https_insact
+ type: keyword
+ - name: https_valid
+ type: keyword
+ - name: cert_ca
+ type: keyword
+ description: This key is used to capture the Certificate signing authority only
+ - name: cert_common
+ type: keyword
+ description: This key is used to capture the Certificate common name only
+ - name: wireless
+ type: group
+ fields:
+ - name: wlan_ssid
+ type:
keyword
+ description: This key is used to capture the ssid of a Wireless Session
+ - name: access_point
+ type: keyword
+ description: This key is used to capture the access point name.
+ - name: wlan_channel
+ type: long
+ description: This is used to capture the channel names
+ - name: wlan_name
+ type: keyword
+ description: This key captures either WLAN number/name
+ - name: storage
+ type: group
+ fields:
+ - name: disk_volume
+ type: keyword
+ description: A unique name assigned to logical units (volumes) within a physical
+ disk
+ - name: lun
+ type: keyword
+ description: Logical Unit Number.This key is a very useful concept in Storage.
+ - name: pwwn
+ type: keyword
+ description: This uniquely identifies a port on a HBA.
+ - name: physical
+ type: group
+ fields:
+ - name: org_dst
+ type: keyword
+ description: This is used to capture the destination organization based on the
+ GEOPIP Maxmind database.
+ - name: org_src
+ type: keyword
+ description: This is used to capture the source organization based on the GEOPIP
+ Maxmind database.
+ - name: healthcare
+ type: group
+ fields:
+ - name: patient_fname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ type: group
+ fields:
+ - name: host_state
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/packages/radware/0.1.0/dataset/defensepro/manifest.yml b/packages/radware/0.1.0/dataset/defensepro/manifest.yml
new file mode 100644
index 0000000000..062ae7720a
--- /dev/null
+++ b/packages/radware/0.1.0/dataset/defensepro/manifest.yml
@@ -0,0 +1,155 @@
+title: Radware DefensePro logs
+release: experimental
+type: logs
+streams:
+- input: udp
+ title: Radware DefensePro logs
+ description: Collect Radware DefensePro logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - radware-defensepro
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9517
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: tcp
+ title: Radware DefensePro logs
+ description: Collect Radware DefensePro logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - radware-defensepro
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9517
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user:
false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: file
+ title: Radware DefensePro logs
+ description: Collect Radware DefensePro logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/radware-defensepro.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - radware-defensepro
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
diff --git a/packages/radware/0.1.0/docs/README.md b/packages/radware/0.1.0/docs/README.md
new file mode 100644
index 0000000000..cb02a3c81e
--- /dev/null
+++ b/packages/radware/0.1.0/docs/README.md
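Review bot: The `file` input that closes this hunk declares no `template_path`, while the `udp` and `tcp` inputs above it name `udp.yml.hbs` and `tcp.yml.hbs` explicitly; presumably the package tooling falls back to a default template name for file streams, but stating it with one line such as `template_path: <file-input template>` keeps the three streams consistent and makes the dependency visible to the next maintainer. The three `tz_offset` variables are titled `Timezone offset (+HH:mm format)` yet default to `"local"`, which is not of that form; extending the title to `Timezone offset (+HH:mm format, or "local" for the host timezone)` would spare users a guess about what values are accepted. Both points apply identically to the udp, tcp and file sections of this hunk.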
@@ -0,0 +1,780 @@
+# Radware integration
+
+This integration is for Radware device's logs. It includes the following
+datasets for receiving logs over syslog or read from a file:
+- `defensepro` dataset: supports Radware DefensePro logs.
+
+### Defensepro
+
+The `defensepro` dataset collects Radware DefensePro logs.
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
+| dataset.name | Dataset name. | constant_keyword |
+| dataset.namespace | Dataset namespace. | constant_keyword |
+| dataset.type | Dataset type. | constant_keyword |
+| datastream.dataset | Datastream dataset. | constant_keyword |
+| datastream.namespace | Datastream namespace. | constant_keyword |
+| datastream.type | Datastream type. | constant_keyword |
+| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.bytes | Bytes sent from the destination to the source. | long |
+| destination.domain | Destination domain. | keyword |
+| destination.geo.city_name | City name. | keyword |
+| destination.geo.country_name | Country name. | keyword |
+| destination.geo.location.lat | | double |
+| destination.geo.location.lon | | double |
+| destination.ip | IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses. | ip |
+| destination.mac | MAC address of the destination. | keyword |
+| destination.nat.ip | Translated ip of destination based NAT sessions (e.g.
internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
+| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
+| destination.port | Port of the destination. | long |
+| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
+| dns.answers.type | The type of data contained in this resource record. | keyword |
+| dns.question.type | The type of record being queried. | keyword |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
+| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword |
+| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
+| file.extension | File extension. | keyword |
+| file.name | Name of the file including the extension, without the directory. | keyword |
+| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
+| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
+| file.type | File type (file, dir, or symlink). | keyword |
+| geo.city_name | City name.
| keyword |
+| geo.country_name | Country name. | keyword |
+| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| geo.region_name | Region name. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| http.request.method | HTTP request method. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
+| http.request.referrer | Referrer for this HTTP request. | keyword |
+| http.response.body.content | The full HTTP response body. | keyword |
+| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
+| log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`.
| keyword |
+| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
+| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
+| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text |
+| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
+| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
+| network.direction | Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view.
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. | keyword |
+| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
+| network.interface.name | | keyword |
+| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
+| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
+| observer.egress.interface.name | Interface name as reported by the system. | keyword |
+| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
+| observer.product | The product name of the observer. | keyword |
+| observer.version | Observer version. | keyword |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
+| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.pid | Process id. | long |
+| process.ppid | Parent process' pid. | long |
+| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
| keyword |
+| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long |
+| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword |
+| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long |
+| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword |
+| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long |
+| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword |
+| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword |
+| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword |
+| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword |
+| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword |
+| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword |
+| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword |
+| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long |
+| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword |
+| rsa.crypto.cert_checksum | | keyword |
+| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword |
+| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword |
+| rsa.crypto.cert_host_cat | This key is
used for the hostname category value of a certificate | keyword |
+| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword |
+| rsa.crypto.cert_issuer | | keyword |
+| rsa.crypto.cert_keysize | | keyword |
+| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword |
+| rsa.crypto.cert_status | This key captures Certificate validation status | keyword |
+| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword |
+| rsa.crypto.cert_username | | keyword |
+| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword |
+| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long |
+| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long |
+| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword |
+| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword |
+| rsa.crypto.d_certauth | | keyword |
+| rsa.crypto.https_insact | | keyword |
+| rsa.crypto.https_valid | | keyword |
+| rsa.crypto.ike | IKE negotiation phase.
| keyword |
+| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword |
+| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword |
+| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword |
+| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword |
+| rsa.crypto.s_certauth | | keyword |
+| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword |
+| rsa.crypto.sig_type | This key captures the Signature Type | keyword |
+| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword |
+| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword |
+| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword |
+| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword |
+| rsa.db.db_pid | This key captures the process id of a connection with database server | long |
+| rsa.db.index | This key captures IndexID of the index. | keyword |
+| rsa.db.instance | This key is used to capture the database server instance name | keyword |
+| rsa.db.lread | This key is used for the number of logical reads | long |
+| rsa.db.lwrite | This key is used for the number of logical writes | long |
+| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword |
+| rsa.db.pread | This key is used for the number of physical writes | long |
+| rsa.db.table_name | This key is used to capture the table name | keyword |
+| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword |
+| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword |
+| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword |
+| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword |
+| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword |
+| rsa.email.trans_from | Deprecated key defined only in table map. | keyword |
+| rsa.email.trans_to | Deprecated key defined only in table map. | keyword |
+| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on | keyword |
+| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword |
+| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword |
+| rsa.file.attachment | This key captures the attachment file name | keyword |
+| rsa.file.binary | Deprecated key defined only in table map. 
| keyword |
+| rsa.file.directory_dst | This key is used to capture the directory of the target process or file | keyword |
+| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword |
+| rsa.file.file_entropy | This is used to capture entropy vale of a file | double |
+| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword |
+| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword |
+| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword |
+| rsa.file.filename_tmp | | keyword |
+| rsa.file.filesystem | | keyword |
+| rsa.file.privilege | Deprecated, use permissions | keyword |
+| rsa.file.task_name | This is used to capture name of the task | keyword |
+| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword |
+| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword |
+| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword |
+| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword |
+| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword |
+| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword |
+| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword |
+| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword |
+| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword |
+| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword |
+| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword |
+| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword |
+| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword |
+| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword |
+| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.org | This key captures the User organization | keyword |
+| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword |
+| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword |
+| rsa.identity.profile | This key is used to capture the user profile | keyword |
+| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword |
+| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword |
+| rsa.identity.user_dept | User's Department Names only | keyword |
+| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword |
+| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword |
+| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword |
+| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword |
+| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.data | Deprecated key defined only in table map. | keyword |
+| rsa.internal.dead | Deprecated key defined only in table map. | long |
+| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_type_id | Deprecated key defined only in table map. | long |
+| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long |
+| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long |
+| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword |
+| rsa.internal.event_desc | | keyword |
+| rsa.internal.event_name | Deprecated key defined only in table map. | keyword |
+| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip |
+| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.hcode | Deprecated key defined only in table map. | keyword |
+| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.inode | Deprecated key defined only in table map. | long |
+| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date |
+| rsa.internal.level | Deprecated key defined only in table map. | long |
+| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long |
+| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long |
+| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long |
+| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long |
+| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long |
+| rsa.internal.message | This key captures the contents of instant messages | keyword |
+| rsa.internal.messageid | | keyword |
+| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword |
+| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.node_name | Deprecated key defined only in table map. | keyword |
+| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword |
+| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword |
+| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword |
+| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword |
+| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long |
+| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long |
+| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword |
+| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword |
+| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword |
+| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword |
+| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
+| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.site | Deprecated key defined only in table map. | keyword |
+| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
+| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.statement | Deprecated key defined only in table map. | keyword |
+| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date |
+| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long |
+| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long |
+| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword |
+| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword |
+| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword |
+| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword |
+| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword |
+| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword |
+| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword |
+| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword |
+| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword |
+| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword |
+| rsa.investigations.event_cat | This key captures the Event category number | long |
+| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword |
+| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword |
+| rsa.investigations.inv_category | This used to capture investigation category | keyword |
+| rsa.investigations.inv_context | This used to capture investigation context | keyword |
+| rsa.investigations.ioc | This is key capture indicator of compromise | keyword |
+| rsa.misc.OS | This key captures the Name of the Operating System | keyword |
+| rsa.misc.acl_id | | keyword |
+| rsa.misc.acl_op | | keyword |
+| rsa.misc.acl_pos | | keyword |
+| rsa.misc.acl_table | | keyword |
+| rsa.misc.action | | keyword |
+| rsa.misc.admin | | keyword |
+| rsa.misc.agent_id | This key is used to capture agent id | keyword |
+| rsa.misc.alarm_id | | keyword |
+| rsa.misc.alarmname | | keyword |
+| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword |
+| rsa.misc.app_id | | keyword |
+| rsa.misc.audit | | keyword |
+| rsa.misc.audit_object | | keyword |
+| rsa.misc.auditdata | | keyword |
+| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword |
+| rsa.misc.benchmark | | keyword |
+| rsa.misc.bypass | | keyword |
+| rsa.misc.cache | | keyword |
+| rsa.misc.cache_hit | | keyword |
+| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword |
+| rsa.misc.cc_number | Valid Credit Card Numbers only | long |
+| rsa.misc.cefversion | | keyword |
+| rsa.misc.cfg_attr | | keyword |
+| rsa.misc.cfg_obj | | keyword |
+| rsa.misc.cfg_path | | keyword |
+| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword |
+| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword |
+| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword |
+| rsa.misc.changes | | keyword |
+| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword |
+| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword |
+| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword |
+| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword |
+| rsa.misc.client_ip | | keyword |
+| rsa.misc.clustermembers | | keyword |
+| rsa.misc.cmd | | keyword |
+| rsa.misc.cn_acttimeout | | keyword |
+| rsa.misc.cn_asn_src | | keyword |
+| rsa.misc.cn_bgpv4nxthop | | keyword |
+| rsa.misc.cn_ctr_dst_code | | keyword |
+| rsa.misc.cn_dst_tos | | keyword |
+| rsa.misc.cn_dst_vlan | | keyword |
+| rsa.misc.cn_engine_id | | keyword |
+| rsa.misc.cn_engine_type | | keyword |
+| rsa.misc.cn_f_switch | | keyword |
+| rsa.misc.cn_flowsampid | | keyword |
+| rsa.misc.cn_flowsampintv | | keyword |
+| rsa.misc.cn_flowsampmode | | keyword |
+| rsa.misc.cn_inacttimeout | | keyword |
+| rsa.misc.cn_inpermbyts | | keyword |
+| rsa.misc.cn_inpermpckts | | keyword |
+| rsa.misc.cn_invalid | | keyword |
+| rsa.misc.cn_ip_proto_ver | | keyword |
+| rsa.misc.cn_ipv4_ident | | keyword |
+| rsa.misc.cn_l_switch | | keyword |
+| rsa.misc.cn_log_did | | keyword |
+| rsa.misc.cn_log_rid | | keyword |
+| rsa.misc.cn_max_ttl | | keyword |
+| rsa.misc.cn_maxpcktlen | | keyword |
+| rsa.misc.cn_min_ttl | | keyword |
+| rsa.misc.cn_minpcktlen | | keyword |
+| rsa.misc.cn_mpls_lbl_1 | | keyword |
+| rsa.misc.cn_mpls_lbl_10 | | keyword |
+| rsa.misc.cn_mpls_lbl_2 | | keyword |
+| rsa.misc.cn_mpls_lbl_3 | | keyword |
+| rsa.misc.cn_mpls_lbl_4 | | keyword |
+| rsa.misc.cn_mpls_lbl_5 | 
| keyword |
+| rsa.misc.cn_mpls_lbl_6 | | keyword |
+| rsa.misc.cn_mpls_lbl_7 | | keyword |
+| rsa.misc.cn_mpls_lbl_8 | | keyword |
+| rsa.misc.cn_mpls_lbl_9 | | keyword |
+| rsa.misc.cn_mplstoplabel | | keyword |
+| rsa.misc.cn_mplstoplabip | | keyword |
+| rsa.misc.cn_mul_dst_byt | | keyword |
+| rsa.misc.cn_mul_dst_pks | | keyword |
+| rsa.misc.cn_muligmptype | | keyword |
+| rsa.misc.cn_sampalgo | | keyword |
+| rsa.misc.cn_sampint | | keyword |
+| rsa.misc.cn_seqctr | | keyword |
+| rsa.misc.cn_spackets | | keyword |
+| rsa.misc.cn_src_tos | | keyword |
+| rsa.misc.cn_src_vlan | | keyword |
+| rsa.misc.cn_sysuptime | | keyword |
+| rsa.misc.cn_template_id | | keyword |
+| rsa.misc.cn_totbytsexp | | keyword |
+| rsa.misc.cn_totflowexp | | keyword |
+| rsa.misc.cn_totpcktsexp | | keyword |
+| rsa.misc.cn_unixnanosecs | | keyword |
+| rsa.misc.cn_v6flowlabel | | keyword |
+| rsa.misc.cn_v6optheaders | | keyword |
+| rsa.misc.code | | keyword |
+| rsa.misc.command | | keyword |
+| rsa.misc.comments | Comment information provided in the log message | keyword |
+| rsa.misc.comp_class | | keyword |
+| rsa.misc.comp_name | | keyword |
+| rsa.misc.comp_rbytes | | keyword |
+| rsa.misc.comp_sbytes | | keyword |
+| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword |
+| rsa.misc.connection_id | This key captures the Connection ID | keyword |
+| rsa.misc.content | This key captures the content type from protocol headers | keyword |
+| rsa.misc.content_type | This key is used to capture Content Type only. | keyword |
+| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword |
+| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword |
+| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword |
+| rsa.misc.context_target | | keyword |
+| rsa.misc.count | | keyword |
+| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long |
+| rsa.misc.cpu_data | | keyword |
+| rsa.misc.criticality | | keyword |
+| rsa.misc.cs_agency_dst | | keyword |
+| rsa.misc.cs_analyzedby | | keyword |
+| rsa.misc.cs_av_other | | keyword |
+| rsa.misc.cs_av_primary | | keyword |
+| rsa.misc.cs_av_secondary | | keyword |
+| rsa.misc.cs_bgpv6nxthop | | keyword |
+| rsa.misc.cs_bit9status | | keyword |
+| rsa.misc.cs_context | | keyword |
+| rsa.misc.cs_control | | keyword |
+| rsa.misc.cs_data | | keyword |
+| rsa.misc.cs_datecret | | keyword |
+| rsa.misc.cs_dst_tld | | keyword |
+| rsa.misc.cs_eth_dst_ven | | keyword |
+| rsa.misc.cs_eth_src_ven | | keyword |
+| rsa.misc.cs_event_uuid | | keyword |
+| rsa.misc.cs_filetype | | keyword |
+| rsa.misc.cs_fld | | keyword |
+| rsa.misc.cs_if_desc | | keyword |
+| rsa.misc.cs_if_name | | keyword |
+| rsa.misc.cs_ip_next_hop | | keyword |
+| rsa.misc.cs_ipv4dstpre | | keyword |
+| rsa.misc.cs_ipv4srcpre | | keyword |
+| rsa.misc.cs_lifetime | | keyword |
+| rsa.misc.cs_log_medium | | keyword |
+| rsa.misc.cs_loginname | | keyword |
+| rsa.misc.cs_modulescore | | keyword |
+| rsa.misc.cs_modulesign | | keyword |
+| rsa.misc.cs_opswatresult | | keyword |
+| rsa.misc.cs_payload | | keyword |
+| rsa.misc.cs_registrant | | keyword |
+| rsa.misc.cs_registrar | | keyword |
+| rsa.misc.cs_represult | | keyword |
+| rsa.misc.cs_rpayload | | keyword |
+| rsa.misc.cs_sampler_name | | keyword |
+| rsa.misc.cs_sourcemodule | | keyword |
+| rsa.misc.cs_streams | | keyword |
+| rsa.misc.cs_targetmodule | | keyword |
+| rsa.misc.cs_v6nxthop | | keyword |
+| rsa.misc.cs_whois_server | | keyword |
+| rsa.misc.cs_yararesult | | keyword |
+| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword |
+| rsa.misc.data_type | | keyword |
+| rsa.misc.description | | keyword |
+| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword |
+| rsa.misc.devvendor | | keyword |
+| rsa.misc.disposition | This key captures the The end state of an action. | keyword |
+| rsa.misc.distance | | keyword |
+| rsa.misc.doc_number | This key captures File Identification number | long |
+| rsa.misc.dstburb | | keyword |
+| rsa.misc.edomain | | keyword |
+| rsa.misc.edomaub | | keyword |
+| rsa.misc.ein_number | Employee Identification Numbers only | long |
+| rsa.misc.error | This key captures All non successful Error codes or responses | keyword |
+| rsa.misc.euid | | keyword |
+| rsa.misc.event_category | | keyword |
+| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword |
+| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword |
+| rsa.misc.event_id | | keyword |
+| rsa.misc.event_log | This key captures the Name of the event log | keyword |
+| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword |
+| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword |
+| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword |
+| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword |
+| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword |
+| rsa.misc.facility | | keyword |
+| rsa.misc.facilityname | | keyword |
+| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword |
+| rsa.misc.filter | This key captures Filter used to reduce result set | keyword |
+| rsa.misc.finterface | | keyword |
+| rsa.misc.flags | | keyword |
+| rsa.misc.forensic_info | | keyword |
+| rsa.misc.found | This is used to capture the results of regex match | keyword |
+| rsa.misc.fresult | This key captures the Filter Result | long |
+| rsa.misc.gaddr | | keyword |
+| rsa.misc.group | This key captures the Group Name value | keyword |
+| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword |
+| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword |
+| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword |
+| rsa.misc.id3 | | keyword |
+| rsa.misc.im_buddyid | | keyword |
+| rsa.misc.im_buddyname | | keyword |
+| rsa.misc.im_client | | keyword |
+| rsa.misc.im_croomid | | keyword |
+| rsa.misc.im_croomtype | | keyword |
+| rsa.misc.im_members | | keyword |
+| rsa.misc.im_userid | | keyword |
+| rsa.misc.im_username | | keyword |
+| rsa.misc.index | | keyword |
+| rsa.misc.inout | | keyword |
+| rsa.misc.ipkt | | keyword |
+| rsa.misc.ipscat | | keyword |
+| rsa.misc.ipspri | | keyword |
+| rsa.misc.job_num | This key captures the Job Number | keyword |
+| rsa.misc.jobname | | keyword |
+| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword |
+| rsa.misc.latitude | | keyword |
+| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword |
+| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long |
+| rsa.misc.linenum | | keyword |
+| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.misc.list_name | | keyword |
+| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword |
+| rsa.misc.load_data | | keyword |
+| rsa.misc.location_floor | | keyword |
+| rsa.misc.location_mark | | keyword |
+| rsa.misc.log_id | | keyword |
+| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword |
+| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword |
+| rsa.misc.log_type | | keyword |
+| rsa.misc.logid | | keyword |
+| rsa.misc.logip | | keyword |
+| rsa.misc.logname | | keyword |
+| rsa.misc.longitude | | keyword |
+| rsa.misc.lport | | keyword |
+| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword |
+| rsa.misc.match | This key is for regex match name from search.ini | keyword |
+| rsa.misc.mbug_data | | keyword |
+| rsa.misc.message_body | This key captures the The contents of the message body. | keyword |
+| rsa.misc.misc | | keyword |
+| rsa.misc.misc_name | | keyword |
+| rsa.misc.mode | | keyword |
+| rsa.misc.msgIdPart1 | | keyword |
+| rsa.misc.msgIdPart2 | | keyword |
+| rsa.misc.msgIdPart3 | | keyword |
+| rsa.misc.msgIdPart4 | | keyword |
+| rsa.misc.msg_type | | keyword |
+| rsa.misc.msgid | | keyword |
+| rsa.misc.name | | keyword |
+| rsa.misc.netsessid | | keyword |
+| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long 
| +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target **VMWARE** only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | +| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | +| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | +| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | +| rsa.threat.alert | This key is used to capture name of the alert | keyword | +| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | +| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | +| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | +| rsa.time.date | | keyword | +| rsa.time.datetime | | keyword | +| rsa.time.day | | keyword | +| rsa.time.duration_str | A text string version of the duration | keyword | +| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | +| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | +| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | +| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | +| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | +| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | +| rsa.time.eventtime | | keyword | +| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | +| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | +| rsa.time.gmtdate | | keyword | +| rsa.time.gmttime | | keyword | +| rsa.time.hour | | keyword | +| rsa.time.min | | keyword | +| rsa.time.month | | keyword | +| rsa.time.p_date | | keyword | +| rsa.time.p_month | | keyword | +| rsa.time.p_time | | keyword | +| rsa.time.p_time1 | | keyword | +| rsa.time.p_time2 | | keyword | +| rsa.time.p_year | | keyword | +| rsa.time.process_time | Deprecated, use duration.time | keyword | +| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | +| rsa.time.stamp | Deprecated key defined only in table map. | date | +| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | +| rsa.time.timestamp | | keyword | +| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | +| rsa.time.tzone | | keyword | +| rsa.time.year | | keyword | +| rsa.web.alias_host | | keyword | +| rsa.web.cn_asn_dst | | keyword | +| rsa.web.cn_rpackets | | keyword | +| rsa.web.fqdn | Fully Qualified Domain Names | keyword | +| rsa.web.p_url | | keyword | +| rsa.web.p_user_agent | | keyword | +| rsa.web.p_web_cookie | | keyword | +| rsa.web.p_web_method | | keyword | +| rsa.web.p_web_referer | | keyword | +| rsa.web.remote_domain | | keyword | +| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | +| rsa.web.urlpage | | keyword | +| rsa.web.urlroot | | keyword | +| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | Server domain. | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | Source domain. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location.lat | | double | +| source.geo.location.lon | | double | +| source.ip | IP address of the source. Can be one or multiple IPv4 or IPv6 addresses. 
| ip | +| source.mac | MAC address of the source. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword | +| url.path | Path of the request, such as "/search". | keyword | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.id | Unique identifiers of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | diff --git a/packages/radware/0.1.0/img/logo.svg b/packages/radware/0.1.0/img/logo.svg new file mode 100644 index 0000000000..6252efef77 --- /dev/null +++ b/packages/radware/0.1.0/img/logo.svg @@ -0,0 +1,66 @@ + +image/svg+xml \ No newline at end of file diff --git a/packages/radware/0.1.0/manifest.yml b/packages/radware/0.1.0/manifest.yml new file mode 100644 index 0000000000..ccb07daea8 --- /dev/null +++ b/packages/radware/0.1.0/manifest.yml 
@@ -0,0 +1,36 @@
+format_version: 1.0.0
+name: radware
+title: Radware DefensePro
+version: 0.1.0
+description: Radware DefensePro Integration
+categories: ["security"]
+release: experimental
+removable: true
+license: basic
+type: integration
+conditions:
+ kibana:
+ version: '>=7.9.0'
+ elasticsearch:
+ version: '>=7.9.0'
+config_templates:
+- name: defensepro
+ title: Radware DefensePro
+ description: Collect Radware DefensePro logs from syslog or a file.
+ inputs:
+ - type: udp
+ title: Collect logs from Radware DefensePro via UDP
+ description: Collecting syslog from Radware DefensePro via UDP
+ - type: tcp
+ title: Collect logs from Radware DefensePro via TCP
+ description: Collecting syslog from Radware DefensePro via TCP
+ - type: file
+ title: Collect logs from Radware DefensePro via file
+ description: Collecting syslog from Radware DefensePro via file.
+# No icon
+icons:
+ - src: /img/logo.svg
+ title: Radware DefensePro logo
+ size: 32x32
+ type: image/svg+xml
+
diff --git a/packages/rapid7/0.1.0/dataset/nexpose/agent/stream/stream.yml.hbs b/packages/rapid7/0.1.0/dataset/nexpose/agent/stream/stream.yml.hbs
new file mode 100644
index 0000000000..297c2c1489
--- /dev/null
+++ b/packages/rapid7/0.1.0/dataset/nexpose/agent/stream/stream.yml.hbs
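Review bot: The `# No icon` comment sits directly above an `icons:` block that registers `/img/logo.svg`, so the comment is stale the moment it lands and will mislead the next editor; drop it, or make it say what is actually there, e.g. `# Vendor logo, see img/logo.svg`. Separately, the third input is declared as `- type: file` while the first two use the Beats input names `udp` and `tcp`; if the dataset's stream manifest (not in this hunk) names the log input `logfile`, as the Filebeat log input is called, the `defensepro` template would not bind to the file stream, so it is worth confirming the two agree. The hunk is the whole new manifest, so nothing continues outside it.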
@@ -0,0 +1,8270 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Rapid7" + product: "Nexpose" + type: "Vulnerability" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5],
+ "dec": [11, 4],
+ };
+
+ // var dC = undefined;
+ var dR = dateMonthName(true);
+ var dB = dateMonthName(false);
+ var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
+ var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
+ var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
+ var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
+ var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
+ var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
+ var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
+ var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
+ var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
+ var dP = parseAMPM; // AM|PM
+ var dQ = parseAMPM; // A.M.|P.M
+ var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
+ var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
+ var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
+ var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
+ var dZ = parseHMS;
+ var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
+
+ // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
+ // Only works if this modifier appears after the hour has been read from logs
+ // which is always the case in the 300 devices.
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0);
+ };
+ }
+
+ function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.error(fn.name + " failed for '" + value + "'");
+ }
+ };
+ }
+
+ // The following regular expression for parsing URLs from:
+ // https://github.com/wizard04wsu/URI_Parsing
+ //
+ // The MIT License (MIT)
+ //
+ // Copyright (c) 2014 Andrew Harrison
+ //
+ // Permission is hereby granted, free of charge, to any person obtaining a copy of
+ // this software and associated documentation files (the "Software"), to deal in
+ // the Software without restriction, including without limitation the rights to
+ // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ // the Software, and to permit persons to whom the Software is furnished to do so,
+ // subject to the following conditions:
+ //
+ // The above copyright notice and this permission notice shall be included in all
+ // copies or substantial portions of the Software.
+ //
+ // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+ // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+ // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+ // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+ var uriScheme = 1;
+ var uriDomain = 5;
+ var uriPort = 6;
+ var uriPath = 7;
+ var uriPathAlt = 9;
+ var uriQuery = 11;
+
+ function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+ }
+
+ function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+ }
+
+ function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+ }
+
+ var extFromPage = /\.[^.]+$/;
+ function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+ }
+
+ function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+ }
+
+ function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+ }
+
+ var pageFromPathRegExp = /\/([^\/]+)$/;
+ var pageName = 1;
+
+ function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+ }
+
+ function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+ }
+
+ function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+ }
+
+ function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+ }
+
+ // Map common schemes to their default port.
+ // port has to be a string (will be converted at a later stage).
+ var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+ };
+
+ function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+ }
+
+ function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+ }
+
+ function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+ }
+
+ function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+ }
+
+ function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+ }
+
+ function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+ }
+
+ var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field:
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]},
+ "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
+ "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
+ "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
+ "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
+ "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
+ "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
+ "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
+ "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
+ "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
+ "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
+ "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
+ "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
+ "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
+ "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
+ "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
+ "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
+ "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
+ "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
+ "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
+ "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
+ "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
+ "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
+ "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
+ "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
+ "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
+ "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]},
+ "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
+ "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
+ "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
+ "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
+ "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
+ "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
+ "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
+ "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
+ "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
+ "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
+ "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
+ "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
+ "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
+ "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
+ "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
+ "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
+ "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
+ "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
+ "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
+ "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
+ "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
+ "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
+ "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
+ "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
+ "number": {to:[{field: "rsa.misc.number", setter: fld_set}]},
+ "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
+ "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
+ "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
+ "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
+ 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
+ "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
+ "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
+ "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
+ "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
+ "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
+ "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
+ "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
+ "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
+ "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
+ "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
+ "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
+ "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
+ "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
+ "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
+ "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
+ "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
+ "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
+ "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
+ "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
+ "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
+ "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
+ "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
+ "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
+ "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
+ "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
+ "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
+ "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]},
+ "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
+ "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
+ "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
+ "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
+ "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
+ "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
+ "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
+ "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
+ "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
+ "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
+ "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
+ "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
+ "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
+ "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
+ "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
+ "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
+ "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
+ "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
+ "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
+ "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
+ "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
+ "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
+ "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
+ "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
+ "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
+ "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
+ "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]},
+ "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
+ "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
+ "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
+ "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
+ "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
+ "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
+ "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
+ "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
+ "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
+ "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
+ "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
+ "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
+ "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
+ "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
+ "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
+ "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
+ "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
+ "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
+ "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
+ "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
+ "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
+ "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
+ "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
+ "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
+ "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
+ "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
+ "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]},
+ "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
+ "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
+ "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
+ "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
+ "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
+ "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
+ "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
+ "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
+ "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
+ "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
+ "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
+ "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
+ "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
+ "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
+ "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
+ "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
+ "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
+ "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
+ "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
+ "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
+ "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]},
+ "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
+ "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
+ "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
+ 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
+ "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
+ "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
+ "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
+ "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
+ "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
+ "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
+ "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
+ "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
+ "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
+ "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
+ "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
+ "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
+ "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
+ "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
+ "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
+ "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
+ "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
+ "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
+ "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
+ "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
+ "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
+ "second": {to:[{field: "rsa.misc.second", setter: fld_set}]},
+ "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
+ "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
+ "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
+ "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} [%{p0}"); + + var dup2 = match("HEADER#1:0022/1_1", "nwparser.p0", "%{hpriority}][%{p0}"); + + var dup3 = match("HEADER#1:0022/1_2", "nwparser.p0", "%{hpriority}[%{p0}"); + + var dup4 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": "), + field("payload"), + ], + }); + + var dup5 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("payload"), + ], + }); + + var dup6 = match("HEADER#18:0034/0", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}]%{p0}"); + + var dup7 = match("HEADER#18:0034/1_0", "nwparser.p0", " [%{p0}"); + + var dup8 = match("HEADER#18:0034/1_1", "nwparser.p0", "[%{p0}"); + + var dup9 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": "), + field("hfld1"), + constant(" "), + field("payload"), + ], + }); + + var dup10 = call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant("_"), + field("msgIdPart2"), + ], + }); + + var dup11 = setc("eventcategory","1614000000"); + + var dup12 = setc("ec_activity","Scan"); + + var dup13 = setc("ec_theme","TEV"); + + var dup14 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup15 = setf("msg","$MSG"); + + var dup16 = setf("obj_name","hobj_name"); + + var dup17 = setc("obj_type","Asset"); + + var dup18 = setc("eventcategory","1614030000"); + + var dup19 = setc("ec_outcome","Error"); + + var dup20 = setc("eventcategory","1605000000"); + + var dup21 = setc("ec_activity","Start"); + + var dup22 = setc("ec_outcome","Success"); + + var dup23 = setc("eventcategory","1611000000"); + + var dup24 = setc("ec_activity","Stop"); + + var dup25 = setc("action","Shutting down"); + + var dup26 = setc("action","shutting down"); + 
+ var dup27 = setc("ec_outcome","Failure"); + + var dup28 = match("MESSAGE#17:NSE:01/0", "nwparser.payload", "%{} %{p0}"); + + var dup29 = setf("fld17","hfld17"); + + var dup30 = setf("group_object","hsite"); + + var dup31 = setf("shost","hshost"); + + var dup32 = setf("sport","hsport"); + + var dup33 = setf("protocol","hprotocol"); + + var dup34 = setf("fld18","hinfo"); + + var dup35 = setc("ec_subject","Service"); + + var dup36 = setc("event_description","Nexpose is changing the database port number"); + + var dup37 = setc("event_state","DONE"); + + var dup38 = setc("event_description","Nexpose is executing data transfer process"); + + var dup39 = setc("event_description","Nexpose is installing the database"); + + var dup40 = match("MESSAGE#52:Scan:06/0", "nwparser.payload", "Scan: [ %{p0}"); + + var dup41 = match("MESSAGE#52:Scan:06/1_0", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + + var dup42 = match("MESSAGE#52:Scan:06/1_1", "nwparser.p0", "%{saddr->} %{p0}"); + + var dup43 = setc("ec_outcome","Unknown"); + + var dup44 = setc("eventcategory","1701000000"); + + var dup45 = setc("ec_subject","User"); + + var dup46 = setc("ec_activity","Logon"); + + var dup47 = setc("ec_theme","Authentication"); + + var dup48 = setc("eventcategory","1401030000"); + + var dup49 = setc("ec_subject","NetworkComm"); + + var dup50 = setc("ec_subject","Group"); + + var dup51 = setc("ec_activity","Detect"); + + var dup52 = setc("ec_theme","Configuration"); + + var dup53 = setc("eventcategory","1801010000"); + + var dup54 = setf("obj_type","messageid"); + + var dup55 = setc("event_description","Cannot preload incremental pool with a connection"); + + var dup56 = setc("eventcategory","1605030000"); + + var dup57 = setc("ec_activity","Modify"); + + var dup58 = setc("action","Replaced conf values"); + + var dup59 = setc("service","fld1"); + + var dup60 = linear_select([ + dup7, + dup8, + ]); + + var dup61 = match("MESSAGE#416:Nexpose:12", "nwparser.payload", "%{event_description}", 
processor_chain([ + dup20, + dup14, + dup15, + ])); + + var dup62 = match("MESSAGE#46:SPIDER", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, + ])); + + var dup63 = linear_select([ + dup41, + dup42, + ]); + + var dup64 = match("MESSAGE#93:Attempting", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var dup65 = match("MESSAGE#120:path", "nwparser.payload", "%{info}", processor_chain([ + dup20, + dup15, + ])); + + var dup66 = match("MESSAGE#318:Loaded:01", "nwparser.payload", "%{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var dup67 = match("MESSAGE#236:Finished:03", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup15, + ])); + + var dup68 = match("MESSAGE#418:Mobile", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup25, + ])); + + var dup69 = match("MESSAGE#435:ConsoleProductInfoProvider", "nwparser.payload", "%{fld1->} %{action}", processor_chain([ + dup20, + dup14, + dup15, + dup59, + ])); + + var hdr1 = match("HEADER#0:0031", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] %{hfld39}[Thread: %{messageid}] [Started: %{hfld40}] [Duration: %{hfld41}] %{payload}", processor_chain([ + setc("header_id","0031"), + ])); + + var part1 = match("HEADER#1:0022/1_0", "nwparser.p0", "%{hpriority}] %{hfld39}[%{p0}"); + + var select1 = linear_select([ + part1, + dup2, + dup3, + ]); + + var part2 = match("HEADER#1:0022/2", "nwparser.p0", "Thread: %{hfld17}] %{messageid->} %{payload}"); + + var all1 = all_match({ + processors: [ + dup1, + select1, + part2, + ], + on_success: processor_chain([ + setc("header_id","0022"), + ]), + }); + + var hdr2 = match("HEADER#2:0028", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] %{messageid}: %{payload}", 
processor_chain([ + setc("header_id","0028"), + dup4, + ])); + + var hdr3 = match("HEADER#3:0017", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0017"), + dup5, + ])); + + var hdr4 = match("HEADER#4:0024", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] %{hfld41->} %{messageid->} completed %{payload}", processor_chain([ + setc("header_id","0024"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" completed "), + field("payload"), + ], + }), + ])); + + var hdr5 = match("HEADER#5:0018", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}:%{hsport}/%{hprotocol}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0018"), + dup5, + ])); + + var hdr6 = match("HEADER#6:0029", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Silo ID: %{hfld22}] [Site: %{hsite}] [Site ID: %{hinfo}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0029"), + dup5, + ])); + + var hdr7 = match("HEADER#7:0019", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0019"), + dup5, + ])); + + var hdr8 = match("HEADER#8:0020", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}:%{hsport}/%{hprotocol}] [%{hinfo}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0020"), + dup5, + ])); + + var hdr9 = match("HEADER#9:0021", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}] [%{hinfo}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0021"), + dup5, + ])); + + var 
hdr10 = match("HEADER#10:0023", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}] [%{hinfo}]: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0023"), + dup5, + ])); + + var hdr11 = match("HEADER#11:0036", "message", "%NEXPOSE-%{hfld49}: %{hfld1}: %{messageid->} %{hfld2->} %{payload}", processor_chain([ + setc("header_id","0036"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("hfld2"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr12 = match("HEADER#12:0001", "message", "%NEXPOSE-%{hfld49}: %{messageid->} %{hdate}T%{htime->} [%{hobj_name}] %{payload}", processor_chain([ + setc("header_id","0001"), + ])); + + var hdr13 = match("HEADER#13:0037", "message", "%NEXPOSE-%{hfld49}: %{messageid->} %{hfld1->} '%{hfld2}' - %{hfld1->} %{payload}", processor_chain([ + setc("header_id","0037"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("hfld1"), + constant(" '"), + field("hfld2"), + constant("' - "), + field("hfld1"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr14 = match("HEADER#14:0002", "message", "%NEXPOSE-%{hfld49}: %{messageid->} %{hdate}T%{htime->} %{payload}", processor_chain([ + setc("header_id","0002"), + ])); + + var hdr15 = match("HEADER#15:0003", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] (%{hfld41}) %{messageid->} %{payload}", processor_chain([ + setc("header_id","0003"), + dup5, + ])); + + var hdr16 = match("HEADER#16:0030", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] %{messageid}: %{payload}", processor_chain([ + setc("header_id","0030"), + dup4, + ])); + + var hdr17 = match("HEADER#17:0040", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Principal: %{username}] [%{messageid}: %{payload}", 
processor_chain([ + setc("header_id","0040"), + ])); + + var part3 = match("HEADER#18:0034/2", "nwparser.p0", "Thread: %{hfld17}] [%{hfld18}] [%{hfld19}] %{messageid->} %{hfld21->} %{payload}"); + + var all2 = all_match({ + processors: [ + dup6, + dup60, + part3, + ], + on_success: processor_chain([ + setc("header_id","0034"), + ]), + }); + + var part4 = match("HEADER#19:0035/1_0", "nwparser.p0", "%{hpriority}] [%{p0}"); + + var select2 = linear_select([ + part4, + dup2, + dup3, + ]); + + var part5 = match("HEADER#19:0035/2", "nwparser.p0", "Thread: %{hfld17}] [%{hfld18}] %{messageid->} %{hfld21->} %{payload}"); + + var all3 = all_match({ + processors: [ + dup1, + select2, + part5, + ], + on_success: processor_chain([ + setc("header_id","0035"), + ]), + }); + + var hdr18 = match("HEADER#20:0004", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + dup5, + ])); + + var part6 = match("HEADER#21:0032/2", "nwparser.p0", "Thread: %{hfld17}] [Silo ID: %{hfld18}] [Report: %{hobj_name}] [%{messageid->} Config ID: %{hfld19}] %{payload}"); + + var all4 = all_match({ + processors: [ + dup6, + dup60, + part6, + ], + on_success: processor_chain([ + setc("header_id","0032"), + ]), + }); + + var hdr19 = match("HEADER#22:0038", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{messageid}: %{hfld1->} %{payload}", processor_chain([ + setc("header_id","0038"), + dup9, + ])); + + var hdr20 = match("HEADER#23:0039", "message", "%NEXPOSE-%{hfld49}: %{messageid}: %{hfld1->} %{payload}", processor_chain([ + setc("header_id","0039"), + dup9, + ])); + + var hdr21 = match("HEADER#24:0005", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld48->} %{hfld41->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0005"), + dup5, + ])); + + var hdr22 = match("HEADER#25:0006", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] 
[%{messageid}] %{payload}", processor_chain([ + setc("header_id","0006"), + ])); + + var part7 = match("HEADER#26:0033/2", "nwparser.p0", "Thread: %{hfld17}] [%{hfld18}] [%{hfld19}] [%{p0}"); + + var part8 = match("HEADER#26:0033/3_0", "nwparser.p0", "%{hfld20}] [%{hfld21}] [%{hfld22}] [%{hfld23}]%{p0}"); + + var part9 = match("HEADER#26:0033/3_1", "nwparser.p0", "%{hfld20}] [%{hfld21}]%{p0}"); + + var part10 = match("HEADER#26:0033/3_2", "nwparser.p0", "%{hfld20}]%{p0}"); + + var select3 = linear_select([ + part8, + part9, + part10, + ]); + + var part11 = match("HEADER#26:0033/4", "nwparser.p0", "%{} %{messageid->} %{hfld24->} %{payload}"); + + var all5 = all_match({ + processors: [ + dup6, + dup60, + part7, + select3, + part11, + ], + on_success: processor_chain([ + setc("header_id","0033"), + ]), + }); + + var hdr23 = match("HEADER#27:0007", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0007"), + dup5, + ])); + + var hdr24 = match("HEADER#28:0008", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] (%{messageid}) %{payload}", processor_chain([ + setc("header_id","0008"), + ])); + + var hdr25 = match("HEADER#29:0009", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{fld41->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0009"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("fld41"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr26 = match("HEADER#30:0010", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{messageid}: %{payload}", processor_chain([ + setc("header_id","0010"), + dup4, + ])); + + var hdr27 = match("HEADER#31:0011", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} %{messageid}(%{hobj_name}): %{payload}", processor_chain([ + setc("header_id","0011"), + ])); + + var 
hdr28 = match("HEADER#32:0012", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} %{hfld41->} %{hfld42->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0012"), + dup5, + ])); + + var hdr29 = match("HEADER#33:0013", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld45->} (%{hfld46}) - %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{payload}", processor_chain([ + setc("header_id","0013"), + call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant("_"), + field("msgIdPart2"), + constant("_"), + field("msgIdPart3"), + ], + }), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld45"), + constant(" ("), + field("hfld46"), + constant(") - "), + field("msgIdPart1"), + constant(" "), + field("msgIdPart2"), + constant(" "), + field("msgIdPart3"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr30 = match("HEADER#34:0014", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld45->} (%{hfld46}) - %{msgIdPart1->} %{msgIdPart2->} %{payload}", processor_chain([ + setc("header_id","0014"), + dup10, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld45"), + constant(" ("), + field("hfld46"), + constant(") - "), + field("msgIdPart1"), + constant(" "), + field("msgIdPart2"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr31 = match("HEADER#35:0015", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld45->} (%{hfld46}) - %{messageid->} %{payload}", processor_chain([ + setc("header_id","0015"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld45"), + constant(" ("), + field("hfld46"), + constant(") - "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr32 = match("HEADER#36:0016", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld45->} 
(%{hfld46}) - %{msgIdPart1->} %{msgIdPart2}(U) %{payload}", processor_chain([ + setc("header_id","0016"), + dup10, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld45"), + constant(" ("), + field("hfld46"), + constant(") - "), + field("msgIdPart1"), + constant(" "), + field("msgIdPart2"), + constant("(U) "), + field("payload"), + ], + }), + ])); + + var hdr33 = match("HEADER#37:0026", "message", "%NEXPOSE-%{hfld49}: %{messageid->} Constructor threw %{payload}", processor_chain([ + setc("header_id","0026"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" Constructor threw "), + field("payload"), + ], + }), + ])); + + var hdr34 = match("HEADER#38:0027", "message", "%NEXPOSE-%{hfld49}: %{messageid->} Called method %{payload}", processor_chain([ + setc("header_id","0027"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" Called method "), + field("payload"), + ], + }), + ])); + + var hdr35 = match("HEADER#39:0025", "message", "%NEXPOSE-%{hfld49}: %{hfld41->} %{hfld42->} %{messageid->} frames %{payload}", processor_chain([ + setc("header_id","0025"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" frames "), + field("payload"), + ], + }), + ])); + + var hdr36 = match("HEADER#40:9999", "message", "%NEXPOSE-%{hfld49}: %{payload}", processor_chain([ + setc("header_id","9999"), + setc("messageid","NEXPOSE_GENERIC"), + ])); + + var select4 = linear_select([ + hdr1, + all1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, + hdr10, + hdr11, + hdr12, + hdr13, + hdr14, + hdr15, + hdr16, + hdr17, + all2, + all3, + hdr18, + all4, + hdr19, + hdr20, + hdr21, + hdr22, + all5, + hdr23, + hdr24, + hdr25, + hdr26, + hdr27, + hdr28, + hdr29, + hdr30, + hdr31, + hdr32, + hdr33, + hdr34, + hdr35, + hdr36, + ]); + + var part12 = match("MESSAGE#0:NOT_VULNERABLE_VERSION", "nwparser.payload", "%{signame->} - NOT 
VULNERABLE VERSION .", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg1 = msg("NOT_VULNERABLE_VERSION", part12); + + var part13 = match("MESSAGE#1:VULNERABLE_VERSION", "nwparser.payload", "%{signame->} - VULNERABLE VERSION .", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg2 = msg("VULNERABLE_VERSION", part13); + + var part14 = match("MESSAGE#2:NOT_VULNERABLE", "nwparser.payload", "%{signame->} - NOT VULNERABLE [UNIQUE ID: %{fld45}]", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg3 = msg("NOT_VULNERABLE", part14); + + var part15 = match("MESSAGE#3:NOT_VULNERABLE:01", "nwparser.payload", "%{signame->} - NOT VULNERABLE(U) [UNIQUE ID: %{fld45}]", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg4 = msg("NOT_VULNERABLE:01", part15); + + var part16 = match("MESSAGE#4:NOT_VULNERABLE:02", "nwparser.payload", "%{signame->} - NOT VULNERABLE .", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg5 = msg("NOT_VULNERABLE:02", part16); + + var select5 = linear_select([ + msg3, + msg4, + msg5, + ]); + + var part17 = match("MESSAGE#5:VULNERABLE", "nwparser.payload", "%{signame->} - VULNERABLE [UNIQUE ID: %{fld45}]", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg6 = msg("VULNERABLE", part17); + + var part18 = match("MESSAGE#6:VULNERABLE:01", "nwparser.payload", "%{signame->} - VULNERABLE .", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg7 = msg("VULNERABLE:01", part18); + + var select6 = linear_select([ + msg6, + msg7, + ]); + + var part19 = match("MESSAGE#7:ERROR", "nwparser.payload", "%{signame->} - ERROR [UNIQUE ID: %{fld45}] - %{context}", processor_chain([ + dup18, + dup12, + dup13, + dup19, + dup14, + dup15, + dup16, + 
dup17, + ])); + + var msg8 = msg("ERROR", part19); + + var part20 = match("MESSAGE#8:ERROR:01", "nwparser.payload", "%{signame->} - ERROR - %{context}", processor_chain([ + dup18, + dup12, + dup13, + dup19, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg9 = msg("ERROR:01", part20); + + var select7 = linear_select([ + msg8, + msg9, + ]); + + var part21 = match("MESSAGE#9:ExtMgr", "nwparser.payload", "Initialization successful.%{}", processor_chain([ + dup20, + dup21, + dup13, + dup22, + dup14, + dup15, + setc("event_description","Initialization successful"), + ])); + + var msg10 = msg("ExtMgr", part21); + + var part22 = match("MESSAGE#10:ExtMgr:01", "nwparser.payload", "initializing...%{}", processor_chain([ + dup20, + dup21, + dup13, + dup14, + dup15, + setc("event_description","initializing"), + ])); + + var msg11 = msg("ExtMgr:01", part22); + + var part23 = match("MESSAGE#11:ExtMgr:02", "nwparser.payload", "Shutdown successful.%{}", processor_chain([ + dup23, + dup24, + dup13, + dup22, + dup14, + dup15, + setc("event_description","Shutdown successful."), + ])); + + var msg12 = msg("ExtMgr:02", part23); + + var part24 = match("MESSAGE#12:ExtMgr:03", "nwparser.payload", "Shutting down...%{}", processor_chain([ + dup23, + dup24, + dup13, + dup14, + dup15, + dup25, + ])); + + var msg13 = msg("ExtMgr:03", part24); + + var select8 = linear_select([ + msg10, + msg11, + msg12, + msg13, + ]); + + var part25 = match("MESSAGE#13:ScanMgr", "nwparser.payload", "Shutting down %{info}", processor_chain([ + dup20, + dup24, + dup13, + dup14, + dup15, + dup25, + ])); + + var msg14 = msg("ScanMgr", part25); + + var part26 = match("MESSAGE#14:ScanMgr:01", "nwparser.payload", "shutting down...%{}", processor_chain([ + dup23, + dup24, + dup13, + dup14, + dup15, + dup26, + ])); + + var msg15 = msg("ScanMgr:01", part26); + + var part27 = match("MESSAGE#15:ScanMgr:02", "nwparser.payload", "Scan %{fld30->} is being stopped.", processor_chain([ + dup20, + dup12, + dup13, + dup27, + 
dup14, + dup15, + ])); + + var msg16 = msg("ScanMgr:02", part27); + + var select9 = linear_select([ + msg14, + msg15, + msg16, + ]); + + var part28 = match("MESSAGE#16:NSE", "nwparser.payload", "Logging initialized %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Logging initialized"), + ])); + + var msg17 = msg("NSE", part28); + + var part29 = match("MESSAGE#17:NSE:01/1_0", "nwparser.p0", "Initializing %{p0}"); + + var part30 = match("MESSAGE#17:NSE:01/1_1", "nwparser.p0", "initializing %{p0}"); + + var select10 = linear_select([ + part29, + part30, + ]); + + var part31 = match("MESSAGE#17:NSE:01/2", "nwparser.p0", "%{} %{fld30}"); + + var all6 = all_match({ + processors: [ + dup28, + select10, + part31, + ], + on_success: processor_chain([ + dup20, + dup14, + dup15, + setc("action","Initializing"), + ]), + }); + + var msg18 = msg("NSE:01", all6); + + var part32 = match("MESSAGE#18:NSE:02", "nwparser.payload", "shutting down %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + dup26, + ])); + + var msg19 = msg("NSE:02", part32); + + var part33 = match("MESSAGE#19:NSE:03", "nwparser.payload", "NeXpose scan engine initialization completed.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","NeXpose scan engine initialization completed."), + ])); + + var msg20 = msg("NSE:03", part33); + + var part34 = match("MESSAGE#20:NSE:04", "nwparser.payload", "disabling promiscuous on all devices...%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","disabling promiscuous on all devices"), + ])); + + var msg21 = msg("NSE:04", part34); + + var part35 = match("MESSAGE#213:NSE:05", "nwparser.payload", "NSE connection failure%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg22 = msg("NSE:05", part35); + + var part36 = match("MESSAGE#328:NSE:07", "nwparser.payload", "NSE DN is %{info}", processor_chain([ + dup20, + dup14, + 
dup15, + ])); + + var msg23 = msg("NSE:07", part36); + + var select11 = linear_select([ + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + ]); + + var part37 = match("MESSAGE#21:Console", "nwparser.payload", "NSE Name: %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg24 = msg("Console", part37); + + var part38 = match("MESSAGE#22:Console:01", "nwparser.payload", "NSE Identifier: %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg25 = msg("Console:01", part38); + + var part39 = match("MESSAGE#23:Console:02", "nwparser.payload", "NSE version: %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg26 = msg("Console:02", part39); + + var part40 = match("MESSAGE#24:Console:03", "nwparser.payload", "Last update: %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg27 = msg("Console:03", part40); + + var part41 = match("MESSAGE#25:Console:04", "nwparser.payload", "VM version: %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg28 = msg("Console:04", part41); + + var part42 = match("MESSAGE#26:Console:05", "nwparser.payload", "log rotation completed%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","log rotation completed"), + ])); + + var msg29 = msg("Console:05", part42); + + var part43 = match("MESSAGE#27:Console:06", "nwparser.payload", "rotating logs...%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","rotating logs"), + ])); + + var msg30 = msg("Console:06", part43); + + var select12 = linear_select([ + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + ]); + + var part44 = match("MESSAGE#28:ProtocolFper", "nwparser.payload", "Loaded %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Loaded"), + ])); + + var msg31 = msg("ProtocolFper", part44); + + var part45 = match("MESSAGE#29:Nexpose", "nwparser.payload", "Closing service: %{fld30}", processor_chain([ + dup20, + 
dup35, + dup24, + dup14, + dup15, + dup16, + dup17, + setc("action","Closing service"), + ])); + + var msg32 = msg("Nexpose", part45); + + var part46 = match("MESSAGE#30:Nexpose:01", "nwparser.payload", "Freeing %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, + setc("action","Freeing"), + ])); + + var msg33 = msg("Nexpose:01", part46); + + var part47 = match("MESSAGE#31:Nexpose:02", "nwparser.payload", "starting %{fld30}", processor_chain([ + dup11, + dup12, + dup13, + dup22, + dup14, + dup15, + dup16, + dup17, + setc("action","starting"), + ])); + + var msg34 = msg("Nexpose:02", part47); + + var part48 = match("MESSAGE#32:Nexpose:03", "nwparser.payload", "%{fld31->} nodes completed, %{fld32->} active, %{fld33->} pending.", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg35 = msg("Nexpose:03", part48); + + var part49 = match("MESSAGE#373:Backup_completed", "nwparser.payload", "Nexpose system backup completed successfully in %{info}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Backup completed"), + ])); + + var msg36 = msg("Backup_completed", part49); + + var part50 = match("MESSAGE#408:Nexpose:04", "nwparser.payload", "Nexpose is changing the database port number from %{change_old->} to %{change_new}. 
DONE.", processor_chain([ + dup20, + dup14, + dup15, + dup36, + dup37, + ])); + + var msg37 = msg("Nexpose:04", part50); + + var part51 = match("MESSAGE#409:Nexpose:05", "nwparser.payload", "Nexpose is changing the database port number from %{change_old->} to %{change_new}.", processor_chain([ + dup20, + dup14, + dup15, + dup36, + ])); + + var msg38 = msg("Nexpose:05", part51); + + var part52 = match("MESSAGE#410:Nexpose:06", "nwparser.payload", "Nexpose is executing the data transfer process from %{change_old->} to %{change_new->} DONE.", processor_chain([ + dup20, + dup14, + dup15, + dup38, + dup37, + ])); + + var msg39 = msg("Nexpose:06", part52); + + var part53 = match("MESSAGE#411:Nexpose:07", "nwparser.payload", "Nexpose is executing the data transfer process from %{change_old->} to %{change_new}", processor_chain([ + dup20, + dup14, + dup15, + dup38, + ])); + + var msg40 = msg("Nexpose:07", part53); + + var part54 = match("MESSAGE#412:Nexpose:08", "nwparser.payload", "Nexpose is installing the %{db_name->} database. 
DONE.", processor_chain([ + dup20, + dup14, + dup15, + dup39, + dup37, + ])); + + var msg41 = msg("Nexpose:08", part54); + + var part55 = match("MESSAGE#413:Nexpose:09", "nwparser.payload", "Nexpose is installing the %{db_name->} database to %{directory->} using PostgreSQL binaries from package %(unknown).%{fld1}.", processor_chain([ + dup20, + dup14, + dup15, + dup39, + ])); + + var msg42 = msg("Nexpose:09", part55); + + var part56 = match("MESSAGE#414:Nexpose:10", "nwparser.payload", "Nexpose is moving %{change_old->} to %{change_new}.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Nexpose is moving a directory"), + ])); + + var msg43 = msg("Nexpose:10", part56); + + var part57 = match("MESSAGE#415:Nexpose:11", "nwparser.payload", "%{event_description->} DONE.", processor_chain([ + dup20, + dup14, + dup15, + dup37, + ])); + + var msg44 = msg("Nexpose:11", part57); + + var msg45 = msg("Nexpose:12", dup61); + + var select13 = linear_select([ + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, + msg45, + ]); + + var part58 = match("MESSAGE#33:Shutting", "nwparser.payload", "Shutting down %{fld30}", processor_chain([ + dup23, + dup14, + dup15, + dup16, + dup17, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + dup25, + ])); + + var msg46 = msg("Shutting", part58); + + var part59 = match("MESSAGE#34:shutting:01", "nwparser.payload", "Interrupted, %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg47 = msg("shutting:01", part59); + + var part60 = match("MESSAGE#35:shutting", "nwparser.payload", "shutting down %{fld30}", processor_chain([ + dup23, + dup14, + dup15, + dup16, + dup17, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + dup26, + ])); + + var msg48 = msg("shutting", part60); + + var part61 = match("MESSAGE#36:Shutdown", "nwparser.payload", "Shutdown successful.%{}", processor_chain([ + dup23, + dup14, + dup15, + dup16, + 
dup17, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + dup25, + ])); + + var msg49 = msg("Shutdown", part61); + + var part62 = match("MESSAGE#37:Security", "nwparser.payload", "Security Console shutting down.%{}", processor_chain([ + dup23, + dup14, + dup15, + dup29, + dup25, + ])); + + var msg50 = msg("Security", part62); + + var part63 = match("MESSAGE#261:Security:02", "nwparser.payload", "Security Console restarting from an auto-update%{}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg51 = msg("Security:02", part63); + + var part64 = match("MESSAGE#296:Security:06", "nwparser.payload", "Started: %{fld1}] [Duration: %{fld2}] Security Console started", processor_chain([ + dup20, + dup15, + ])); + + var msg52 = msg("Security:06", part64); + + var part65 = match("MESSAGE#297:Security:03/0", "nwparser.payload", "%{}Security Console %{p0}"); + + var part66 = match("MESSAGE#297:Security:03/1_0", "nwparser.p0", "started %{}"); + + var part67 = match("MESSAGE#297:Security:03/1_1", "nwparser.p0", "web interface ready. %{info->} "); + + var select14 = linear_select([ + part66, + part67, + ]); + + var all7 = all_match({ + processors: [ + part65, + select14, + ], + on_success: processor_chain([ + dup20, + dup15, + ]), + }); + + var msg53 = msg("Security:03", all7); + + var part68 = match("MESSAGE#426:Security:04", "nwparser.payload", "Security Console is launching in Maintenance Mode. 
%{action}.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Security Console is launching in Maintenance Mode"), + ])); + + var msg54 = msg("Security:04", part68); + + var part69 = match("MESSAGE#427:Security:05", "nwparser.payload", "Security Console update failed.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Security Console update failed"), + ])); + + var msg55 = msg("Security:05", part69); + + var select15 = linear_select([ + msg50, + msg51, + msg52, + msg53, + msg54, + msg55, + ]); + + var part70 = match("MESSAGE#38:Web", "nwparser.payload", "Web server stopped%{}", processor_chain([ + dup23, + dup14, + dup15, + dup16, + dup17, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("action","Stopped"), + ])); + + var msg56 = msg("Web", part70); + + var part71 = match("MESSAGE#304:Web:02", "nwparser.payload", "Web %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg57 = msg("Web:02", part71); + + var select16 = linear_select([ + msg56, + msg57, + ]); + + var part72 = match("MESSAGE#39:Done", "nwparser.payload", "Done shutting down.%{}", processor_chain([ + dup23, + dup14, + dup15, + dup16, + dup17, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + dup26, + ])); + + var msg58 = msg("Done", part72); + + var part73 = match("MESSAGE#282:Done:02", "nwparser.payload", "Done with statistics generation [Started: %{fld1}] [Duration: %{fld2}].", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg59 = msg("Done:02", part73); + + var select17 = linear_select([ + msg58, + msg59, + ]); + + var part74 = match("MESSAGE#40:Queueing:01", "nwparser.payload", "Queueing %{protocol->} port scan", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg60 = msg("Queueing:01", part74); + + var part75 = match("MESSAGE#41:Queueing", "nwparser.payload", "Queueing %{fld30}", processor_chain([ + dup20, + dup14, + 
dup15, + dup16, + dup17, + setc("action","Queueing"), + ])); + + var msg61 = msg("Queueing", part75); + + var select18 = linear_select([ + msg60, + msg61, + ]); + + var part76 = match("MESSAGE#42:Performing/0", "nwparser.payload", "Performing %{p0}"); + + var part77 = match("MESSAGE#42:Performing/1_0", "nwparser.p0", "form %{p0}"); + + var part78 = match("MESSAGE#42:Performing/1_1", "nwparser.p0", "query %{p0}"); + + var select19 = linear_select([ + part77, + part78, + ]); + + var part79 = match("MESSAGE#42:Performing/2", "nwparser.p0", "%{}injection against %{info}"); + + var all8 = all_match({ + processors: [ + part76, + select19, + part79, + ], + on_success: processor_chain([ + dup20, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + setc("action","Performing injection"), + ]), + }); + + var msg62 = msg("Performing", all8); + + var part80 = match("MESSAGE#43:Performing:01", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg63 = msg("Performing:01", part80); + + var select20 = linear_select([ + msg62, + msg63, + ]); + + var part81 = match("MESSAGE#44:Trying", "nwparser.payload", "Trying %{fld30->} injection %{fld31}", processor_chain([ + dup20, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + setc("action","Trying injection"), + ])); + + var msg64 = msg("Trying", part81); + + var part82 = match("MESSAGE#45:Rewrote", "nwparser.payload", "Rewrote to %{url}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg65 = msg("Rewrote", part82); + + var msg66 = msg("SPIDER", dup62); + + var msg67 = msg("Preparing", dup62); + + var part83 = match("MESSAGE#48:Scan", "nwparser.payload", "Scan started by: \"%{username}\" %{fld34}", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + setc("action","scan started"), + ])); + + var msg68 = msg("Scan", part83); + + var part84 = match("MESSAGE#49:Scan:01", "nwparser.payload", "Scan 
[%{fld35}] completed in %{fld36}", processor_chain([ + dup11, + dup12, + dup13, + dup22, + dup14, + dup15, + setc("action","scan completed"), + ])); + + var msg69 = msg("Scan:01", part84); + + var part85 = match("MESSAGE#50:Scan:03", "nwparser.payload", "Scan for site %{fld11->} started by Schedule[%{info}].", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg70 = msg("Scan:03", part85); + + var part86 = match("MESSAGE#51:Scan:04", "nwparser.payload", "Scan startup took %{fld24->} seconds", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg71 = msg("Scan:04", part86); + + var part87 = match("MESSAGE#52:Scan:06/2", "nwparser.p0", "] %{fld12->} (%{info}) - VULNERABLE VERSION"); + + var all9 = all_match({ + processors: [ + dup40, + dup63, + part87, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), + }); + + var msg72 = msg("Scan:06", all9); + + var part88 = match("MESSAGE#53:Scan:05/2", "nwparser.p0", "] %{fld12->} (%{info}) - VULNERABLE"); + + var all10 = all_match({ + processors: [ + dup40, + dup63, + part88, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), + }); + + var msg73 = msg("Scan:05", all10); + + var part89 = match("MESSAGE#54:Scan:07/2", "nwparser.p0", "] %{fld12->} (%{info}) - NOT VULNERABLE VERSION"); + + var all11 = all_match({ + processors: [ + dup40, + dup63, + part89, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), + }); + + var msg74 = msg("Scan:07", all11); + + var part90 = match("MESSAGE#55:Scan:09/2", "nwparser.p0", "] %{fld12->} (%{info}) - NOT VULNERABLE [UNIQUE ID: %{fld13}]"); + + var all12 = 
all_match({ + processors: [ + dup40, + dup63, + part90, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), + }); + + var msg75 = msg("Scan:09", all12); + + var part91 = match("MESSAGE#56:Scan:08/2", "nwparser.p0", "] %{fld12->} (%{info}) - NOT VULNERABLE"); + + var all13 = all_match({ + processors: [ + dup40, + dup63, + part91, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), + }); + + var msg76 = msg("Scan:08", all13); + + var part92 = match("MESSAGE#57:Scan:10", "nwparser.payload", "Scan for site %{fld12->} started by \"%{username}\".", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg77 = msg("Scan:10", part92); + + var part93 = match("MESSAGE#58:Scan:11", "nwparser.payload", "Scan stopped: \"%{username}\"", processor_chain([ + dup18, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg78 = msg("Scan:11", part93); + + var part94 = match("MESSAGE#59:Scan:12", "nwparser.payload", "Scan Engine shutting down...%{}", processor_chain([ + dup23, + dup12, + dup13, + dup19, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg79 = msg("Scan:12", part94); + + var part95 = match("MESSAGE#60:Scan:13", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Scan synopsis inconsistency resolved.", processor_chain([ + dup11, + dup12, + dup13, + dup22, + dup14, + dup15, + setc("event_description","Scan synopsis inconsistency resolved"), + ])); + + var msg80 = msg("Scan:13", part95); + + var part96 = match("MESSAGE#62:Scan:15/0", "nwparser.payload", "Silo ID: %{fld1}] [Scan ID: %{fld2}] Scan for site %{audit_object->} - %{p0}"); + + var part97 = match("MESSAGE#62:Scan:15/1_0", 
"nwparser.p0", "Non-Windows Systems Audit%{p0}"); + + var part98 = match("MESSAGE#62:Scan:15/1_1", "nwparser.p0", "Audit%{p0}"); + + var select21 = linear_select([ + part97, + part98, + ]); + + var part99 = match("MESSAGE#62:Scan:15/2", "nwparser.p0", "%{}restored. %{info}"); + + var all14 = all_match({ + processors: [ + part96, + select21, + part99, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup22, + dup14, + dup15, + setc("event_description","Scan for site restored"), + ]), + }); + + var msg81 = msg("Scan:15", all14); + + var part100 = match("MESSAGE#63:Scan:02", "nwparser.payload", "%{event_description}", processor_chain([ + dup11, + dup12, + dup13, + dup22, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg82 = msg("Scan:02", part100); + + var select22 = linear_select([ + msg68, + msg69, + msg70, + msg71, + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + msg82, + ]); + + var part101 = match("MESSAGE#61:Scan:14", "nwparser.payload", "Scan ID: %{fld1}] Inconsistency discovered for scan. %{info}", processor_chain([ + dup18, + dup12, + dup13, + dup43, + dup14, + dup15, + setc("event_description","Inconsistency discovered for scan"), + ])); + + var msg83 = msg("Scan:14", part101); + + var part102 = match("MESSAGE#64:Site", "nwparser.payload", "Site saved.%{}", processor_chain([ + dup44, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg84 = msg("Site", part102); + + var part103 = match("MESSAGE#65:Authenticated", "nwparser.payload", "Authenticated: %{username}", processor_chain([ + setc("eventcategory","1401060000"), + dup45, + dup46, + dup47, + dup22, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg85 = msg("Authenticated", part103); + + var part104 = match("MESSAGE#66:Authentication", "nwparser.payload", "Authentication failed. 
Login information is missing.%{}", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg86 = msg("Authentication", part104); + + var part105 = match("MESSAGE#67:Authentication:01", "nwparser.payload", "Authentication failed for %{username}: Access denied.", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg87 = msg("Authentication:01", part105); + + var part106 = match("MESSAGE#68:Authentication:02", "nwparser.payload", "Authentication failed. User account may be invalid or disabled.%{}", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg88 = msg("Authentication:02", part106); + + var part107 = match("MESSAGE#69:Authentication:03", "nwparser.payload", "%{info}", processor_chain([ + setc("eventcategory","1304000000"), + dup45, + dup46, + dup47, + dup14, + dup15, + dup16, + dup29, + ])); + + var msg89 = msg("Authentication:03", part107); + + var select23 = linear_select([ + msg86, + msg87, + msg88, + msg89, + ]); + + var part108 = match("MESSAGE#70:User", "nwparser.payload", "User (%{username}) is over the limit (%{fld12}) for failed login attempts.", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg90 = msg("User", part108); + + var part109 = match("MESSAGE#265:User:04", "nwparser.payload", "User name: %{username}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg91 = msg("User:04", part109); + + var select24 = linear_select([ + msg90, + msg91, + ]); + + var msg92 = msg("persistent-xss", dup61); + + var part110 = match("MESSAGE#72:Adding:01", "nwparser.payload", "Adding user to datastore: %{username}", 
processor_chain([ + setc("eventcategory","1402020200"), + dup45, + setc("ec_activity","Create"), + dup47, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("obj_type","User"), + ])); + + var msg93 = msg("Adding:01", part110); + + var msg94 = msg("Adding", dup62); + + var select25 = linear_select([ + msg93, + msg94, + ]); + + var msg95 = msg("credentials", dup62); + + var msg96 = msg("SPIDER-XSS", dup62); + + var msg97 = msg("Processing", dup62); + + var msg98 = msg("but", dup62); + + var msg99 = msg("j_password", dup62); + + var msg100 = msg("j_username", dup62); + + var msg101 = msg("osspi_defaultTargetLocation", dup62); + + var part111 = match("MESSAGE#81:spider-parse-robot-exclusions", "nwparser.payload", "spider-parse-robot-exclusions: %{fld40->} Malformed HTTP %{fld41}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg102 = msg("spider-parse-robot-exclusions", part111); + + var msg103 = msg("Cataloged", dup62); + + var msg104 = msg("Dumping", dup62); + + var msg105 = msg("Form", dup62); + + var msg106 = msg("Relaunching", dup62); + + var msg107 = msg("main", dup62); + + var msg108 = msg("SystemFingerprint", dup62); + + var part112 = match("MESSAGE#88:Searching", "nwparser.payload", "Searching for %{service->} domain %{fld11}...", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg109 = msg("Searching", part112); + + var msg110 = msg("TCPSocket", dup62); + + var part113 = match("MESSAGE#90:connected", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup49, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg111 = msg("connected", part113); + + var part114 = match("MESSAGE#91:Failed", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup49, + dup27, + dup14, + dup15, + ])); + + var msg112 = msg("Failed", part114); + + var part115 = match("MESSAGE#92:Attempting:01", 
"nwparser.payload", "Attempting to authenticate user %{username->} from %{saddr}.", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg113 = msg("Attempting:01", part115); + + var msg114 = msg("Attempting", dup64); + + var select26 = linear_select([ + msg113, + msg114, + ]); + + var part116 = match("MESSAGE#94:Recursively:01", "nwparser.payload", "Recursively listing files on %{service}[%{info}]", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg115 = msg("Recursively:01", part116); + + var msg116 = msg("Recursively", dup62); + + var select27 = linear_select([ + msg115, + msg116, + ]); + + var msg117 = msg("building", dup62); + + var msg118 = msg("Sending", dup62); + + var msg119 = msg("sending", dup64); + + var part117 = match("MESSAGE#99:creating", "nwparser.payload", "creating new connection to %{obj_name}", processor_chain([ + dup20, + dup49, + dup14, + dup15, + dup17, + ])); + + var msg120 = msg("creating", part117); + + var part118 = match("MESSAGE#100:Trusted", "nwparser.payload", "Trusted MAC address checking is disabled%{}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg121 = msg("Trusted", part118); + + var part119 = match("MESSAGE#101:signon_type", "nwparser.payload", "signon_type: %{fld40}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg122 = msg("signon_type", part119); + + var msg123 = msg("list-user-directory", dup62); + + var msg124 = msg("dcerpc-get-ms-blaster-codes", dup62); + + var msg125 = msg("Could", dup62); + + var part120 = match("MESSAGE#105:Asserting", "nwparser.payload", "Asserting software fingerprint name=%{obj_name}, version=%{version}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("obj_type","Software Fingerprint"), + ])); + + var msg126 = msg("Asserting", part120); 
+ + var part121 = match("MESSAGE#106:Asserting:01", "nwparser.payload", "Asserting run entry: %{service}: %(unknown)", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg127 = msg("Asserting:01", part121); + + var part122 = match("MESSAGE#107:Asserting:02", "nwparser.payload", "Asserting network interface: %{sinterface->} with IP: %{saddr->} and netmask: %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg128 = msg("Asserting:02", part122); + + var part123 = match("MESSAGE#108:Asserting:03", "nwparser.payload", "Asserting highest MDAC version of %{version}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg129 = msg("Asserting:03", part123); + + var msg130 = msg("Asserting:04", dup62); + + var select28 = linear_select([ + msg126, + msg127, + msg128, + msg129, + msg130, + ]); + + var part124 = match("MESSAGE#110:Determining:01", "nwparser.payload", "Determining version of file %{filename->} (%{application})", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg131 = msg("Determining:01", part124); + + var msg132 = msg("Determining", dup62); + + var select29 = linear_select([ + msg131, + msg132, + ]); + + var part125 = match("MESSAGE#112:Webmin", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup35, + dup27, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg133 = msg("Webmin", part125); + + var part126 = match("MESSAGE#113:Running:02", "nwparser.payload", "Running unresolved %{service}", processor_chain([ + dup20, + dup35, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg134 = msg("Running:02", part126); + + var part127 = match("MESSAGE#114:Running:01", "nwparser.payload", "Running 
%{protocol->} service %{service}", processor_chain([ + dup20, + dup35, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg135 = msg("Running:01", part127); + + var part128 = match("MESSAGE#115:Running", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup35, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg136 = msg("Running", part128); + + var select30 = linear_select([ + msg134, + msg135, + msg136, + ]); + + var part129 = match("MESSAGE#116:path:/0_0", "nwparser.payload", "Service path:%{p0}"); + + var part130 = match("MESSAGE#116:path:/0_1", "nwparser.payload", "path:%{p0}"); + + var select31 = linear_select([ + part129, + part130, + ]); + + var part131 = match("MESSAGE#116:path:/1", "nwparser.p0", "%{} %(unknown)"); + + var all15 = all_match({ + processors: [ + select31, + part131, + ], + on_success: processor_chain([ + dup20, + dup15, + ]), + }); + + var msg137 = msg("path:", all15); + + var part132 = match("MESSAGE#117:path:01", "nwparser.payload", "Service path is insecure.%{}", processor_chain([ + dup20, + dup15, + setc("info","Service path is insecure."), + ])); + + var msg138 = msg("path:01", part132); + + var part133 = match("MESSAGE#118:Service", "nwparser.payload", "Service %{service->} %{action->} on Provider: %{fld2}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg139 = msg("Service", part133); + + var part134 = match("MESSAGE#119:ServiceFingerprint", "nwparser.payload", "Service running: %{event_description}", processor_chain([ + dup20, + dup35, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg140 = msg("ServiceFingerprint", part134); + + var msg141 = msg("path", dup65); + + var select32 = linear_select([ + msg137, + msg138, + msg139, + msg140, + msg141, + ]); + + var msg142 = msg("using", dup61); + + var part135 = match("MESSAGE#122:Found:01", "nwparser.payload", "Found group: CIFS Group %{group}", processor_chain([ + dup20, + dup50, + dup51, + 
dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg143 = msg("Found:01", part135); + + var part136 = match("MESSAGE#123:Found:02", "nwparser.payload", "Found user: CIFS User %{username}", processor_chain([ + dup20, + dup45, + dup51, + dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg144 = msg("Found:02", part136); + + var part137 = match("MESSAGE#124:Found:03", "nwparser.payload", "Found user %{username}", processor_chain([ + dup20, + dup45, + dup51, + dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg145 = msg("Found:03", part137); + + var part138 = match("MESSAGE#125:Found:04", "nwparser.payload", "Found interface %{sinterface}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg146 = msg("Found:04", part138); + + var part139 = match("MESSAGE#126:Found:05", "nwparser.payload", "Found DHCP-assigned WINS server: %{saddr}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg147 = msg("Found:05", part139); + + var msg148 = msg("Found", dup62); + + var select33 = linear_select([ + msg143, + msg144, + msg145, + msg146, + msg147, + msg148, + ]); + + var part140 = match("MESSAGE#128:FTP", "nwparser.payload", "FTP name: %{fld40}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg149 = msg("FTP", part140); + + var part141 = match("MESSAGE#129:Starting:02", "nwparser.payload", "Starting Office fingerprinting with dir %{directory}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg150 = msg("Starting:02", part141); + + var part142 = match("MESSAGE#130:Starting:01", "nwparser.payload", "Starting scan against %{fld11->} (%{fld12}) with scan template: 
%{fld13}.", processor_chain([ + dup20, + dup12, + dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg151 = msg("Starting:01", part142); + + var msg152 = msg("Starting", dup62); + + var select34 = linear_select([ + msg150, + msg151, + msg152, + ]); + + var msg153 = msg("loading", dup61); + + var part143 = match("MESSAGE#133:trying", "nwparser.payload", "trying the next key: %{fld11}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg154 = msg("trying", part143); + + var msg155 = msg("Retrieving", dup64); + + var part144 = match("MESSAGE#135:Got", "nwparser.payload", "Got version: %{version}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + ])); + + var msg156 = msg("Got", part144); + + var msg157 = msg("unexpected", dup64); + + var part145 = match("MESSAGE#137:checking:03", "nwparser.payload", "checking version of '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg158 = msg("checking:03", part145); + + var part146 = match("MESSAGE#138:No", "nwparser.payload", "No closed UDP ports, IP fingerprinting may be less accurate%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg159 = msg("No", part146); + + var part147 = match("MESSAGE#139:No:01", "nwparser.payload", "No credentials available%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg160 = msg("No:01", part147); + + var part148 = match("MESSAGE#140:No:02", "nwparser.payload", "No access to %{directory->} with %{service}[%{info}]", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg161 = msg("No:02", part148); + + var part149 = match("MESSAGE#141:No:03", 
"nwparser.payload", "No approved updates found for processing.%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg162 = msg("No:03", part149); + + var msg163 = msg("No:04", dup61); + + var select35 = linear_select([ + msg159, + msg160, + msg161, + msg162, + msg163, + ]); + + var part150 = match("MESSAGE#142:Applying", "nwparser.payload", "Applying update ID %{fld12}.", processor_chain([ + dup44, + dup52, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg164 = msg("Applying", part150); + + var part151 = match("MESSAGE#143:Update", "nwparser.payload", "Update ID %{fld12->} applied successfully.", processor_chain([ + dup44, + dup52, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg165 = msg("Update", part151); + + var part152 = match("MESSAGE#227:Update:02", "nwparser.payload", "Update ID %{fld1}, for product ID %{id}, %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg166 = msg("Update:02", part152); + + var msg167 = msg("Update:03", dup61); + + var select36 = linear_select([ + msg165, + msg166, + msg167, + ]); + + var part153 = match("MESSAGE#144:Installing", "nwparser.payload", "Installing directory %{directory}.", processor_chain([ + dup20, + dup52, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg168 = msg("Installing", part153); + + var part154 = match("MESSAGE#145:Installing:01", "nwparser.payload", "Installing file, %(unknown).", processor_chain([ + dup20, + dup52, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg169 = msg("Installing:01", part154); + + var part155 = match("MESSAGE#405:Installing:02", "nwparser.payload", "Installing Postgres files into %{directory->} from %{info}", processor_chain([ + dup20, + dup14, + dup15, + 
setc("event_description","Installing Postgres files"), + ])); + + var msg170 = msg("Installing:02", part155); + + var select37 = linear_select([ + msg168, + msg169, + msg170, + ]); + + var part156 = match("MESSAGE#146:Resolving", "nwparser.payload", "Resolving additional DNS records%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg171 = msg("Resolving", part156); + + var part157 = match("MESSAGE#147:DNS", "nwparser.payload", "DNS name: %{obj_name}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("obj_type","DNS"), + ])); + + var msg172 = msg("DNS", part157); + + var part158 = match("MESSAGE#148:Scanning", "nwparser.payload", "Scanning %{fld23->} %{protocol->} ports", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg173 = msg("Scanning", part158); + + var msg174 = msg("param:", dup64); + + var part159 = match("MESSAGE#150:Windows", "nwparser.payload", "Windows %{obj_name->} dir is: '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg175 = msg("Windows", part159); + + var part160 = match("MESSAGE#151:Windows:01", "nwparser.payload", "Windows Media Player version: %{version}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg176 = msg("Windows:01", part160); + + var msg177 = msg("Windows:02", dup61); + + var select38 = linear_select([ + msg175, + msg176, + msg177, + ]); + + var msg178 = msg("Parsed", dup64); + + var part161 = match("MESSAGE#153:JRE", "nwparser.payload", "JRE version %{version->} is installed", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg179 = msg("JRE", part161); + 
+ var msg180 = msg("Microsoft", dup64); + + var part162 = match("MESSAGE#155:MDAC", "nwparser.payload", "MDAC version: %{version}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg181 = msg("MDAC", part162); + + var part163 = match("MESSAGE#156:Name", "nwparser.payload", "Name Server: %{saddr}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg182 = msg("Name", part163); + + var msg183 = msg("Flash", dup64); + + var msg184 = msg("Skipping", dup64); + + var part164 = match("MESSAGE#159:Closing", "nwparser.payload", "Closing service: %{service->} (source: %{info})", processor_chain([ + dup20, + dup35, + dup24, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg185 = msg("Closing", part164); + + var part165 = match("MESSAGE#238:Closing:03", "nwparser.payload", "Engine: %{fld1}] [Engine ID: %{fld3}] Closing connection to scan engine.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Closing connection to scan engine"), + ])); + + var msg186 = msg("Closing:03", part165); + + var msg187 = msg("Closing:02", dup61); + + var select39 = linear_select([ + msg185, + msg186, + msg187, + ]); + + var part166 = match("MESSAGE#160:key", "nwparser.payload", "key does not exist: %{fld11}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg188 = msg("key", part166); + + var part167 = match("MESSAGE#161:Listing", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup50, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg189 = msg("Listing", part167); + + var msg190 = msg("Getting", dup64); + + var part168 = match("MESSAGE#163:Version:", "nwparser.payload", "Version: %{version}", processor_chain([ + dup20, + dup14, + 
dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg191 = msg("Version:", part168); + + var msg192 = msg("IE", dup64); + + var part169 = match("MESSAGE#165:Completed", "nwparser.payload", "Completed %{protocol->} port scan (%{dclass_counter1->} open ports): %{fld11->} seconds", processor_chain([ + dup20, + dup12, + dup13, + dup22, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","No. of Open ports"), + ])); + + var msg193 = msg("Completed", part169); + + var part170 = match("MESSAGE#291:Completed:01", "nwparser.payload", "Completed %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg194 = msg("Completed:01", part170); + + var part171 = match("MESSAGE#344:Completed:02", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Completed computation of asset group synopses.", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Completed computation of asset group synopses"), + ])); + + var msg195 = msg("Completed:02", part171); + + var part172 = match("MESSAGE#345:Completed:03", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Completed computation of site synopsis.", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Completed computation of site synopsis"), + ])); + + var msg196 = msg("Completed:03", part172); + + var part173 = match("MESSAGE#346:Completed:04", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Completed recomputation of synopsis data.", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Completed recomputation of synopsis data"), + ])); + + var msg197 = msg("Completed:04", part173); + + var part174 = match("MESSAGE#347:Completed:05", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] %{event_description}", processor_chain([ + dup18, 
+ dup12, + dup13, + dup43, + dup14, + dup15, + ])); + + var msg198 = msg("Completed:05", part174); + + var part175 = match("MESSAGE#348:Completed:06", "nwparser.payload", "Started: %{fld2}T%{fld3}] [Duration: %{fld4}] %{event_description}", processor_chain([ + dup18, + dup12, + dup13, + dup43, + dup14, + dup15, + ])); + + var msg199 = msg("Completed:06", part175); + + var part176 = match("MESSAGE#460:Completed:07", "nwparser.payload", "%{fld1}] [%{fld2}] [%{fld3}] [%{fld4}] [Started: %{fld5}T%{fld6}] [Duration: %{fld7}] Completed purging sub-scan results.", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Completed purging sub-scan results"), + ])); + + var msg200 = msg("Completed:07", part176); + + var part177 = match("MESSAGE#461:Completed:08", "nwparser.payload", "SiteID: %{fld1}] [Scan ID: %{fld2}] [Started: %{fld3}T%{fld4}] [Duration: %{fld5}] Completed computation of synopsis.", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Completed computation of synopsis"), + ])); + + var msg201 = msg("Completed:08", part177); + + var select40 = linear_select([ + msg193, + msg194, + msg195, + msg196, + msg197, + msg198, + msg199, + msg200, + msg201, + ]); + + var part178 = match("MESSAGE#166:Retrieved", "nwparser.payload", "Retrieved XML version %{version->} for file %(unknown)", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg202 = msg("Retrieved", part178); + + var part179 = match("MESSAGE#167:CIFS", "nwparser.payload", "CIFS Name Service name: %{service}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg203 = msg("CIFS", part179); + + var msg204 = msg("Cached:", dup64); + + var msg205 = msg("Enumerating", dup64); + + var part180 = match("MESSAGE#170:Checking:01", "nwparser.payload", "Checking for approved updates.%{}", processor_chain([ + dup20, + dup14, + dup15, + 
dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg206 = msg("Checking:01", part180); + + var msg207 = msg("Checking:02", dup64); + + var select41 = linear_select([ + msg206, + msg207, + ]); + + var part181 = match("MESSAGE#172:CSIDL_SYSTEMX86", "nwparser.payload", "CSIDL_SYSTEMX86 dir is: '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg208 = msg("CSIDL_SYSTEMX86", part181); + + var part182 = match("MESSAGE#173:CSIDL_SYSTEM", "nwparser.payload", "CSIDL_SYSTEM dir is: '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg209 = msg("CSIDL_SYSTEM", part182); + + var part183 = match("MESSAGE#174:office", "nwparser.payload", "office root dir is: '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg210 = msg("office", part183); + + var part184 = match("MESSAGE#175:Exchange", "nwparser.payload", "Exchange root dir is: '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg211 = msg("Exchange", part184); + + var part185 = match("MESSAGE#176:SQL", "nwparser.payload", "SQL Server root dir is: '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg212 = msg("SQL", part185); + + var part186 = match("MESSAGE#177:starting", "nwparser.payload", "starting %{service}", processor_chain([ + dup20, + dup12, + dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg213 = msg("starting", part186); + + var part187 = match("MESSAGE#178:Host", "nwparser.payload", "Host type (from MAC %{smacaddr}): %{fld11}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + 
dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg214 = msg("Host", part187); + + var part188 = match("MESSAGE#268:Host:01", "nwparser.payload", "Host Address: %{saddr}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg215 = msg("Host:01", part188); + + var part189 = match("MESSAGE#269:Host:02", "nwparser.payload", "Host FQDN: %{fqdn}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg216 = msg("Host:02", part189); + + var select42 = linear_select([ + msg214, + msg215, + msg216, + ]); + + var part190 = match("MESSAGE#179:Advertising", "nwparser.payload", "Advertising %{service->} service", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg217 = msg("Advertising", part190); + + var part191 = match("MESSAGE#180:IP", "nwparser.payload", "IP fingerprint:%{fld11}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg218 = msg("IP", part191); + + var part192 = match("MESSAGE#181:Updating:01", "nwparser.payload", "Updating file, %(unknown).", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg219 = msg("Updating:01", part192); + + var part193 = match("MESSAGE#182:Updating", "nwparser.payload", "Updating %{info}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg220 = msg("Updating", part193); + + var select43 = linear_select([ + msg219, + msg220, + ]); + + var part194 = match("MESSAGE#183:Updated", "nwparser.payload", "Updated risk scores for %{dclass_counter1->} vulnerabilities in %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","Number of vulnerabilities"), + ])); + + var msg221 = msg("Updated", part194); + + var part195 = 
match("MESSAGE#184:Updated:01", "nwparser.payload", "Updated risk scores for %{dclass_counter1->} assets in %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","Number of assets"), + ])); + + var msg222 = msg("Updated:01", part195); + + var part196 = match("MESSAGE#185:Updated:02", "nwparser.payload", "Updated risk scores for %{dclass_counter1->} sites in %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","Number of sites"), + ])); + + var msg223 = msg("Updated:02", part196); + + var part197 = match("MESSAGE#186:Updated:03", "nwparser.payload", "Updated risk scores for %{dclass_counter1->} groups in %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","Number of groups"), + ])); + + var msg224 = msg("Updated:03", part197); + + var part198 = match("MESSAGE#260:Updated:04/0", "nwparser.payload", "Started: %{fld2}] [Duration: %{fld3}] Updated risk scores for %{fld1->} %{p0}"); + + var part199 = match("MESSAGE#260:Updated:04/1_0", "nwparser.p0", "vulnerabilities.%{}"); + + var part200 = match("MESSAGE#260:Updated:04/1_1", "nwparser.p0", "assets.%{}"); + + var part201 = match("MESSAGE#260:Updated:04/1_2", "nwparser.p0", "sites.%{}"); + + var part202 = match("MESSAGE#260:Updated:04/1_3", "nwparser.p0", "groups.%{}"); + + var select44 = linear_select([ + part199, + part200, + part201, + part202, + ]); + + var all16 = all_match({ + processors: [ + part198, + select44, + ], + on_success: processor_chain([ + dup20, + dup15, + ]), + }); + + var msg225 = msg("Updated:04", all16); + + var part203 = match("MESSAGE#311:Updated:06/0", "nwparser.payload", "%{fld1}] [Started: %{fld2}] [Duration: %{fld3}] Updated %{p0}"); + + var part204 = match("MESSAGE#311:Updated:06/1_0", "nwparser.p0", 
"scan risk scores%{p0}"); + + var part205 = match("MESSAGE#311:Updated:06/1_1", "nwparser.p0", "risk scores for site%{p0}"); + + var select45 = linear_select([ + part204, + part205, + ]); + + var part206 = match("MESSAGE#311:Updated:06/2", "nwparser.p0", ".%{}"); + + var all17 = all_match({ + processors: [ + part203, + select45, + part206, + ], + on_success: processor_chain([ + dup11, + dup14, + dup15, + setc("event_description","Updated risk scores"), + ]), + }); + + var msg226 = msg("Updated:06", all17); + + var msg227 = msg("Updated:05", dup65); + + var select46 = linear_select([ + msg221, + msg222, + msg223, + msg224, + msg225, + msg226, + msg227, + ]); + + var part207 = match("MESSAGE#187:Started", "nwparser.payload", "Started auto-update.%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg228 = msg("Started", part207); + + var msg229 = msg("Started:02", dup61); + + var select47 = linear_select([ + msg228, + msg229, + ]); + + var part208 = match("MESSAGE#188:Executing", "nwparser.payload", "Executing job JobID[%{info}] Risk and daily history updater for silo %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg230 = msg("Executing", part208); + + var part209 = match("MESSAGE#189:Executing:01", "nwparser.payload", "Executing job JobID[%{info}] Auto-update retriever", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg231 = msg("Executing:01", part209); + + var part210 = match("MESSAGE#190:Executing:02", "nwparser.payload", "Executing job JobID[%{info}] %{fld1->} retention updater-default", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg232 = msg("Executing:02", part210); + + var part211 = match("MESSAGE#191:Executing:04", "nwparser.payload", "Executing job JobID[%{info}] %{obj_type}: %{obj_name}", 
processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg233 = msg("Executing:04", part211); + + var part212 = match("MESSAGE#326:Executing:03", "nwparser.payload", "Executing SQL: %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg234 = msg("Executing:03", part212); + + var select48 = linear_select([ + msg230, + msg231, + msg232, + msg233, + msg234, + ]); + + var part213 = match("MESSAGE#192:A", "nwparser.payload", "A set of SSH administrative credentials have failed verification.%{}", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg235 = msg("A", part213); + + var part214 = match("MESSAGE#193:Administrative:01", "nwparser.payload", "Administrative credentials failed (access denied).%{}", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg236 = msg("Administrative:01", part214); + + var part215 = match("MESSAGE#194:Administrative", "nwparser.payload", "Administrative credentials for %{service->} will be used.", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg237 = msg("Administrative", part215); + + var select49 = linear_select([ + msg236, + msg237, + ]); + + var part216 = match("MESSAGE#195:Initializing:01", "nwparser.payload", "Engine: %{fld1}] [Engine ID: %{fld2}] Initializing remote scan engine (%{dhost}).", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Initializing remote scan engine"), + ])); + + var msg238 = msg("Initializing:01", part216); + + var part217 = match("MESSAGE#196:Initializing/1_0", "nwparser.p0", "Initializing %{service}."); + + var part218 = match("MESSAGE#196:Initializing/1_1", "nwparser.p0", "Initializing JDBC drivers %{}"); + + var part219 = match("MESSAGE#196:Initializing/1_2", 
"nwparser.p0", "%{event_description}"); + + var select50 = linear_select([ + part217, + part218, + part219, + ]); + + var all18 = all_match({ + processors: [ + dup28, + select50, + ], + on_success: processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), + }); + + var msg239 = msg("Initializing", all18); + + var select51 = linear_select([ + msg238, + msg239, + ]); + + var msg240 = msg("Creating", dup64); + + var msg241 = msg("Loading", dup64); + + var part220 = match("MESSAGE#199:Loaded", "nwparser.payload", "Loaded %{dclass_counter1->} policy checks for scan.", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","No. of policies"), + ])); + + var msg242 = msg("Loaded", part220); + + var msg243 = msg("Loaded:01", dup66); + + var select52 = linear_select([ + msg242, + msg243, + ]); + + var part221 = match("MESSAGE#200:Finished", "nwparser.payload", "Finished locating %{dclass_counter1->} live nodes. [Started: %{fld11}] [Duration: %{fld12}]", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","No. 
of live nodes"), + ])); + + var msg244 = msg("Finished", part221); + + var part222 = match("MESSAGE#201:Finished:01", "nwparser.payload", "Finished loading %{service}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg245 = msg("Finished:01", part222); + + var part223 = match("MESSAGE#202:Finished:02", "nwparser.payload", "Finished resolving DNS records%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg246 = msg("Finished:02", part223); + + var msg247 = msg("Finished:03", dup67); + + var select53 = linear_select([ + msg244, + msg245, + msg246, + msg247, + ]); + + var msg248 = msg("CheckProcessor:", dup64); + + var msg249 = msg("Locating", dup64); + + var part224 = match("MESSAGE#205:TCP", "nwparser.payload", "TCP port scanner is using: %{fld11}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg250 = msg("TCP", part224); + + var part225 = match("MESSAGE#206:UDP", "nwparser.payload", "UDP port scanner is using: %{fld11}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg251 = msg("UDP", part225); + + var part226 = match("MESSAGE#207:Queued", "nwparser.payload", "Queued live nodes for scanning: %{dclass_counter1}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","Live nodes"), + ])); + + var msg252 = msg("Queued", part226); + + var msg253 = msg("Reading", dup64); + + var msg254 = msg("Registering", dup64); + + var part227 = match("MESSAGE#210:Registered", "nwparser.payload", "Registered session [%{fld12}] for IP [%{saddr}]", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg255 = 
msg("Registered", part227); + + var part228 = match("MESSAGE#219:Registered:02", "nwparser.payload", "Registered session for principal name [%{username}] for IP [%{saddr}]", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg256 = msg("Registered:02", part228); + + var select54 = linear_select([ + msg255, + msg256, + ]); + + var part229 = match("MESSAGE#211:Seeing", "nwparser.payload", "Seeing if %{saddr->} is a valid network node", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg257 = msg("Seeing", part229); + + var part230 = match("MESSAGE#212:Logging", "nwparser.payload", "Logging initialized. [Name = %{obj_name}] [Level = %{fld11}] [Timezone = %{fld12}]", processor_chain([ + dup20, + dup14, + dup15, + dup16, + ])); + + var msg258 = msg("Logging", part230); + + var msg259 = msg("Firefox", dup64); + + var msg260 = msg("nodes", dup64); + + var msg261 = msg("common", dup67); + + var msg262 = msg("jess.JessException:", dup67); + + var part231 = match("MESSAGE#218:Successfully", "nwparser.payload", "Successfully %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg263 = msg("Successfully", part231); + + var msg264 = msg("Establishing", dup61); + + var msg265 = msg("Response", dup61); + + var msg266 = msg("Auto-update", dup61); + + var msg267 = msg("Approved:03", dup61); + + var msg268 = msg("HHH000436:", dup61); + + var msg269 = msg("Staged", dup61); + + var msg270 = msg("Refreshing", dup61); + + var msg271 = msg("Activation", dup61); + + var msg272 = msg("Acknowledging", dup61); + + var msg273 = msg("Acknowledged", dup61); + + var msg274 = msg("Validating", dup61); + + var msg275 = msg("Patching", dup61); + + var msg276 = msg("JAR", dup61); + + var msg277 = msg("Destroying", dup61); + + var msg278 = msg("Invocation", dup61); + + var msg279 = msg("Using", dup61); + + var part232 = match("MESSAGE#243:Route:01", "nwparser.payload", "Route: %{fld1->} shutdown 
complete, %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg280 = msg("Route:01", part232); + + var part233 = match("MESSAGE#244:Route:02", "nwparser.payload", "Route: %{fld1->} started and consuming from: %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg281 = msg("Route:02", part233); + + var select55 = linear_select([ + msg280, + msg281, + ]); + + var msg282 = msg("Deploying", dup61); + + var msg283 = msg("Generating", dup61); + + var msg284 = msg("Staging", dup61); + + var msg285 = msg("Removing", dup61); + + var msg286 = msg("At", dup61); + + var msg287 = msg("An", dup61); + + var msg288 = msg("The", dup61); + + var msg289 = msg("Downloading", dup61); + + var msg290 = msg("Downloaded", dup61); + + var msg291 = msg("Restarting", dup61); + + var msg292 = msg("Requested", dup61); + + var part234 = match("MESSAGE#257:Freeing", "nwparser.payload", "Freeing session for principal name [%{username}]", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg293 = msg("Freeing", part234); + + var part235 = match("MESSAGE#258:Freeing:01", "nwparser.payload", "Freeing %{dclass_counter1->} current sessions.", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg294 = msg("Freeing:01", part235); + + var select56 = linear_select([ + msg293, + msg294, + ]); + + var part236 = match("MESSAGE#259:Kill", "nwparser.payload", "Kill session for principal name [%{username}]", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg295 = msg("Kill", part236); + + var part237 = match("MESSAGE#262:Created:01", "nwparser.payload", "Created temporary directory %(unknown)", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg296 = msg("Created:01", part237); + + var part238 = match("MESSAGE#331:Created:02", "nwparser.payload", "Created %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg297 = msg("Created:02", part238); + + var select57 = linear_select([ + 
msg296, + msg297, + ]); + + var part239 = match("MESSAGE#263:Product", "nwparser.payload", "Product Version: %{version}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg298 = msg("Product", part239); + + var part240 = match("MESSAGE#264:Current", "nwparser.payload", "Current directory: %(unknown)", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg299 = msg("Current", part240); + + var part241 = match("MESSAGE#308:Current:01", "nwparser.payload", "Current DB_VERSION = %{version}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg300 = msg("Current:01", part241); + + var select58 = linear_select([ + msg299, + msg300, + ]); + + var part242 = match("MESSAGE#266:Super", "nwparser.payload", "Super user: %{result}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg301 = msg("Super", part242); + + var part243 = match("MESSAGE#267:Computer", "nwparser.payload", "Computer name: %{hostname}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg302 = msg("Computer", part243); + + var part244 = match("MESSAGE#270:Operating", "nwparser.payload", "Operating system: %{os}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg303 = msg("Operating", part244); + + var part245 = match("MESSAGE#271:CPU", "nwparser.payload", "CPU speed: %{fld1}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg304 = msg("CPU", part245); + + var part246 = match("MESSAGE#272:Number", "nwparser.payload", "Number of CPUs: %{dclass_counter1}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg305 = msg("Number", part246); + + var part247 = match("MESSAGE#273:Total", "nwparser.payload", "Total %{fld1}: %{fld2}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg306 = msg("Total", part247); + + var part248 = match("MESSAGE#320:Total:02", "nwparser.payload", "Total %{dclass_counter1->} routes, of which %{dclass_counter2->} is started.", processor_chain([ + dup20, + dup14, + dup15, + ])); + + 
var msg307 = msg("Total:02", part248); + + var select59 = linear_select([ + msg306, + msg307, + ]); + + var part249 = match("MESSAGE#274:Available", "nwparser.payload", "Available %{fld1}: %{fld2}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg308 = msg("Available", part249); + + var part250 = match("MESSAGE#275:Disk", "nwparser.payload", "Disk space used by %{fld1}: %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg309 = msg("Disk", part250); + + var part251 = match("MESSAGE#276:JVM", "nwparser.payload", "JVM %{fld1}: %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg310 = msg("JVM", part251); + + var part252 = match("MESSAGE#277:Pausing", "nwparser.payload", "Pausing ProtocolHandler [%{info}]", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg311 = msg("Pausing", part252); + + var part253 = match("MESSAGE#278:Policy", "nwparser.payload", "Policy %{policyname->} replaces %{fld1}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg312 = msg("Policy", part253); + + var part254 = match("MESSAGE#420:Policy:01", "nwparser.payload", "Policy benchmark %{policyname->} in %{info->} with hash %{fld1->} is not valid builtin content and will not load.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Policy benchmark is not valid builtin content and will not load"), + ])); + + var msg313 = msg("Policy:01", part254); + + var select60 = linear_select([ + msg312, + msg313, + ]); + + var part255 = match("MESSAGE#279:Bulk", "nwparser.payload", "Bulk %{action->} %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg314 = msg("Bulk", part255); + + var part256 = match("MESSAGE#280:Importing", "nwparser.payload", "%{action->} %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg315 = msg("Importing", part256); + + var part257 = match("MESSAGE#281:Imported", "nwparser.payload", "%{action->} %{dclass_counter1->} new categories, categorized 
%{fld1->} vulnerabilities and %{fld2->} tags.", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg316 = msg("Imported", part257); + + var msg317 = msg("Imported:01", dup65); + + var select61 = linear_select([ + msg316, + msg317, + ]); + + var part258 = match("MESSAGE#283:Compiling", "nwparser.payload", "Compiling %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg318 = msg("Compiling", part258); + + var part259 = match("MESSAGE#284:Vulnerability", "nwparser.payload", "Vulnerability %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg319 = msg("Vulnerability", part259); + + var part260 = match("MESSAGE#285:Truncating", "nwparser.payload", "Truncating %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg320 = msg("Truncating", part260); + + var part261 = match("MESSAGE#286:Synchronizing", "nwparser.payload", "Synchronizing %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg321 = msg("Synchronizing", part261); + + var part262 = match("MESSAGE#287:Parsing", "nwparser.payload", "Parsing %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg322 = msg("Parsing", part262); + + var part263 = match("MESSAGE#288:Remapping", "nwparser.payload", "Remapping %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg323 = msg("Remapping", part263); + + var part264 = match("MESSAGE#289:Remapped", "nwparser.payload", "Started: %{fld1}] [Duration: %{fld2}] Remapped %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg324 = msg("Remapped", part264); + + var part265 = match("MESSAGE#290:Database", "nwparser.payload", "Started: %{fld1}] [Duration: %{fld2}] Database %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg325 = msg("Database", part265); + + var part266 = match("MESSAGE#428:Database:01", "nwparser.payload", "Database %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg326 = msg("Database:01", part266); + + var 
select62 = linear_select([ + msg325, + msg326, + ]); + + var part267 = match("MESSAGE#292:Accepting", "nwparser.payload", "Accepting %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg327 = msg("Accepting", part267); + + var part268 = match("MESSAGE#293:VERSION:03", "nwparser.payload", "VERSION %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg328 = msg("VERSION:03", part268); + + var part269 = match("MESSAGE#294:Detected", "nwparser.payload", "Detected %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg329 = msg("Detected", part269); + + var part270 = match("MESSAGE#295:Telling", "nwparser.payload", "Telling %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg330 = msg("Telling", part270); + + var part271 = match("MESSAGE#298:Stopping", "nwparser.payload", "Stopping %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg331 = msg("Stopping", part271); + + var part272 = match("MESSAGE#299:removing", "nwparser.payload", "removing %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg332 = msg("removing", part272); + + var part273 = match("MESSAGE#300:Enabling", "nwparser.payload", "Enabling %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg333 = msg("Enabling", part273); + + var part274 = match("MESSAGE#301:Granting", "nwparser.payload", "Granting %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg334 = msg("Granting", part274); + + var part275 = match("MESSAGE#302:Version", "nwparser.payload", "Version %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg335 = msg("Version", part275); + + var part276 = match("MESSAGE#303:Configuring", "nwparser.payload", "Configuring %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg336 = msg("Configuring", part276); + + var part277 = match("MESSAGE#305:Scheduler", "nwparser.payload", "Scheduler %{info}", processor_chain([ 
+ dup20, + dup14, + dup15, + ])); + + var msg337 = msg("Scheduler", part277); + + var part278 = match("MESSAGE#341:Scheduler:01", "nwparser.payload", "Silo: %{fld1}] [Started: %{fld2}] [Duration: %{fld3}] Scheduler started.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Scheduler started"), + ])); + + var msg338 = msg("Scheduler:01", part278); + + var part279 = match("MESSAGE#429:Scheduler:02", "nwparser.payload", "%{fld1}: %{fld2}] Scheduler %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg339 = msg("Scheduler:02", part279); + + var select63 = linear_select([ + msg337, + msg338, + msg339, + ]); + + var part280 = match("MESSAGE#306:PostgreSQL", "nwparser.payload", "PostgreSQL %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg340 = msg("PostgreSQL", part280); + + var part281 = match("MESSAGE#307:Cleaning", "nwparser.payload", "Cleaning %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg341 = msg("Cleaning", part281); + + var part282 = match("MESSAGE#462:Cleaning:01", "nwparser.payload", "%{fld1}] [%{fld2}] [%{fld3}] [%{fld4}] Cleaning up sub-scan results.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Cleaning up sub-scan results"), + ])); + + var msg342 = msg("Cleaning:01", part282); + + var select64 = linear_select([ + msg341, + msg342, + ]); + + var part283 = match("MESSAGE#309:Installed:01/0", "nwparser.payload", "Installed DB%{p0}"); + + var part284 = match("MESSAGE#309:Installed:01/1_0", "nwparser.p0", "_VERSION after upgrade%{p0}"); + + var part285 = match("MESSAGE#309:Installed:01/1_1", "nwparser.p0", " VERSION %{p0}"); + + var select65 = linear_select([ + part284, + part285, + ]); + + var part286 = match("MESSAGE#309:Installed:01/2", "nwparser.p0", "%{}= %{version}"); + + var all19 = all_match({ + processors: [ + part283, + select65, + part286, + ], + on_success: processor_chain([ + dup20, + dup14, + dup15, + ]), + }); + + var msg343 = 
msg("Installed:01", all19); + + var part287 = match("MESSAGE#310:Inserted", "nwparser.payload", "Inserted %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg344 = msg("Inserted", part287); + + var part288 = match("MESSAGE#313:Deleted", "nwparser.payload", "Started: %{fld1}] [Duration: %{fld2}] Deleted %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg345 = msg("Deleted", part288); + + var msg346 = msg("Default", dup66); + + var msg347 = msg("Apache", dup66); + + var msg348 = msg("JMX", dup66); + + var msg349 = msg("AllowUseOriginalMessage", dup66); + + var part289 = match("MESSAGE#321:Initialized", "nwparser.payload", "Initialized PolicyCheckService with %{dclass_counter1->} benchmarks, containing %{fld1->} policies. The total check count is %{dclass_counter2}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg350 = msg("Initialized", part289); + + var part290 = match("MESSAGE#322:Initialized:01", "nwparser.payload", "Initialized %{dclass_counter1->} policy benchmarks in total.", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg351 = msg("Initialized:01", part290); + + var part291 = match("MESSAGE#379:Initialized_Scheduler", "nwparser.payload", "Initialized Scheduler Signaller of type: %{obj_type->} %{obj_name}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Initialized Scheduler Signaller"), + ])); + + var msg352 = msg("Initialized_Scheduler", part291); + + var select66 = linear_select([ + msg350, + msg351, + msg352, + ]); + + var msg353 = msg("Error", dup66); + + var part292 = match("MESSAGE#324:Graceful", "nwparser.payload", "Graceful shutdown of %{dclass_counter1->} routes completed in %{dclass_counter2->} seconds", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg354 = msg("Graceful", part292); + + var msg355 = msg("StreamCaching", dup61); + + var msg356 = msg("Local", dup66); + + var part293 = match("MESSAGE#329:DB_VERSION", "nwparser.payload", "DB_VERSION = 
%{version}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg357 = msg("DB_VERSION", part293); + + var part294 = match("MESSAGE#330:Populating", "nwparser.payload", "Populating %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg358 = msg("Populating", part294); + + var part295 = match("MESSAGE#332:EventLog", "nwparser.payload", "EventLog %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg359 = msg("EventLog", part295); + + var part296 = match("MESSAGE#333:Making", "nwparser.payload", "Making %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg360 = msg("Making", part296); + + var part297 = match("MESSAGE#334:Setting", "nwparser.payload", "Setting %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg361 = msg("Setting", part297); + + var part298 = match("MESSAGE#335:initdb", "nwparser.payload", "initdb %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg362 = msg("initdb", part298); + + var part299 = match("MESSAGE#336:Verifying", "nwparser.payload", "Verifying %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg363 = msg("Verifying", part299); + + var msg364 = msg("OS", dup66); + + var part300 = match("MESSAGE#338:Benchmark", "nwparser.payload", "Benchmark %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg365 = msg("Benchmark", part300); + + var part301 = match("MESSAGE#339:Report:01", "nwparser.payload", "Report Config ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup29, + dup54, + dup16, + ])); + + var msg366 = msg("Report:01", part301); + + var part302 = match("MESSAGE#340:Report", "nwparser.payload", "Report Config ID: %{fld1}] %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup29, + dup54, + dup16, + ])); + + var msg367 = msg("Report", part302); + + var select67 = linear_select([ + msg366, + 
msg367, + ]); + + var part303 = match("MESSAGE#342:Cannot_preload", "nwparser.payload", "Engine ID: %{fld1}] [Engine Name: %{fld2}] Cannot preload incremental pool with a connection %{fld3}", processor_chain([ + dup53, + dup14, + dup15, + dup55, + ])); + + var msg368 = msg("Cannot_preload", part303); + + var part304 = match("MESSAGE#343:Cannot_preload:01", "nwparser.payload", "Cannot preload incremental pool with a connection%{fld3}", processor_chain([ + dup53, + dup14, + dup15, + dup55, + ])); + + var msg369 = msg("Cannot_preload:01", part304); + + var select68 = linear_select([ + msg368, + msg369, + ]); + + var part305 = match("MESSAGE#349:ERROR:02", "nwparser.payload", "ERROR: syntax error at or near \"%{fld1}\"", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Syntax error"), + ])); + + var msg370 = msg("ERROR:02", part305); + + var part306 = match("MESSAGE#350:QuartzRepeaterBuilder", "nwparser.payload", "QuartzRepeaterBuilder failed to add schedule to ScanConfig: null%{}", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","QuartzRepeaterBuilder failed to add schedule"), + ])); + + var msg371 = msg("QuartzRepeaterBuilder", part306); + + var part307 = match("MESSAGE#351:Backing_up", "nwparser.payload", "Backing up %{event_source}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Backing up"), + ])); + + var msg372 = msg("Backing_up", part307); + + var part308 = match("MESSAGE#352:Not_configured", "nwparser.payload", "com.rapid.nexpose.scanpool.stateInterval is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid.nexpose.scanpool.stateInterval is not configured"), + ])); + + var msg373 = msg("Not_configured", part308); + + var part309 = match("MESSAGE#353:Not_configured:01", "nwparser.payload", "com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout is not configured - returning default value 
%{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout is not configured"), + ])); + + var msg374 = msg("Not_configured:01", part309); + + var part310 = match("MESSAGE#354:Not_configured:02", "nwparser.payload", "com.rapid7.nexpose.comms.clientConnectionProvider.getConnectionTimeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.comms.clientConnectionProvider.getConnectionTimeout is not configured"), + ])); + + var msg375 = msg("Not_configured:02", part310); + + var part311 = match("MESSAGE#355:Not_configured:03", "nwparser.payload", "com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured"), + ])); + + var msg376 = msg("Not_configured:03", part311); + + var part312 = match("MESSAGE#356:Not_configured:04", "nwparser.payload", "com.rapid7.nexpose.datastore.eviction.connection.threadIdleTimeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.datastore.eviction.connection.threadIdleTimeout is not configured"), + ])); + + var msg377 = msg("Not_configured:04", part312); + + var part313 = match("MESSAGE#357:Not_configured:05", "nwparser.payload", "com.rapid7.nexpose.nsc.dbcc is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.dbcc is not configured"), + ])); + + var msg378 = msg("Not_configured:05", part313); + + var part314 = match("MESSAGE#358:Not_configured:06", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.maximumCorePoolSize is not 
configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.maximumCorePoolSize is not configured"), + ])); + + var msg379 = msg("Not_configured:06", part314); + + var part315 = match("MESSAGE#359:Not_configured:07", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.minimumCorePoolSize is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.minimumCorePoolSize is not configured"), + ])); + + var msg380 = msg("Not_configured:07", part315); + + var part316 = match("MESSAGE#360:Not_configured:08", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.monitorCorePoolSizeIncreaseOnSaturation is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.monitorCorePoolSizeIncreaseOnSaturation is not configured"), + ])); + + var msg381 = msg("Not_configured:08", part316); + + var part317 = match("MESSAGE#361:Not_configured:09", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.monitorEnabled is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.monitorEnabled is not configured"), + ])); + + var msg382 = msg("Not_configured:09", part317); + + var part318 = match("MESSAGE#362:Not_configured:10", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.monitorInterval is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.monitorInterval is not configured"), + ])); + + var msg383 = msg("Not_configured:10", part318); + + var part319 = 
match("MESSAGE#363:Not_configured:11", "nwparser.payload", "com.rapid7.nexpose.nse.nscClient.connectTimeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nse.nscClient.connectTimeout is not configured"), + ])); + + var msg384 = msg("Not_configured:11", part319); + + var part320 = match("MESSAGE#364:Not_configured:12", "nwparser.payload", "com.rapid7.nexpose.nse.nscClient.readTimeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nse.nscClient.readTimeout is not configured"), + ])); + + var msg385 = msg("Not_configured:12", part320); + + var part321 = match("MESSAGE#365:Not_configured:13", "nwparser.payload", "com.rapid7.nexpose.reportGenerator.assetCollectionUpdateTimeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.reportGenerator.assetCollectionUpdateTimeout is not configured"), + ])); + + var msg386 = msg("Not_configured:13", part321); + + var part322 = match("MESSAGE#366:Not_configured:14", "nwparser.payload", "com.rapid7.nexpose.scan.consolidation.delay is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.consolidation.delay is not configured"), + ])); + + var msg387 = msg("Not_configured:14", part322); + + var part323 = match("MESSAGE#367:Not_configured:15", "nwparser.payload", "com.rapid7.nexpose.scan.lifecyclemonitor.delay is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.lifecyclemonitor.delay is not configured"), + ])); + + var msg388 = msg("Not_configured:15", part323); + + var part324 = match("MESSAGE#368:Not_configured:16", 
"nwparser.payload", "com.rapid7.nexpose.scan.usescanpool is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.usescanpool is not configured"), + ])); + + var msg389 = msg("Not_configured:16", part324); + + var part325 = match("MESSAGE#369:Not_configured:17", "nwparser.payload", "com.rapid7.nsc.workflow.timeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nsc.workflow.timeout is not configured"), + ])); + + var msg390 = msg("Not_configured:17", part325); + + var part326 = match("MESSAGE#370:Delivered", "nwparser.payload", "Delivered mail to %{to}: %{fld1->} %{fld2->} %{mail_id->} [InternalId=%{fld3}] Queued mail for delivery", processor_chain([ + dup56, + dup14, + dup15, + setc("action","Queued mail for delivery"), + ])); + + var msg391 = msg("Delivered", part326); + + var part327 = match("MESSAGE#371:Engine_update", "nwparser.payload", "Engine update thread pool shutting down.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Engine update thread pool shutting down"), + ])); + + var msg392 = msg("Engine_update", part327); + + var part328 = match("MESSAGE#372:Freed_triggers", "nwparser.payload", "Freed %{fld1->} triggers from 'acquired' / 'blocked' state.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Freed triggers from 'acquired' / 'blocked' state"), + ])); + + var msg393 = msg("Freed_triggers", part328); + + var part329 = match("MESSAGE#374:Upgrade_completed", "nwparser.payload", "PG Upgrade has completed succesfully%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Upgrade has completed succesfully"), + ])); + + var msg394 = msg("Upgrade_completed", part329); + + var part330 = match("MESSAGE#375:PG", "nwparser.payload", "%{fld1}: %{process->} %{param}", processor_chain([ + dup20, + dup14, + dup15, + ])); 
+ + var msg395 = msg("PG", part330); + + var select69 = linear_select([ + msg394, + msg395, + ]); + + var part331 = match("MESSAGE#376:DEFAULT_SCHEDULER", "nwparser.payload", "DEFAULT SCHEDULER: %{obj_name}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","DEFAULT SCHEDULER"), + ])); + + var msg396 = msg("DEFAULT_SCHEDULER", part331); + + var part332 = match("MESSAGE#377:Context_loader", "nwparser.payload", "Context loader config file is jar:file:%(unknown)", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Context loader config file"), + ])); + + var msg397 = msg("Context_loader", part332); + + var part333 = match("MESSAGE#378:Copied_file", "nwparser.payload", "Copied %{filename->} file from %{directory->} to %{info}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Copied file"), + ])); + + var msg398 = msg("Copied_file", part333); + + var part334 = match("MESSAGE#380:Java", "nwparser.payload", "Java HotSpot(TM) %{info}", processor_chain([ + dup20, + dup15, + setc("event_description","Console VM version"), + ])); + + var msg399 = msg("Java", part334); + + var part335 = match("MESSAGE#381:Changing", "nwparser.payload", "Changing permissions of %{obj_type->} '%{obj_name}' to %{change_new}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Changing permissions"), + ])); + + var msg400 = msg("Changing", part335); + + var part336 = match("MESSAGE#382:Changing:01", "nwparser.payload", "Changing the new database AUTH method to %{change_new}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Changing new database AUTH method"), + ])); + + var msg401 = msg("Changing:01", part336); + + var select70 = linear_select([ + msg400, + msg401, + ]); + + var part337 = match("MESSAGE#383:Job_execution", "nwparser.payload", "Job execution threads will use class loader of thread: %{info}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Job execution threads will use 
class loader"), + ])); + + var msg402 = msg("Job_execution", part337); + + var part338 = match("MESSAGE#384:Initialized:02", "nwparser.payload", "JobStoreCMT initialized.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","JobStoreCMT initialized"), + ])); + + var msg403 = msg("Initialized:02", part338); + + var part339 = match("MESSAGE#385:Initialized:03", "nwparser.payload", "Quartz scheduler '%{obj_name}' %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Quartz scheduler initialized"), + ])); + + var msg404 = msg("Initialized:03", part339); + + var part340 = match("MESSAGE#386:Created:03", "nwparser.payload", "Quartz Scheduler %{version->} created.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Quartz Scheduler created."), + ])); + + var msg405 = msg("Created:03", part340); + + var part341 = match("MESSAGE#387:Scheduler_version", "nwparser.payload", "Quartz scheduler version: %{version}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg406 = msg("Scheduler_version", part341); + + var select71 = linear_select([ + msg404, + msg405, + msg406, + ]); + + var part342 = match("MESSAGE#388:Recovering", "nwparser.payload", "Recovering %{fld1->} %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Recovering jobs"), + ])); + + var msg407 = msg("Recovering", part342); + + var part343 = match("MESSAGE#389:Recovery", "nwparser.payload", "Recovery complete.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Recovery"), + setc("disposition","Complete"), + ])); + + var msg408 = msg("Recovery", part343); + + var part344 = match("MESSAGE#390:Removed", "nwparser.payload", "Removed %{fld1->} 'complete' triggers.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Removed triggers"), + ])); + + var msg409 = msg("Removed", part344); + + var part345 = match("MESSAGE#391:Removed:01", "nwparser.payload", "Removed %{fld1->} stale fired 
job entries.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Removed job entries"), + ])); + + var msg410 = msg("Removed:01", part345); + + var select72 = linear_select([ + msg409, + msg410, + ]); + + var part346 = match("MESSAGE#392:Restoring", "nwparser.payload", "%{action}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg411 = msg("Restoring", part346); + + var part347 = match("MESSAGE#393:Upgrading", "nwparser.payload", "Upgrading database%{fld1}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Upgrading database"), + ])); + + var msg412 = msg("Upgrading", part347); + + var part348 = match("MESSAGE#394:Exploits", "nwparser.payload", "Exploits are up to date.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Exploits are up to date"), + ])); + + var msg413 = msg("Exploits", part348); + + var part349 = match("MESSAGE#395:Failure", "nwparser.payload", "Failure communicating with NSE @ %{dhost}:%{dport}.", processor_chain([ + dup53, + dup49, + dup27, + dup14, + dup15, + setc("event_description","Failure communicating with NSE"), + ])); + + var msg414 = msg("Failure", part349); + + var part350 = match("MESSAGE#396:Renamed", "nwparser.payload", "Renamed %{filename->} to %{info}", processor_chain([ + dup20, + dup57, + dup22, + dup14, + dup15, + ])); + + var msg415 = msg("Renamed", part350); + + var part351 = match("MESSAGE#397:Reinitializing", "nwparser.payload", "Reinitializing web server for maintenance mode...%{}", processor_chain([ + dup20, + dup57, + dup22, + dup14, + dup15, + setc("event_description","Reinitializing web server for maintenance mode"), + ])); + + var msg416 = msg("Reinitializing", part351); + + var part352 = match("MESSAGE#398:Replaced", "nwparser.payload", "Replaced %{change_old->} values from %{filename->} file with new auth method: %{change_new}.", processor_chain([ + dup20, + dup57, + dup22, + dup14, + dup15, + dup58, + ])); + + var msg417 = msg("Replaced", part352); + 
+ var part353 = match("MESSAGE#399:Replaced:01", "nwparser.payload", "Replaced %{change_old->} values from %{filename->} with new setting values", processor_chain([ + dup20, + dup57, + dup22, + dup14, + dup15, + dup58, + ])); + + var msg418 = msg("Replaced:01", part353); + + var select73 = linear_select([ + msg417, + msg418, + ]); + + var part354 = match("MESSAGE#400:System", "nwparser.payload", "System is running low on memory: %{fld1}MB total (%{fld2}MB free)", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","System is running low on memory"), + ])); + + var msg419 = msg("System", part354); + + var part355 = match("MESSAGE#401:System:01", "nwparser.payload", "%{info}", processor_chain([ + dup20, + dup14, + dup15, + dup30, + dup31, + dup32, + dup33, + ])); + + var msg420 = msg("System:01", part355); + + var select74 = linear_select([ + msg419, + msg420, + ]); + + var part356 = match("MESSAGE#402:Analyzing", "nwparser.payload", "Analyzing the database.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Analyzing the database"), + ])); + + var msg421 = msg("Analyzing", part356); + + var part357 = match("MESSAGE#403:Connection", "nwparser.payload", "Connection to the new database was successful. 
%{action}.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Connection to the new database was successful"), + ])); + + var msg422 = msg("Connection", part357); + + var part358 = match("MESSAGE#404:Handling", "nwparser.payload", "Handling %{fld1->} trigger(s) that missed their scheduled fire-time.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Handling trigger(s) that missed their scheduled fire-time"), + ])); + + var msg423 = msg("Handling", part358); + + var part359 = match("MESSAGE#406:LDAP", "nwparser.payload", "LDAP authentication requires resolution%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","LDAP authentication requires resolution"), + ])); + + var msg424 = msg("LDAP", part359); + + var part360 = match("MESSAGE#407:Maintenance", "nwparser.payload", "Maintenance Task Started%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Maintenance Task Started"), + ])); + + var msg425 = msg("Maintenance", part360); + + var msg426 = msg("Migration", dup61); + + var msg427 = msg("Mobile", dup68); + + var msg428 = msg("ConsoleScanImporter", dup68); + + var part361 = match("MESSAGE#421:Postgres:01", "nwparser.payload", "%{event_description}. Cleaning up. 
%{directory}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Cleaning up"), + ])); + + var msg429 = msg("Postgres:01", part361); + + var part362 = match("MESSAGE#422:Succesfully", "nwparser.payload", "Succesfully %{event_description->} to %{dport}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg430 = msg("Succesfully", part362); + + var part363 = match("MESSAGE#423:Unzipped", "nwparser.payload", "%{action->} %{fld1->} bytes into %{directory}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg431 = msg("Unzipped", part363); + + var part364 = match("MESSAGE#424:vacuumdb", "nwparser.payload", "%{process->} executed with a return value of %{resultcode}.", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg432 = msg("vacuumdb", part364); + + var part365 = match("MESSAGE#425:Processed_vuln", "nwparser.payload", "Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Processed vuln check types for %{fld5->} vuln checks.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Processed vuln check types"), + ])); + + var msg433 = msg("Processed_vuln", part365); + + var part366 = match("MESSAGE#430:Reflections", "nwparser.payload", "Reflections %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg434 = msg("Reflections", part366); + + var part367 = match("MESSAGE#431:CorrelationAttributes", "nwparser.payload", "0.16: %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg435 = msg("CorrelationAttributes", part367); + + var part368 = match("MESSAGE#432:CorrelationAttributes:01", "nwparser.payload", "0.49: %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg436 = msg("CorrelationAttributes:01", part368); + + var part369 = match("MESSAGE#433:CorrelationAttributes:02", "nwparser.payload", "0.245: %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg437 = msg("CorrelationAttributes:02", part369); + + var part370 = 
match("MESSAGE#434:CorrelationAttributes:03", "nwparser.payload", "0.325: %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg438 = msg("CorrelationAttributes:03", part370); + + var msg439 = msg("ConsoleProductInfoProvider", dup69); + + var msg440 = msg("NSXAssetEventHandler", dup69); + + var msg441 = msg("ProductNotificationService", dup69); + + var msg442 = msg("AssetEventHandler", dup69); + + var msg443 = msg("SiteEventHandler", dup69); + + var msg444 = msg("UserEventHandler", dup69); + + var msg445 = msg("VulnerabilityExceptionEventHandler", dup69); + + var msg446 = msg("TagEventHandler", dup69); + + var msg447 = msg("AssetGroupEventHandler", dup69); + + var msg448 = msg("ScanEventHandler", dup69); + + var part371 = match("MESSAGE#445:Not_configured:18", "nwparser.payload", "com.rapid7.nexpose.nsc.critical.task.executor.core.thread.pool.size is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.critical.task.executor.core.thread.pool.size is not configured"), + ])); + + var msg449 = msg("Not_configured:18", part371); + + var part372 = match("MESSAGE#446:Not_configured:19", "nwparser.payload", "com.rapid7.nexpose.nsc.scan.multiengine.scanHaltTimeoutMilliSecond is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scan.multiengine.scanHaltTimeoutMilliSecond is not configured"), + ])); + + var msg450 = msg("Not_configured:19", part372); + + var part373 = match("MESSAGE#447:Not_configured:20", "nwparser.payload", "com.rapid7.nexpose.nsc.scan.scan.event.monitor.poll.duration is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scan.scan.event.monitor.poll.duration is not configured"), + ])); + + var msg451 = msg("Not_configured:20", part373); + + var part374 = 
match("MESSAGE#448:Not_configured:21", "nwparser.payload", "com.rapid7.nexpose.nse.excludedFileSystems is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nse.excludedFileSystems is not configured"), + ])); + + var msg452 = msg("Not_configured:21", part374); + + var part375 = match("MESSAGE#449:Not_configured:22", "nwparser.payload", "com.rapid7.nexpose.scan.logCPUMemoryToMemLog.enable is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.logCPUMemoryToMemLog.enable is not configured"), + ])); + + var msg453 = msg("Not_configured:22", part375); + + var part376 = match("MESSAGE#450:Not_configured:23", "nwparser.payload", "com.rapid7.nexpose.scan.logMemory.interval is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.logMemory.interval is not configured"), + ])); + + var msg454 = msg("Not_configured:23", part376); + + var part377 = match("MESSAGE#451:Not_configured:24", "nwparser.payload", "com.rapid7.nexpose.scan.monitor.numberSavedAssetDurations is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.monitor.numberSavedAssetDurations is not configured"), + ])); + + var msg455 = msg("Not_configured:24", part377); + + var part378 = match("MESSAGE#452:Not_configured:25", "nwparser.payload", "com.rapid7.scan.perTestDurationLogging is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.scan.perTestDurationLogging is not configured"), + ])); + + var msg456 = msg("Not_configured:25", part378); + + var part379 = match("MESSAGE#453:Not_configured:26", "nwparser.payload", 
"com.rapid7.thread.threadPoolNonBlockingOpsProviderParallelism is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.thread.threadPoolNonBlockingOpsProviderParallelism is not configured"), + ])); + + var msg457 = msg("Not_configured:26", part379); + + var part380 = match("MESSAGE#454:Not_configured:27", "nwparser.payload", "com.rapid7.nexpose.nsc.critical.task.executor.max.thread.pool.size is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.critical.task.executor.max.thread.pool.size is not configured"), + ])); + + var msg458 = msg("Not_configured:27", part380); + + var part381 = match("MESSAGE#455:Spring", "nwparser.payload", "%{process->} detected on classpath: [%{fld2}]", processor_chain([ + dup20, + dup14, + dup15, + setc("action","detected"), + ])); + + var msg459 = msg("Spring", part381); + + var part382 = match("MESSAGE#456:Storing", "nwparser.payload", "%{fld1}] [%{fld2}] Storing scan details for %{event_type}.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Storing scan details"), + ])); + + var msg460 = msg("Storing", part382); + + var part383 = match("MESSAGE#457:Clearing", "nwparser.payload", "Clearing object tracker after %{dclass_counter1->} hits and %{dclass_counter2->} misses.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Clearing object tracker"), + ])); + + var msg461 = msg("Clearing", part383); + + var part384 = match("MESSAGE#458:All", "nwparser.payload", "%{fld1}] [%{fld2}] All scan engines are up to date.", processor_chain([ + dup20, + dup14, + dup15, + setc("result","All scan engines are up to date"), + ])); + + var msg462 = msg("All", part384); + + var part385 = match("MESSAGE#459:New", "nwparser.payload", "New Provider %{audit_object->} discovered.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","New 
Provider discovered"), + ])); + + var msg463 = msg("New", part385); + + var part386 = match("MESSAGE#463:Session", "nwparser.payload", "%{fld1}] [%{fld2}] [%{fld3}] Session created.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Session created"), + ])); + + var msg464 = msg("Session", part386); + + var part387 = match("MESSAGE#464:Debug", "nwparser.payload", "Debug logging is not enabled for this scan.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Debug logging is not enabled"), + ])); + + var msg465 = msg("Debug", part387); + + var msg466 = msg("Debug:01", dup61); + + var select75 = linear_select([ + msg465, + msg466, + ]); + + var part388 = match("MESSAGE#466:ACES", "nwparser.payload", "ACES logging is not enabled.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","ACES logging is not enabled"), + ])); + + var msg467 = msg("ACES", part388); + + var msg468 = msg("ACES:01", dup61); + + var select76 = linear_select([ + msg467, + msg468, + ]); + + var part389 = match("MESSAGE#468:Invulnerable", "nwparser.payload", "Invulnerable Data Storage is on.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Invulnerable Data Storage is on"), + ])); + + var msg469 = msg("Invulnerable", part389); + + var part390 = match("MESSAGE#469:Nmap", "nwparser.payload", "Nmap ARP Ping for local networks%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Nmap ARP Ping for local networks"), + ])); + + var msg470 = msg("Nmap", part390); + + var part391 = match("MESSAGE#470:Nmap:01", "nwparser.payload", "%{event_description}", processor_chain([ + setc("eventcategory","1801000000"), + dup14, + dup15, + ])); + + var msg471 = msg("Nmap:01", part391); + + var select77 = linear_select([ + msg470, + msg471, + ]); + + var part392 = match("MESSAGE#471:Cause/0_0", "nwparser.payload", "Authentication %{result->} for principal %{fld}] %{info}"); + + var part393 = 
match("MESSAGE#471:Cause/0_1", "nwparser.payload", " %{result}] %{info}"); + + var select78 = linear_select([ + part392, + part393, + ]); + + var all20 = all_match({ + processors: [ + select78, + ], + on_success: processor_chain([ + setc("eventcategory","1301000000"), + dup14, + dup15, + ]), + }); + + var msg472 = msg("Cause", all20); + + var part394 = match("MESSAGE#472:NEXPOSE_GENERIC", "nwparser.payload", "%{fld1}", processor_chain([ + setc("eventcategory","1901000000"), + dup15, + ])); + + var msg473 = msg("NEXPOSE_GENERIC", part394); + + var chain1 = processor_chain([ + select4, + msgid_select({ + "0.16": msg435, + "0.245": msg437, + "0.325": msg438, + "0.49": msg436, + "A": msg235, + "ACES": select76, + "Accepting": msg327, + "Acknowledged": msg273, + "Acknowledging": msg272, + "Activation": msg271, + "Adding": select25, + "Administrative": select49, + "Advertising": msg217, + "All": msg462, + "AllowUseOriginalMessage": msg349, + "An": msg287, + "Analyzing": msg421, + "Apache": msg347, + "Applying": msg164, + "Approved": msg267, + "Asserting": select28, + "AssetEventHandler": msg442, + "AssetGroupEventHandler": msg447, + "At": msg286, + "Attempting": select26, + "Authenticated": msg85, + "Authentication": select23, + "Auto-update": msg266, + "Available": msg308, + "Backing": msg372, + "Benchmark": msg365, + "Bulk": msg314, + "CIFS": msg203, + "CPU": msg304, + "CSIDL_SYSTEM": msg209, + "CSIDL_SYSTEMX86": msg208, + "Cached:": msg204, + "Cannot": select68, + "Cataloged": msg103, + "Cause": msg472, + "Changing": select70, + "CheckProcessor:": msg248, + "Checking": select41, + "Cleaning": select64, + "Clearing": msg461, + "Closing": select39, + "Compiling": msg318, + "Completed": select40, + "Computer": msg302, + "Configuring": msg336, + "Connection": msg422, + "Console": select12, + "ConsoleProductInfoProvider": msg439, + "ConsoleScanImporter": msg428, + "Context": msg397, + "Copied": msg398, + "Could": msg125, + "Created": select57, + "Creating": msg240, + 
"Current": select58, + "DB_VERSION": msg357, + "DEFAULT": msg396, + "DNS": msg172, + "Database": select62, + "Debug": select75, + "Default": msg346, + "Deleted": msg345, + "Delivered": msg391, + "Deploying": msg282, + "Destroying": msg277, + "Detected": msg329, + "Determining": select29, + "Disk": msg309, + "Done": select17, + "Downloaded": msg290, + "Downloading": msg289, + "Dumping": msg104, + "ERROR": select7, + "ERROR:": msg370, + "Enabling": msg333, + "Engine": msg392, + "Enumerating": msg205, + "Error": msg353, + "Establishing": msg264, + "EventLog": msg359, + "Exchange": msg211, + "Executing": select48, + "Exploits": msg413, + "ExtMgr": select8, + "FTP": msg149, + "Failed": msg112, + "Failure": msg414, + "Finished": select53, + "Firefox": msg259, + "Flash": msg183, + "Form": msg105, + "Found": select33, + "Freed": msg393, + "Freeing": select56, + "Generating": msg283, + "Getting": msg190, + "Got": msg156, + "Graceful": msg354, + "Granting": msg334, + "HHH000436:": msg268, + "Handling": msg423, + "Host": select42, + "IE": msg192, + "IP": msg218, + "Imported": select61, + "Importing": msg315, + "Inconsistency": msg83, + "Initialized": select66, + "Initializing": select51, + "Inserted": msg344, + "Installed": msg343, + "Installing": select37, + "Interrupted,": msg47, + "Invocation": msg278, + "Invulnerable": msg469, + "JAR": msg276, + "JMX": msg348, + "JRE": msg179, + "JVM": msg310, + "Java": msg399, + "Job": msg402, + "JobStoreCMT": msg403, + "Kill": msg295, + "LDAP": msg424, + "Listing": msg189, + "Loaded": select52, + "Loading": msg241, + "Local": msg356, + "Locating": msg249, + "Logging": msg258, + "MDAC": msg181, + "Maintenance": msg425, + "Making": msg360, + "Microsoft": msg180, + "Migration": msg426, + "Mobile": msg427, + "NEXPOSE_GENERIC": msg473, + "NOT_VULNERABLE": select5, + "NOT_VULNERABLE_VERSION": msg1, + "NSE": select11, + "NSXAssetEventHandler": msg440, + "Name": msg182, + "New": msg463, + "Nexpose": select13, + "Nmap": select77, + "No": 
select35, + "Number": msg305, + "OS": msg364, + "Operating": msg303, + "PG": select69, + "Parsed": msg178, + "Parsing": msg322, + "Patching": msg275, + "Pausing": msg311, + "Performing": select20, + "Policy": select60, + "Populating": msg358, + "PostgreSQL": msg340, + "Postgres": msg429, + "Preparing": msg67, + "Processed": msg433, + "Processing": msg97, + "Product": msg298, + "ProductNotificationService": msg441, + "ProtocolFper": msg31, + "Quartz": select71, + "QuartzRepeaterBuilder": msg371, + "Queued": msg252, + "Queueing": select18, + "Reading": msg253, + "Recovering": msg407, + "Recovery": msg408, + "Recursively": select27, + "Reflections": msg434, + "Refreshing": msg270, + "Registered": select54, + "Registering": msg254, + "Reinitializing": msg416, + "Relaunching": msg106, + "Remapped": msg324, + "Remapping": msg323, + "Removed": select72, + "Removing": msg285, + "Renamed": msg415, + "Replaced": select73, + "Report": select67, + "Requested": msg292, + "Resolving": msg171, + "Response": msg265, + "Restarting": msg291, + "Restoring": msg411, + "Retrieved": msg202, + "Retrieving": msg155, + "Rewrote": msg65, + "Route:": select55, + "Running": select30, + "SPIDER": msg66, + "SPIDER-XSS": msg96, + "SQL": msg212, + "Scan": select22, + "ScanEventHandler": msg448, + "ScanMgr": select9, + "Scanning": msg173, + "Scheduler": select63, + "Searching": msg109, + "Security": select15, + "Seeing": msg257, + "Sending": msg118, + "Service": select32, + "Session": msg464, + "Setting": msg361, + "Shutdown": msg49, + "Shutting": msg46, + "Site": msg84, + "SiteEventHandler": msg443, + "Skipping": msg184, + "Spring": msg459, + "Staged": msg269, + "Staging": msg284, + "Started": select47, + "Starting": select34, + "Stopping": msg331, + "Storing": msg460, + "StreamCaching": msg355, + "Succesfully": msg430, + "Successfully": msg263, + "Super": msg301, + "Synchronizing": msg321, + "System": select74, + "SystemFingerprint": msg108, + "TCP": msg250, + "TCPSocket": msg110, + 
"TagEventHandler": msg446, + "Telling": msg330, + "The": msg288, + "Total": select59, + "Truncating": msg320, + "Trusted": msg121, + "Trying": msg64, + "UDP": msg251, + "Unzipped": msg431, + "Update": select36, + "Updated": select46, + "Updating": select43, + "Upgrading": msg412, + "User": select24, + "UserEventHandler": msg444, + "Using": msg279, + "VERSION": msg328, + "VULNERABLE": select6, + "VULNERABLE_VERSION": msg2, + "Validating": msg274, + "Verifying": msg363, + "Version": msg335, + "Version:": msg191, + "Vulnerability": msg319, + "VulnerabilityExceptionEventHandler": msg445, + "Web": select16, + "Webmin": msg133, + "Windows": select38, + "building": msg117, + "but": msg98, + "checking": msg158, + "com.rapid.nexpose.scanpool.stateInterval": msg373, + "com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout": msg374, + "com.rapid7.nexpose.comms.clientConnectionProvider.getConnectionTimeout": msg375, + "com.rapid7.nexpose.datastore.connection.evictionThreadTime": msg376, + "com.rapid7.nexpose.datastore.eviction.connection.threadIdleTimeout": msg377, + "com.rapid7.nexpose.nsc.critical.task.executor.core.thread.pool.size": msg449, + "com.rapid7.nexpose.nsc.critical.task.executor.max.thread.pool.size": msg458, + "com.rapid7.nexpose.nsc.dbcc": msg378, + "com.rapid7.nexpose.nsc.scan.multiengine.scanHaltTimeoutMilliSecond": msg450, + "com.rapid7.nexpose.nsc.scan.scan.event.monitor.poll.duration": msg451, + "com.rapid7.nexpose.nsc.scanExecutorService.maximumCorePoolSize": msg379, + "com.rapid7.nexpose.nsc.scanExecutorService.minimumCorePoolSize": msg380, + "com.rapid7.nexpose.nsc.scanExecutorService.monitorCorePoolSizeIncreaseOnSaturation": msg381, + "com.rapid7.nexpose.nsc.scanExecutorService.monitorEnabled": msg382, + "com.rapid7.nexpose.nsc.scanExecutorService.monitorInterval": msg383, + "com.rapid7.nexpose.nse.excludedFileSystems": msg452, + "com.rapid7.nexpose.nse.nscClient.connectTimeout": msg384, + "com.rapid7.nexpose.nse.nscClient.readTimeout": 
msg385, + "com.rapid7.nexpose.reportGenerator.assetCollectionUpdateTimeout": msg386, + "com.rapid7.nexpose.scan.consolidation.delay": msg387, + "com.rapid7.nexpose.scan.lifecyclemonitor.delay": msg388, + "com.rapid7.nexpose.scan.logCPUMemoryToMemLog.enable": msg453, + "com.rapid7.nexpose.scan.logMemory.interval": msg454, + "com.rapid7.nexpose.scan.monitor.numberSavedAssetDurations": msg455, + "com.rapid7.nexpose.scan.usescanpool": msg389, + "com.rapid7.nsc.workflow.timeout": msg390, + "com.rapid7.scan.perTestDurationLogging": msg456, + "com.rapid7.thread.threadPoolNonBlockingOpsProviderParallelism": msg457, + "common": msg261, + "connected": msg111, + "creating": msg120, + "credentials": msg95, + "dcerpc-get-ms-blaster-codes": msg124, + "initdb": msg362, + "j_password": msg99, + "j_username": msg100, + "jess.JessException:": msg262, + "key": msg188, + "list-user-directory": msg123, + "loading": msg153, + "main": msg107, + "nodes": msg260, + "office": msg210, + "osspi_defaultTargetLocation": msg101, + "param:": msg174, + "persistent-xss": msg92, + "removing": msg332, + "sending": msg119, + "shutting": msg48, + "signon_type": msg122, + "spider-parse-robot-exclusions": msg102, + "starting": msg213, + "trying": msg154, + "unexpected": msg157, + "using": msg142, + "vacuumdb": msg432, + }), + ]); + + var hdr37 = match("HEADER#1:0022/0", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{p0}"); + + var part395 = match("HEADER#1:0022/1_1", "nwparser.p0", "%{hpriority}][%{p0}"); + + var part396 = match("HEADER#1:0022/1_2", "nwparser.p0", "%{hpriority}[%{p0}"); + + var hdr38 = match("HEADER#18:0034/0", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}]%{p0}"); + + var part397 = match("HEADER#18:0034/1_0", "nwparser.p0", " [%{p0}"); + + var part398 = match("HEADER#18:0034/1_1", "nwparser.p0", "[%{p0}"); + + var part399 = match("MESSAGE#17:NSE:01/0", "nwparser.payload", "%{} %{p0}"); + + var part400 = match("MESSAGE#52:Scan:06/0", "nwparser.payload", "Scan: 
[ %{p0}"); + + var part401 = match("MESSAGE#52:Scan:06/1_0", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + + var part402 = match("MESSAGE#52:Scan:06/1_1", "nwparser.p0", "%{saddr->} %{p0}"); + + var select79 = linear_select([ + dup7, + dup8, + ]); + + var part403 = match("MESSAGE#416:Nexpose:12", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var part404 = match("MESSAGE#46:SPIDER", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, + ])); + + var select80 = linear_select([ + dup41, + dup42, + ]); + + var part405 = match("MESSAGE#93:Attempting", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var part406 = match("MESSAGE#120:path", "nwparser.payload", "%{info}", processor_chain([ + dup20, + dup15, + ])); + + var part407 = match("MESSAGE#318:Loaded:01", "nwparser.payload", "%{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var part408 = match("MESSAGE#236:Finished:03", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup15, + ])); + + var part409 = match("MESSAGE#418:Mobile", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup25, + ])); + + var part410 = match("MESSAGE#435:ConsoleProductInfoProvider", "nwparser.payload", "%{fld1->} %{action}", processor_chain([ + dup20, + dup14, + dup15, + dup59, + ])); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/rapid7/0.1.0/dataset/nexpose/agent/stream/tcp.yml.hbs b/packages/rapid7/0.1.0/dataset/nexpose/agent/stream/tcp.yml.hbs new file mode 100644 index 0000000000..522eb1e9a4 --- /dev/null +++ b/packages/rapid7/0.1.0/dataset/nexpose/agent/stream/tcp.yml.hbs 
@@ -0,0 +1,8267 @@ +tcp: +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Rapid7" + product: "Nexpose" + type: "Vulnerability" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} [%{p0}"); + + var dup2 = match("HEADER#1:0022/1_1", "nwparser.p0", "%{hpriority}][%{p0}"); + + var dup3 = match("HEADER#1:0022/1_2", "nwparser.p0", "%{hpriority}[%{p0}"); + + var dup4 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": "), + field("payload"), + ], + }); + + var dup5 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("payload"), + ], + }); + + var dup6 = match("HEADER#18:0034/0", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}]%{p0}"); + + var dup7 = match("HEADER#18:0034/1_0", "nwparser.p0", " [%{p0}"); + + var dup8 = match("HEADER#18:0034/1_1", "nwparser.p0", "[%{p0}"); + + var dup9 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": "), + field("hfld1"), + constant(" "), + field("payload"), + ], + }); + + var dup10 = call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant("_"), + field("msgIdPart2"), + ], + }); + + var dup11 = setc("eventcategory","1614000000"); + + var dup12 = setc("ec_activity","Scan"); + + var dup13 = setc("ec_theme","TEV"); + + var dup14 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup15 = setf("msg","$MSG"); + + var dup16 = setf("obj_name","hobj_name"); + + var dup17 = setc("obj_type","Asset"); + + var dup18 = setc("eventcategory","1614030000"); + + var dup19 = setc("ec_outcome","Error"); + + var dup20 = setc("eventcategory","1605000000"); + + var dup21 = setc("ec_activity","Start"); + + var dup22 = setc("ec_outcome","Success"); + + var dup23 = setc("eventcategory","1611000000"); + + var dup24 = setc("ec_activity","Stop"); + + var dup25 = setc("action","Shutting down"); + + var dup26 = setc("action","shutting down"); + 
+ var dup27 = setc("ec_outcome","Failure"); + + var dup28 = match("MESSAGE#17:NSE:01/0", "nwparser.payload", "%{} %{p0}"); + + var dup29 = setf("fld17","hfld17"); + + var dup30 = setf("group_object","hsite"); + + var dup31 = setf("shost","hshost"); + + var dup32 = setf("sport","hsport"); + + var dup33 = setf("protocol","hprotocol"); + + var dup34 = setf("fld18","hinfo"); + + var dup35 = setc("ec_subject","Service"); + + var dup36 = setc("event_description","Nexpose is changing the database port number"); + + var dup37 = setc("event_state","DONE"); + + var dup38 = setc("event_description","Nexpose is executing data transfer process"); + + var dup39 = setc("event_description","Nexpose is installing the database"); + + var dup40 = match("MESSAGE#52:Scan:06/0", "nwparser.payload", "Scan: [ %{p0}"); + + var dup41 = match("MESSAGE#52:Scan:06/1_0", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + + var dup42 = match("MESSAGE#52:Scan:06/1_1", "nwparser.p0", "%{saddr->} %{p0}"); + + var dup43 = setc("ec_outcome","Unknown"); + + var dup44 = setc("eventcategory","1701000000"); + + var dup45 = setc("ec_subject","User"); + + var dup46 = setc("ec_activity","Logon"); + + var dup47 = setc("ec_theme","Authentication"); + + var dup48 = setc("eventcategory","1401030000"); + + var dup49 = setc("ec_subject","NetworkComm"); + + var dup50 = setc("ec_subject","Group"); + + var dup51 = setc("ec_activity","Detect"); + + var dup52 = setc("ec_theme","Configuration"); + + var dup53 = setc("eventcategory","1801010000"); + + var dup54 = setf("obj_type","messageid"); + + var dup55 = setc("event_description","Cannot preload incremental pool with a connection"); + + var dup56 = setc("eventcategory","1605030000"); + + var dup57 = setc("ec_activity","Modify"); + + var dup58 = setc("action","Replaced conf values"); + + var dup59 = setc("service","fld1"); + + var dup60 = linear_select([ + dup7, + dup8, + ]); + + var dup61 = match("MESSAGE#416:Nexpose:12", "nwparser.payload", "%{event_description}", 
processor_chain([ + dup20, + dup14, + dup15, + ])); + + var dup62 = match("MESSAGE#46:SPIDER", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, + ])); + + var dup63 = linear_select([ + dup41, + dup42, + ]); + + var dup64 = match("MESSAGE#93:Attempting", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var dup65 = match("MESSAGE#120:path", "nwparser.payload", "%{info}", processor_chain([ + dup20, + dup15, + ])); + + var dup66 = match("MESSAGE#318:Loaded:01", "nwparser.payload", "%{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var dup67 = match("MESSAGE#236:Finished:03", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup15, + ])); + + var dup68 = match("MESSAGE#418:Mobile", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup25, + ])); + + var dup69 = match("MESSAGE#435:ConsoleProductInfoProvider", "nwparser.payload", "%{fld1->} %{action}", processor_chain([ + dup20, + dup14, + dup15, + dup59, + ])); + + var hdr1 = match("HEADER#0:0031", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] %{hfld39}[Thread: %{messageid}] [Started: %{hfld40}] [Duration: %{hfld41}] %{payload}", processor_chain([ + setc("header_id","0031"), + ])); + + var part1 = match("HEADER#1:0022/1_0", "nwparser.p0", "%{hpriority}] %{hfld39}[%{p0}"); + + var select1 = linear_select([ + part1, + dup2, + dup3, + ]); + + var part2 = match("HEADER#1:0022/2", "nwparser.p0", "Thread: %{hfld17}] %{messageid->} %{payload}"); + + var all1 = all_match({ + processors: [ + dup1, + select1, + part2, + ], + on_success: processor_chain([ + setc("header_id","0022"), + ]), + }); + + var hdr2 = match("HEADER#2:0028", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] %{messageid}: %{payload}", 
processor_chain([ + setc("header_id","0028"), + dup4, + ])); + + var hdr3 = match("HEADER#3:0017", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0017"), + dup5, + ])); + + var hdr4 = match("HEADER#4:0024", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] %{hfld41->} %{messageid->} completed %{payload}", processor_chain([ + setc("header_id","0024"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" completed "), + field("payload"), + ], + }), + ])); + + var hdr5 = match("HEADER#5:0018", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}:%{hsport}/%{hprotocol}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0018"), + dup5, + ])); + + var hdr6 = match("HEADER#6:0029", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Silo ID: %{hfld22}] [Site: %{hsite}] [Site ID: %{hinfo}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0029"), + dup5, + ])); + + var hdr7 = match("HEADER#7:0019", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0019"), + dup5, + ])); + + var hdr8 = match("HEADER#8:0020", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}:%{hsport}/%{hprotocol}] [%{hinfo}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0020"), + dup5, + ])); + + var hdr9 = match("HEADER#9:0021", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}] [%{hinfo}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0021"), + dup5, + ])); + + var 
hdr10 = match("HEADER#10:0023", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}] [%{hinfo}]: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0023"), + dup5, + ])); + + var hdr11 = match("HEADER#11:0036", "message", "%NEXPOSE-%{hfld49}: %{hfld1}: %{messageid->} %{hfld2->} %{payload}", processor_chain([ + setc("header_id","0036"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("hfld2"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr12 = match("HEADER#12:0001", "message", "%NEXPOSE-%{hfld49}: %{messageid->} %{hdate}T%{htime->} [%{hobj_name}] %{payload}", processor_chain([ + setc("header_id","0001"), + ])); + + var hdr13 = match("HEADER#13:0037", "message", "%NEXPOSE-%{hfld49}: %{messageid->} %{hfld1->} '%{hfld2}' - %{hfld1->} %{payload}", processor_chain([ + setc("header_id","0037"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("hfld1"), + constant(" '"), + field("hfld2"), + constant("' - "), + field("hfld1"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr14 = match("HEADER#14:0002", "message", "%NEXPOSE-%{hfld49}: %{messageid->} %{hdate}T%{htime->} %{payload}", processor_chain([ + setc("header_id","0002"), + ])); + + var hdr15 = match("HEADER#15:0003", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] (%{hfld41}) %{messageid->} %{payload}", processor_chain([ + setc("header_id","0003"), + dup5, + ])); + + var hdr16 = match("HEADER#16:0030", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] %{messageid}: %{payload}", processor_chain([ + setc("header_id","0030"), + dup4, + ])); + + var hdr17 = match("HEADER#17:0040", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Principal: %{username}] [%{messageid}: %{payload}", 
processor_chain([ + setc("header_id","0040"), + ])); + + var part3 = match("HEADER#18:0034/2", "nwparser.p0", "Thread: %{hfld17}] [%{hfld18}] [%{hfld19}] %{messageid->} %{hfld21->} %{payload}"); + + var all2 = all_match({ + processors: [ + dup6, + dup60, + part3, + ], + on_success: processor_chain([ + setc("header_id","0034"), + ]), + }); + + var part4 = match("HEADER#19:0035/1_0", "nwparser.p0", "%{hpriority}] [%{p0}"); + + var select2 = linear_select([ + part4, + dup2, + dup3, + ]); + + var part5 = match("HEADER#19:0035/2", "nwparser.p0", "Thread: %{hfld17}] [%{hfld18}] %{messageid->} %{hfld21->} %{payload}"); + + var all3 = all_match({ + processors: [ + dup1, + select2, + part5, + ], + on_success: processor_chain([ + setc("header_id","0035"), + ]), + }); + + var hdr18 = match("HEADER#20:0004", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + dup5, + ])); + + var part6 = match("HEADER#21:0032/2", "nwparser.p0", "Thread: %{hfld17}] [Silo ID: %{hfld18}] [Report: %{hobj_name}] [%{messageid->} Config ID: %{hfld19}] %{payload}"); + + var all4 = all_match({ + processors: [ + dup6, + dup60, + part6, + ], + on_success: processor_chain([ + setc("header_id","0032"), + ]), + }); + + var hdr19 = match("HEADER#22:0038", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{messageid}: %{hfld1->} %{payload}", processor_chain([ + setc("header_id","0038"), + dup9, + ])); + + var hdr20 = match("HEADER#23:0039", "message", "%NEXPOSE-%{hfld49}: %{messageid}: %{hfld1->} %{payload}", processor_chain([ + setc("header_id","0039"), + dup9, + ])); + + var hdr21 = match("HEADER#24:0005", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld48->} %{hfld41->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0005"), + dup5, + ])); + + var hdr22 = match("HEADER#25:0006", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] 
[%{messageid}] %{payload}", processor_chain([ + setc("header_id","0006"), + ])); + + var part7 = match("HEADER#26:0033/2", "nwparser.p0", "Thread: %{hfld17}] [%{hfld18}] [%{hfld19}] [%{p0}"); + + var part8 = match("HEADER#26:0033/3_0", "nwparser.p0", "%{hfld20}] [%{hfld21}] [%{hfld22}] [%{hfld23}]%{p0}"); + + var part9 = match("HEADER#26:0033/3_1", "nwparser.p0", "%{hfld20}] [%{hfld21}]%{p0}"); + + var part10 = match("HEADER#26:0033/3_2", "nwparser.p0", "%{hfld20}]%{p0}"); + + var select3 = linear_select([ + part8, + part9, + part10, + ]); + + var part11 = match("HEADER#26:0033/4", "nwparser.p0", "%{} %{messageid->} %{hfld24->} %{payload}"); + + var all5 = all_match({ + processors: [ + dup6, + dup60, + part7, + select3, + part11, + ], + on_success: processor_chain([ + setc("header_id","0033"), + ]), + }); + + var hdr23 = match("HEADER#27:0007", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0007"), + dup5, + ])); + + var hdr24 = match("HEADER#28:0008", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] (%{messageid}) %{payload}", processor_chain([ + setc("header_id","0008"), + ])); + + var hdr25 = match("HEADER#29:0009", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{fld41->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0009"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("fld41"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr26 = match("HEADER#30:0010", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{messageid}: %{payload}", processor_chain([ + setc("header_id","0010"), + dup4, + ])); + + var hdr27 = match("HEADER#31:0011", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} %{messageid}(%{hobj_name}): %{payload}", processor_chain([ + setc("header_id","0011"), + ])); + + var 
hdr28 = match("HEADER#32:0012", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} %{hfld41->} %{hfld42->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0012"), + dup5, + ])); + + var hdr29 = match("HEADER#33:0013", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld45->} (%{hfld46}) - %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{payload}", processor_chain([ + setc("header_id","0013"), + call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant("_"), + field("msgIdPart2"), + constant("_"), + field("msgIdPart3"), + ], + }), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld45"), + constant(" ("), + field("hfld46"), + constant(") - "), + field("msgIdPart1"), + constant(" "), + field("msgIdPart2"), + constant(" "), + field("msgIdPart3"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr30 = match("HEADER#34:0014", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld45->} (%{hfld46}) - %{msgIdPart1->} %{msgIdPart2->} %{payload}", processor_chain([ + setc("header_id","0014"), + dup10, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld45"), + constant(" ("), + field("hfld46"), + constant(") - "), + field("msgIdPart1"), + constant(" "), + field("msgIdPart2"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr31 = match("HEADER#35:0015", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld45->} (%{hfld46}) - %{messageid->} %{payload}", processor_chain([ + setc("header_id","0015"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld45"), + constant(" ("), + field("hfld46"), + constant(") - "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr32 = match("HEADER#36:0016", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld45->} 
(%{hfld46}) - %{msgIdPart1->} %{msgIdPart2}(U) %{payload}", processor_chain([ + setc("header_id","0016"), + dup10, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld45"), + constant(" ("), + field("hfld46"), + constant(") - "), + field("msgIdPart1"), + constant(" "), + field("msgIdPart2"), + constant("(U) "), + field("payload"), + ], + }), + ])); + + var hdr33 = match("HEADER#37:0026", "message", "%NEXPOSE-%{hfld49}: %{messageid->} Constructor threw %{payload}", processor_chain([ + setc("header_id","0026"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" Constructor threw "), + field("payload"), + ], + }), + ])); + + var hdr34 = match("HEADER#38:0027", "message", "%NEXPOSE-%{hfld49}: %{messageid->} Called method %{payload}", processor_chain([ + setc("header_id","0027"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" Called method "), + field("payload"), + ], + }), + ])); + + var hdr35 = match("HEADER#39:0025", "message", "%NEXPOSE-%{hfld49}: %{hfld41->} %{hfld42->} %{messageid->} frames %{payload}", processor_chain([ + setc("header_id","0025"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" frames "), + field("payload"), + ], + }), + ])); + + var hdr36 = match("HEADER#40:9999", "message", "%NEXPOSE-%{hfld49}: %{payload}", processor_chain([ + setc("header_id","9999"), + setc("messageid","NEXPOSE_GENERIC"), + ])); + + var select4 = linear_select([ + hdr1, + all1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, + hdr10, + hdr11, + hdr12, + hdr13, + hdr14, + hdr15, + hdr16, + hdr17, + all2, + all3, + hdr18, + all4, + hdr19, + hdr20, + hdr21, + hdr22, + all5, + hdr23, + hdr24, + hdr25, + hdr26, + hdr27, + hdr28, + hdr29, + hdr30, + hdr31, + hdr32, + hdr33, + hdr34, + hdr35, + hdr36, + ]); + + var part12 = match("MESSAGE#0:NOT_VULNERABLE_VERSION", "nwparser.payload", "%{signame->} - NOT 
VULNERABLE VERSION .", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg1 = msg("NOT_VULNERABLE_VERSION", part12); + + var part13 = match("MESSAGE#1:VULNERABLE_VERSION", "nwparser.payload", "%{signame->} - VULNERABLE VERSION .", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg2 = msg("VULNERABLE_VERSION", part13); + + var part14 = match("MESSAGE#2:NOT_VULNERABLE", "nwparser.payload", "%{signame->} - NOT VULNERABLE [UNIQUE ID: %{fld45}]", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg3 = msg("NOT_VULNERABLE", part14); + + var part15 = match("MESSAGE#3:NOT_VULNERABLE:01", "nwparser.payload", "%{signame->} - NOT VULNERABLE(U) [UNIQUE ID: %{fld45}]", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg4 = msg("NOT_VULNERABLE:01", part15); + + var part16 = match("MESSAGE#4:NOT_VULNERABLE:02", "nwparser.payload", "%{signame->} - NOT VULNERABLE .", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg5 = msg("NOT_VULNERABLE:02", part16); + + var select5 = linear_select([ + msg3, + msg4, + msg5, + ]); + + var part17 = match("MESSAGE#5:VULNERABLE", "nwparser.payload", "%{signame->} - VULNERABLE [UNIQUE ID: %{fld45}]", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg6 = msg("VULNERABLE", part17); + + var part18 = match("MESSAGE#6:VULNERABLE:01", "nwparser.payload", "%{signame->} - VULNERABLE .", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg7 = msg("VULNERABLE:01", part18); + + var select6 = linear_select([ + msg6, + msg7, + ]); + + var part19 = match("MESSAGE#7:ERROR", "nwparser.payload", "%{signame->} - ERROR [UNIQUE ID: %{fld45}] - %{context}", processor_chain([ + dup18, + dup12, + dup13, + dup19, + dup14, + dup15, + dup16, + 
dup17, + ])); + + var msg8 = msg("ERROR", part19); + + var part20 = match("MESSAGE#8:ERROR:01", "nwparser.payload", "%{signame->} - ERROR - %{context}", processor_chain([ + dup18, + dup12, + dup13, + dup19, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg9 = msg("ERROR:01", part20); + + var select7 = linear_select([ + msg8, + msg9, + ]); + + var part21 = match("MESSAGE#9:ExtMgr", "nwparser.payload", "Initialization successful.%{}", processor_chain([ + dup20, + dup21, + dup13, + dup22, + dup14, + dup15, + setc("event_description","Initialization successful"), + ])); + + var msg10 = msg("ExtMgr", part21); + + var part22 = match("MESSAGE#10:ExtMgr:01", "nwparser.payload", "initializing...%{}", processor_chain([ + dup20, + dup21, + dup13, + dup14, + dup15, + setc("event_description","initializing"), + ])); + + var msg11 = msg("ExtMgr:01", part22); + + var part23 = match("MESSAGE#11:ExtMgr:02", "nwparser.payload", "Shutdown successful.%{}", processor_chain([ + dup23, + dup24, + dup13, + dup22, + dup14, + dup15, + setc("event_description","Shutdown successful."), + ])); + + var msg12 = msg("ExtMgr:02", part23); + + var part24 = match("MESSAGE#12:ExtMgr:03", "nwparser.payload", "Shutting down...%{}", processor_chain([ + dup23, + dup24, + dup13, + dup14, + dup15, + dup25, + ])); + + var msg13 = msg("ExtMgr:03", part24); + + var select8 = linear_select([ + msg10, + msg11, + msg12, + msg13, + ]); + + var part25 = match("MESSAGE#13:ScanMgr", "nwparser.payload", "Shutting down %{info}", processor_chain([ + dup20, + dup24, + dup13, + dup14, + dup15, + dup25, + ])); + + var msg14 = msg("ScanMgr", part25); + + var part26 = match("MESSAGE#14:ScanMgr:01", "nwparser.payload", "shutting down...%{}", processor_chain([ + dup23, + dup24, + dup13, + dup14, + dup15, + dup26, + ])); + + var msg15 = msg("ScanMgr:01", part26); + + var part27 = match("MESSAGE#15:ScanMgr:02", "nwparser.payload", "Scan %{fld30->} is being stopped.", processor_chain([ + dup20, + dup12, + dup13, + dup27, + 
dup14, + dup15, + ])); + + var msg16 = msg("ScanMgr:02", part27); + + var select9 = linear_select([ + msg14, + msg15, + msg16, + ]); + + var part28 = match("MESSAGE#16:NSE", "nwparser.payload", "Logging initialized %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Logging initialized"), + ])); + + var msg17 = msg("NSE", part28); + + var part29 = match("MESSAGE#17:NSE:01/1_0", "nwparser.p0", "Initializing %{p0}"); + + var part30 = match("MESSAGE#17:NSE:01/1_1", "nwparser.p0", "initializing %{p0}"); + + var select10 = linear_select([ + part29, + part30, + ]); + + var part31 = match("MESSAGE#17:NSE:01/2", "nwparser.p0", "%{} %{fld30}"); + + var all6 = all_match({ + processors: [ + dup28, + select10, + part31, + ], + on_success: processor_chain([ + dup20, + dup14, + dup15, + setc("action","Initializing"), + ]), + }); + + var msg18 = msg("NSE:01", all6); + + var part32 = match("MESSAGE#18:NSE:02", "nwparser.payload", "shutting down %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + dup26, + ])); + + var msg19 = msg("NSE:02", part32); + + var part33 = match("MESSAGE#19:NSE:03", "nwparser.payload", "NeXpose scan engine initialization completed.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","NeXpose scan engine initialization completed."), + ])); + + var msg20 = msg("NSE:03", part33); + + var part34 = match("MESSAGE#20:NSE:04", "nwparser.payload", "disabling promiscuous on all devices...%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","disabling promiscuous on all devices"), + ])); + + var msg21 = msg("NSE:04", part34); + + var part35 = match("MESSAGE#213:NSE:05", "nwparser.payload", "NSE connection failure%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg22 = msg("NSE:05", part35); + + var part36 = match("MESSAGE#328:NSE:07", "nwparser.payload", "NSE DN is %{info}", processor_chain([ + dup20, + dup14, + 
dup15, + ])); + + var msg23 = msg("NSE:07", part36); + + var select11 = linear_select([ + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + ]); + + var part37 = match("MESSAGE#21:Console", "nwparser.payload", "NSE Name: %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg24 = msg("Console", part37); + + var part38 = match("MESSAGE#22:Console:01", "nwparser.payload", "NSE Identifier: %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg25 = msg("Console:01", part38); + + var part39 = match("MESSAGE#23:Console:02", "nwparser.payload", "NSE version: %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg26 = msg("Console:02", part39); + + var part40 = match("MESSAGE#24:Console:03", "nwparser.payload", "Last update: %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg27 = msg("Console:03", part40); + + var part41 = match("MESSAGE#25:Console:04", "nwparser.payload", "VM version: %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg28 = msg("Console:04", part41); + + var part42 = match("MESSAGE#26:Console:05", "nwparser.payload", "log rotation completed%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","log rotation completed"), + ])); + + var msg29 = msg("Console:05", part42); + + var part43 = match("MESSAGE#27:Console:06", "nwparser.payload", "rotating logs...%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","rotating logs"), + ])); + + var msg30 = msg("Console:06", part43); + + var select12 = linear_select([ + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + ]); + + var part44 = match("MESSAGE#28:ProtocolFper", "nwparser.payload", "Loaded %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Loaded"), + ])); + + var msg31 = msg("ProtocolFper", part44); + + var part45 = match("MESSAGE#29:Nexpose", "nwparser.payload", "Closing service: %{fld30}", processor_chain([ + dup20, + 
dup35, + dup24, + dup14, + dup15, + dup16, + dup17, + setc("action","Closing service"), + ])); + + var msg32 = msg("Nexpose", part45); + + var part46 = match("MESSAGE#30:Nexpose:01", "nwparser.payload", "Freeing %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, + setc("action","Freeing"), + ])); + + var msg33 = msg("Nexpose:01", part46); + + var part47 = match("MESSAGE#31:Nexpose:02", "nwparser.payload", "starting %{fld30}", processor_chain([ + dup11, + dup12, + dup13, + dup22, + dup14, + dup15, + dup16, + dup17, + setc("action","starting"), + ])); + + var msg34 = msg("Nexpose:02", part47); + + var part48 = match("MESSAGE#32:Nexpose:03", "nwparser.payload", "%{fld31->} nodes completed, %{fld32->} active, %{fld33->} pending.", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg35 = msg("Nexpose:03", part48); + + var part49 = match("MESSAGE#373:Backup_completed", "nwparser.payload", "Nexpose system backup completed successfully in %{info}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Backup completed"), + ])); + + var msg36 = msg("Backup_completed", part49); + + var part50 = match("MESSAGE#408:Nexpose:04", "nwparser.payload", "Nexpose is changing the database port number from %{change_old->} to %{change_new}. 
DONE.", processor_chain([ + dup20, + dup14, + dup15, + dup36, + dup37, + ])); + + var msg37 = msg("Nexpose:04", part50); + + var part51 = match("MESSAGE#409:Nexpose:05", "nwparser.payload", "Nexpose is changing the database port number from %{change_old->} to %{change_new}.", processor_chain([ + dup20, + dup14, + dup15, + dup36, + ])); + + var msg38 = msg("Nexpose:05", part51); + + var part52 = match("MESSAGE#410:Nexpose:06", "nwparser.payload", "Nexpose is executing the data transfer process from %{change_old->} to %{change_new->} DONE.", processor_chain([ + dup20, + dup14, + dup15, + dup38, + dup37, + ])); + + var msg39 = msg("Nexpose:06", part52); + + var part53 = match("MESSAGE#411:Nexpose:07", "nwparser.payload", "Nexpose is executing the data transfer process from %{change_old->} to %{change_new}", processor_chain([ + dup20, + dup14, + dup15, + dup38, + ])); + + var msg40 = msg("Nexpose:07", part53); + + var part54 = match("MESSAGE#412:Nexpose:08", "nwparser.payload", "Nexpose is installing the %{db_name->} database. 
DONE.", processor_chain([ + dup20, + dup14, + dup15, + dup39, + dup37, + ])); + + var msg41 = msg("Nexpose:08", part54); + + var part55 = match("MESSAGE#413:Nexpose:09", "nwparser.payload", "Nexpose is installing the %{db_name->} database to %{directory->} using PostgreSQL binaries from package %(unknown).%{fld1}.", processor_chain([ + dup20, + dup14, + dup15, + dup39, + ])); + + var msg42 = msg("Nexpose:09", part55); + + var part56 = match("MESSAGE#414:Nexpose:10", "nwparser.payload", "Nexpose is moving %{change_old->} to %{change_new}.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Nexpose is moving a directory"), + ])); + + var msg43 = msg("Nexpose:10", part56); + + var part57 = match("MESSAGE#415:Nexpose:11", "nwparser.payload", "%{event_description->} DONE.", processor_chain([ + dup20, + dup14, + dup15, + dup37, + ])); + + var msg44 = msg("Nexpose:11", part57); + + var msg45 = msg("Nexpose:12", dup61); + + var select13 = linear_select([ + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, + msg45, + ]); + + var part58 = match("MESSAGE#33:Shutting", "nwparser.payload", "Shutting down %{fld30}", processor_chain([ + dup23, + dup14, + dup15, + dup16, + dup17, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + dup25, + ])); + + var msg46 = msg("Shutting", part58); + + var part59 = match("MESSAGE#34:shutting:01", "nwparser.payload", "Interrupted, %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg47 = msg("shutting:01", part59); + + var part60 = match("MESSAGE#35:shutting", "nwparser.payload", "shutting down %{fld30}", processor_chain([ + dup23, + dup14, + dup15, + dup16, + dup17, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + dup26, + ])); + + var msg48 = msg("shutting", part60); + + var part61 = match("MESSAGE#36:Shutdown", "nwparser.payload", "Shutdown successful.%{}", processor_chain([ + dup23, + dup14, + dup15, + dup16, + 
dup17, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + dup25, + ])); + + var msg49 = msg("Shutdown", part61); + + var part62 = match("MESSAGE#37:Security", "nwparser.payload", "Security Console shutting down.%{}", processor_chain([ + dup23, + dup14, + dup15, + dup29, + dup25, + ])); + + var msg50 = msg("Security", part62); + + var part63 = match("MESSAGE#261:Security:02", "nwparser.payload", "Security Console restarting from an auto-update%{}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg51 = msg("Security:02", part63); + + var part64 = match("MESSAGE#296:Security:06", "nwparser.payload", "Started: %{fld1}] [Duration: %{fld2}] Security Console started", processor_chain([ + dup20, + dup15, + ])); + + var msg52 = msg("Security:06", part64); + + var part65 = match("MESSAGE#297:Security:03/0", "nwparser.payload", "%{}Security Console %{p0}"); + + var part66 = match("MESSAGE#297:Security:03/1_0", "nwparser.p0", "started %{}"); + + var part67 = match("MESSAGE#297:Security:03/1_1", "nwparser.p0", "web interface ready. %{info->} "); + + var select14 = linear_select([ + part66, + part67, + ]); + + var all7 = all_match({ + processors: [ + part65, + select14, + ], + on_success: processor_chain([ + dup20, + dup15, + ]), + }); + + var msg53 = msg("Security:03", all7); + + var part68 = match("MESSAGE#426:Security:04", "nwparser.payload", "Security Console is launching in Maintenance Mode. 
%{action}.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Security Console is launching in Maintenance Mode"), + ])); + + var msg54 = msg("Security:04", part68); + + var part69 = match("MESSAGE#427:Security:05", "nwparser.payload", "Security Console update failed.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Security Console update failed"), + ])); + + var msg55 = msg("Security:05", part69); + + var select15 = linear_select([ + msg50, + msg51, + msg52, + msg53, + msg54, + msg55, + ]); + + var part70 = match("MESSAGE#38:Web", "nwparser.payload", "Web server stopped%{}", processor_chain([ + dup23, + dup14, + dup15, + dup16, + dup17, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("action","Stopped"), + ])); + + var msg56 = msg("Web", part70); + + var part71 = match("MESSAGE#304:Web:02", "nwparser.payload", "Web %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg57 = msg("Web:02", part71); + + var select16 = linear_select([ + msg56, + msg57, + ]); + + var part72 = match("MESSAGE#39:Done", "nwparser.payload", "Done shutting down.%{}", processor_chain([ + dup23, + dup14, + dup15, + dup16, + dup17, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + dup26, + ])); + + var msg58 = msg("Done", part72); + + var part73 = match("MESSAGE#282:Done:02", "nwparser.payload", "Done with statistics generation [Started: %{fld1}] [Duration: %{fld2}].", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg59 = msg("Done:02", part73); + + var select17 = linear_select([ + msg58, + msg59, + ]); + + var part74 = match("MESSAGE#40:Queueing:01", "nwparser.payload", "Queueing %{protocol->} port scan", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg60 = msg("Queueing:01", part74); + + var part75 = match("MESSAGE#41:Queueing", "nwparser.payload", "Queueing %{fld30}", processor_chain([ + dup20, + dup14, + 
dup15, + dup16, + dup17, + setc("action","Queueing"), + ])); + + var msg61 = msg("Queueing", part75); + + var select18 = linear_select([ + msg60, + msg61, + ]); + + var part76 = match("MESSAGE#42:Performing/0", "nwparser.payload", "Performing %{p0}"); + + var part77 = match("MESSAGE#42:Performing/1_0", "nwparser.p0", "form %{p0}"); + + var part78 = match("MESSAGE#42:Performing/1_1", "nwparser.p0", "query %{p0}"); + + var select19 = linear_select([ + part77, + part78, + ]); + + var part79 = match("MESSAGE#42:Performing/2", "nwparser.p0", "%{}injection against %{info}"); + + var all8 = all_match({ + processors: [ + part76, + select19, + part79, + ], + on_success: processor_chain([ + dup20, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + setc("action","Performing injection"), + ]), + }); + + var msg62 = msg("Performing", all8); + + var part80 = match("MESSAGE#43:Performing:01", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg63 = msg("Performing:01", part80); + + var select20 = linear_select([ + msg62, + msg63, + ]); + + var part81 = match("MESSAGE#44:Trying", "nwparser.payload", "Trying %{fld30->} injection %{fld31}", processor_chain([ + dup20, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + setc("action","Trying injection"), + ])); + + var msg64 = msg("Trying", part81); + + var part82 = match("MESSAGE#45:Rewrote", "nwparser.payload", "Rewrote to %{url}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg65 = msg("Rewrote", part82); + + var msg66 = msg("SPIDER", dup62); + + var msg67 = msg("Preparing", dup62); + + var part83 = match("MESSAGE#48:Scan", "nwparser.payload", "Scan started by: \"%{username}\" %{fld34}", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + setc("action","scan started"), + ])); + + var msg68 = msg("Scan", part83); + + var part84 = match("MESSAGE#49:Scan:01", "nwparser.payload", "Scan 
[%{fld35}] completed in %{fld36}", processor_chain([ + dup11, + dup12, + dup13, + dup22, + dup14, + dup15, + setc("action","scan completed"), + ])); + + var msg69 = msg("Scan:01", part84); + + var part85 = match("MESSAGE#50:Scan:03", "nwparser.payload", "Scan for site %{fld11->} started by Schedule[%{info}].", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg70 = msg("Scan:03", part85); + + var part86 = match("MESSAGE#51:Scan:04", "nwparser.payload", "Scan startup took %{fld24->} seconds", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg71 = msg("Scan:04", part86); + + var part87 = match("MESSAGE#52:Scan:06/2", "nwparser.p0", "] %{fld12->} (%{info}) - VULNERABLE VERSION"); + + var all9 = all_match({ + processors: [ + dup40, + dup63, + part87, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), + }); + + var msg72 = msg("Scan:06", all9); + + var part88 = match("MESSAGE#53:Scan:05/2", "nwparser.p0", "] %{fld12->} (%{info}) - VULNERABLE"); + + var all10 = all_match({ + processors: [ + dup40, + dup63, + part88, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), + }); + + var msg73 = msg("Scan:05", all10); + + var part89 = match("MESSAGE#54:Scan:07/2", "nwparser.p0", "] %{fld12->} (%{info}) - NOT VULNERABLE VERSION"); + + var all11 = all_match({ + processors: [ + dup40, + dup63, + part89, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), + }); + + var msg74 = msg("Scan:07", all11); + + var part90 = match("MESSAGE#55:Scan:09/2", "nwparser.p0", "] %{fld12->} (%{info}) - NOT VULNERABLE [UNIQUE ID: %{fld13}]"); + + var all12 = 
all_match({ + processors: [ + dup40, + dup63, + part90, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), + }); + + var msg75 = msg("Scan:09", all12); + + var part91 = match("MESSAGE#56:Scan:08/2", "nwparser.p0", "] %{fld12->} (%{info}) - NOT VULNERABLE"); + + var all13 = all_match({ + processors: [ + dup40, + dup63, + part91, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), + }); + + var msg76 = msg("Scan:08", all13); + + var part92 = match("MESSAGE#57:Scan:10", "nwparser.payload", "Scan for site %{fld12->} started by \"%{username}\".", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg77 = msg("Scan:10", part92); + + var part93 = match("MESSAGE#58:Scan:11", "nwparser.payload", "Scan stopped: \"%{username}\"", processor_chain([ + dup18, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg78 = msg("Scan:11", part93); + + var part94 = match("MESSAGE#59:Scan:12", "nwparser.payload", "Scan Engine shutting down...%{}", processor_chain([ + dup23, + dup12, + dup13, + dup19, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg79 = msg("Scan:12", part94); + + var part95 = match("MESSAGE#60:Scan:13", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Scan synopsis inconsistency resolved.", processor_chain([ + dup11, + dup12, + dup13, + dup22, + dup14, + dup15, + setc("event_description","Scan synopsis inconsistency resolved"), + ])); + + var msg80 = msg("Scan:13", part95); + + var part96 = match("MESSAGE#62:Scan:15/0", "nwparser.payload", "Silo ID: %{fld1}] [Scan ID: %{fld2}] Scan for site %{audit_object->} - %{p0}"); + + var part97 = match("MESSAGE#62:Scan:15/1_0", 
"nwparser.p0", "Non-Windows Systems Audit%{p0}"); + + var part98 = match("MESSAGE#62:Scan:15/1_1", "nwparser.p0", "Audit%{p0}"); + + var select21 = linear_select([ + part97, + part98, + ]); + + var part99 = match("MESSAGE#62:Scan:15/2", "nwparser.p0", "%{}restored. %{info}"); + + var all14 = all_match({ + processors: [ + part96, + select21, + part99, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup22, + dup14, + dup15, + setc("event_description","Scan for site restored"), + ]), + }); + + var msg81 = msg("Scan:15", all14); + + var part100 = match("MESSAGE#63:Scan:02", "nwparser.payload", "%{event_description}", processor_chain([ + dup11, + dup12, + dup13, + dup22, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg82 = msg("Scan:02", part100); + + var select22 = linear_select([ + msg68, + msg69, + msg70, + msg71, + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + msg82, + ]); + + var part101 = match("MESSAGE#61:Scan:14", "nwparser.payload", "Scan ID: %{fld1}] Inconsistency discovered for scan. %{info}", processor_chain([ + dup18, + dup12, + dup13, + dup43, + dup14, + dup15, + setc("event_description","Inconsistency discovered for scan"), + ])); + + var msg83 = msg("Scan:14", part101); + + var part102 = match("MESSAGE#64:Site", "nwparser.payload", "Site saved.%{}", processor_chain([ + dup44, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg84 = msg("Site", part102); + + var part103 = match("MESSAGE#65:Authenticated", "nwparser.payload", "Authenticated: %{username}", processor_chain([ + setc("eventcategory","1401060000"), + dup45, + dup46, + dup47, + dup22, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg85 = msg("Authenticated", part103); + + var part104 = match("MESSAGE#66:Authentication", "nwparser.payload", "Authentication failed. 
Login information is missing.%{}", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg86 = msg("Authentication", part104); + + var part105 = match("MESSAGE#67:Authentication:01", "nwparser.payload", "Authentication failed for %{username}: Access denied.", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg87 = msg("Authentication:01", part105); + + var part106 = match("MESSAGE#68:Authentication:02", "nwparser.payload", "Authentication failed. User account may be invalid or disabled.%{}", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg88 = msg("Authentication:02", part106); + + var part107 = match("MESSAGE#69:Authentication:03", "nwparser.payload", "%{info}", processor_chain([ + setc("eventcategory","1304000000"), + dup45, + dup46, + dup47, + dup14, + dup15, + dup16, + dup29, + ])); + + var msg89 = msg("Authentication:03", part107); + + var select23 = linear_select([ + msg86, + msg87, + msg88, + msg89, + ]); + + var part108 = match("MESSAGE#70:User", "nwparser.payload", "User (%{username}) is over the limit (%{fld12}) for failed login attempts.", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg90 = msg("User", part108); + + var part109 = match("MESSAGE#265:User:04", "nwparser.payload", "User name: %{username}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg91 = msg("User:04", part109); + + var select24 = linear_select([ + msg90, + msg91, + ]); + + var msg92 = msg("persistent-xss", dup61); + + var part110 = match("MESSAGE#72:Adding:01", "nwparser.payload", "Adding user to datastore: %{username}", 
processor_chain([ + setc("eventcategory","1402020200"), + dup45, + setc("ec_activity","Create"), + dup47, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("obj_type","User"), + ])); + + var msg93 = msg("Adding:01", part110); + + var msg94 = msg("Adding", dup62); + + var select25 = linear_select([ + msg93, + msg94, + ]); + + var msg95 = msg("credentials", dup62); + + var msg96 = msg("SPIDER-XSS", dup62); + + var msg97 = msg("Processing", dup62); + + var msg98 = msg("but", dup62); + + var msg99 = msg("j_password", dup62); + + var msg100 = msg("j_username", dup62); + + var msg101 = msg("osspi_defaultTargetLocation", dup62); + + var part111 = match("MESSAGE#81:spider-parse-robot-exclusions", "nwparser.payload", "spider-parse-robot-exclusions: %{fld40->} Malformed HTTP %{fld41}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg102 = msg("spider-parse-robot-exclusions", part111); + + var msg103 = msg("Cataloged", dup62); + + var msg104 = msg("Dumping", dup62); + + var msg105 = msg("Form", dup62); + + var msg106 = msg("Relaunching", dup62); + + var msg107 = msg("main", dup62); + + var msg108 = msg("SystemFingerprint", dup62); + + var part112 = match("MESSAGE#88:Searching", "nwparser.payload", "Searching for %{service->} domain %{fld11}...", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg109 = msg("Searching", part112); + + var msg110 = msg("TCPSocket", dup62); + + var part113 = match("MESSAGE#90:connected", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup49, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg111 = msg("connected", part113); + + var part114 = match("MESSAGE#91:Failed", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup49, + dup27, + dup14, + dup15, + ])); + + var msg112 = msg("Failed", part114); + + var part115 = match("MESSAGE#92:Attempting:01", 
"nwparser.payload", "Attempting to authenticate user %{username->} from %{saddr}.", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg113 = msg("Attempting:01", part115); + + var msg114 = msg("Attempting", dup64); + + var select26 = linear_select([ + msg113, + msg114, + ]); + + var part116 = match("MESSAGE#94:Recursively:01", "nwparser.payload", "Recursively listing files on %{service}[%{info}]", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg115 = msg("Recursively:01", part116); + + var msg116 = msg("Recursively", dup62); + + var select27 = linear_select([ + msg115, + msg116, + ]); + + var msg117 = msg("building", dup62); + + var msg118 = msg("Sending", dup62); + + var msg119 = msg("sending", dup64); + + var part117 = match("MESSAGE#99:creating", "nwparser.payload", "creating new connection to %{obj_name}", processor_chain([ + dup20, + dup49, + dup14, + dup15, + dup17, + ])); + + var msg120 = msg("creating", part117); + + var part118 = match("MESSAGE#100:Trusted", "nwparser.payload", "Trusted MAC address checking is disabled%{}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg121 = msg("Trusted", part118); + + var part119 = match("MESSAGE#101:signon_type", "nwparser.payload", "signon_type: %{fld40}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg122 = msg("signon_type", part119); + + var msg123 = msg("list-user-directory", dup62); + + var msg124 = msg("dcerpc-get-ms-blaster-codes", dup62); + + var msg125 = msg("Could", dup62); + + var part120 = match("MESSAGE#105:Asserting", "nwparser.payload", "Asserting software fingerprint name=%{obj_name}, version=%{version}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("obj_type","Software Fingerprint"), + ])); + + var msg126 = msg("Asserting", part120); 
+ + var part121 = match("MESSAGE#106:Asserting:01", "nwparser.payload", "Asserting run entry: %{service}: %(unknown)", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg127 = msg("Asserting:01", part121); + + var part122 = match("MESSAGE#107:Asserting:02", "nwparser.payload", "Asserting network interface: %{sinterface->} with IP: %{saddr->} and netmask: %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg128 = msg("Asserting:02", part122); + + var part123 = match("MESSAGE#108:Asserting:03", "nwparser.payload", "Asserting highest MDAC version of %{version}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg129 = msg("Asserting:03", part123); + + var msg130 = msg("Asserting:04", dup62); + + var select28 = linear_select([ + msg126, + msg127, + msg128, + msg129, + msg130, + ]); + + var part124 = match("MESSAGE#110:Determining:01", "nwparser.payload", "Determining version of file %{filename->} (%{application})", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg131 = msg("Determining:01", part124); + + var msg132 = msg("Determining", dup62); + + var select29 = linear_select([ + msg131, + msg132, + ]); + + var part125 = match("MESSAGE#112:Webmin", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup35, + dup27, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg133 = msg("Webmin", part125); + + var part126 = match("MESSAGE#113:Running:02", "nwparser.payload", "Running unresolved %{service}", processor_chain([ + dup20, + dup35, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg134 = msg("Running:02", part126); + + var part127 = match("MESSAGE#114:Running:01", "nwparser.payload", "Running 
%{protocol->} service %{service}", processor_chain([ + dup20, + dup35, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg135 = msg("Running:01", part127); + + var part128 = match("MESSAGE#115:Running", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup35, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg136 = msg("Running", part128); + + var select30 = linear_select([ + msg134, + msg135, + msg136, + ]); + + var part129 = match("MESSAGE#116:path:/0_0", "nwparser.payload", "Service path:%{p0}"); + + var part130 = match("MESSAGE#116:path:/0_1", "nwparser.payload", "path:%{p0}"); + + var select31 = linear_select([ + part129, + part130, + ]); + + var part131 = match("MESSAGE#116:path:/1", "nwparser.p0", "%{} %(unknown)"); + + var all15 = all_match({ + processors: [ + select31, + part131, + ], + on_success: processor_chain([ + dup20, + dup15, + ]), + }); + + var msg137 = msg("path:", all15); + + var part132 = match("MESSAGE#117:path:01", "nwparser.payload", "Service path is insecure.%{}", processor_chain([ + dup20, + dup15, + setc("info","Service path is insecure."), + ])); + + var msg138 = msg("path:01", part132); + + var part133 = match("MESSAGE#118:Service", "nwparser.payload", "Service %{service->} %{action->} on Provider: %{fld2}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg139 = msg("Service", part133); + + var part134 = match("MESSAGE#119:ServiceFingerprint", "nwparser.payload", "Service running: %{event_description}", processor_chain([ + dup20, + dup35, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg140 = msg("ServiceFingerprint", part134); + + var msg141 = msg("path", dup65); + + var select32 = linear_select([ + msg137, + msg138, + msg139, + msg140, + msg141, + ]); + + var msg142 = msg("using", dup61); + + var part135 = match("MESSAGE#122:Found:01", "nwparser.payload", "Found group: CIFS Group %{group}", processor_chain([ + dup20, + dup50, + dup51, + 
dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg143 = msg("Found:01", part135); + + var part136 = match("MESSAGE#123:Found:02", "nwparser.payload", "Found user: CIFS User %{username}", processor_chain([ + dup20, + dup45, + dup51, + dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg144 = msg("Found:02", part136); + + var part137 = match("MESSAGE#124:Found:03", "nwparser.payload", "Found user %{username}", processor_chain([ + dup20, + dup45, + dup51, + dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg145 = msg("Found:03", part137); + + var part138 = match("MESSAGE#125:Found:04", "nwparser.payload", "Found interface %{sinterface}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg146 = msg("Found:04", part138); + + var part139 = match("MESSAGE#126:Found:05", "nwparser.payload", "Found DHCP-assigned WINS server: %{saddr}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg147 = msg("Found:05", part139); + + var msg148 = msg("Found", dup62); + + var select33 = linear_select([ + msg143, + msg144, + msg145, + msg146, + msg147, + msg148, + ]); + + var part140 = match("MESSAGE#128:FTP", "nwparser.payload", "FTP name: %{fld40}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg149 = msg("FTP", part140); + + var part141 = match("MESSAGE#129:Starting:02", "nwparser.payload", "Starting Office fingerprinting with dir %{directory}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg150 = msg("Starting:02", part141); + + var part142 = match("MESSAGE#130:Starting:01", "nwparser.payload", "Starting scan against %{fld11->} (%{fld12}) with scan template: 
%{fld13}.", processor_chain([ + dup20, + dup12, + dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg151 = msg("Starting:01", part142); + + var msg152 = msg("Starting", dup62); + + var select34 = linear_select([ + msg150, + msg151, + msg152, + ]); + + var msg153 = msg("loading", dup61); + + var part143 = match("MESSAGE#133:trying", "nwparser.payload", "trying the next key: %{fld11}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg154 = msg("trying", part143); + + var msg155 = msg("Retrieving", dup64); + + var part144 = match("MESSAGE#135:Got", "nwparser.payload", "Got version: %{version}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + ])); + + var msg156 = msg("Got", part144); + + var msg157 = msg("unexpected", dup64); + + var part145 = match("MESSAGE#137:checking:03", "nwparser.payload", "checking version of '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg158 = msg("checking:03", part145); + + var part146 = match("MESSAGE#138:No", "nwparser.payload", "No closed UDP ports, IP fingerprinting may be less accurate%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg159 = msg("No", part146); + + var part147 = match("MESSAGE#139:No:01", "nwparser.payload", "No credentials available%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg160 = msg("No:01", part147); + + var part148 = match("MESSAGE#140:No:02", "nwparser.payload", "No access to %{directory->} with %{service}[%{info}]", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg161 = msg("No:02", part148); + + var part149 = match("MESSAGE#141:No:03", 
"nwparser.payload", "No approved updates found for processing.%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg162 = msg("No:03", part149); + + var msg163 = msg("No:04", dup61); + + var select35 = linear_select([ + msg159, + msg160, + msg161, + msg162, + msg163, + ]); + + var part150 = match("MESSAGE#142:Applying", "nwparser.payload", "Applying update ID %{fld12}.", processor_chain([ + dup44, + dup52, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg164 = msg("Applying", part150); + + var part151 = match("MESSAGE#143:Update", "nwparser.payload", "Update ID %{fld12->} applied successfully.", processor_chain([ + dup44, + dup52, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg165 = msg("Update", part151); + + var part152 = match("MESSAGE#227:Update:02", "nwparser.payload", "Update ID %{fld1}, for product ID %{id}, %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg166 = msg("Update:02", part152); + + var msg167 = msg("Update:03", dup61); + + var select36 = linear_select([ + msg165, + msg166, + msg167, + ]); + + var part153 = match("MESSAGE#144:Installing", "nwparser.payload", "Installing directory %{directory}.", processor_chain([ + dup20, + dup52, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg168 = msg("Installing", part153); + + var part154 = match("MESSAGE#145:Installing:01", "nwparser.payload", "Installing file, %(unknown).", processor_chain([ + dup20, + dup52, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg169 = msg("Installing:01", part154); + + var part155 = match("MESSAGE#405:Installing:02", "nwparser.payload", "Installing Postgres files into %{directory->} from %{info}", processor_chain([ + dup20, + dup14, + dup15, + 
setc("event_description","Installing Postgres files"), + ])); + + var msg170 = msg("Installing:02", part155); + + var select37 = linear_select([ + msg168, + msg169, + msg170, + ]); + + var part156 = match("MESSAGE#146:Resolving", "nwparser.payload", "Resolving additional DNS records%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg171 = msg("Resolving", part156); + + var part157 = match("MESSAGE#147:DNS", "nwparser.payload", "DNS name: %{obj_name}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("obj_type","DNS"), + ])); + + var msg172 = msg("DNS", part157); + + var part158 = match("MESSAGE#148:Scanning", "nwparser.payload", "Scanning %{fld23->} %{protocol->} ports", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg173 = msg("Scanning", part158); + + var msg174 = msg("param:", dup64); + + var part159 = match("MESSAGE#150:Windows", "nwparser.payload", "Windows %{obj_name->} dir is: '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg175 = msg("Windows", part159); + + var part160 = match("MESSAGE#151:Windows:01", "nwparser.payload", "Windows Media Player version: %{version}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg176 = msg("Windows:01", part160); + + var msg177 = msg("Windows:02", dup61); + + var select38 = linear_select([ + msg175, + msg176, + msg177, + ]); + + var msg178 = msg("Parsed", dup64); + + var part161 = match("MESSAGE#153:JRE", "nwparser.payload", "JRE version %{version->} is installed", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg179 = msg("JRE", part161); + 
+ var msg180 = msg("Microsoft", dup64); + + var part162 = match("MESSAGE#155:MDAC", "nwparser.payload", "MDAC version: %{version}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg181 = msg("MDAC", part162); + + var part163 = match("MESSAGE#156:Name", "nwparser.payload", "Name Server: %{saddr}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg182 = msg("Name", part163); + + var msg183 = msg("Flash", dup64); + + var msg184 = msg("Skipping", dup64); + + var part164 = match("MESSAGE#159:Closing", "nwparser.payload", "Closing service: %{service->} (source: %{info})", processor_chain([ + dup20, + dup35, + dup24, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg185 = msg("Closing", part164); + + var part165 = match("MESSAGE#238:Closing:03", "nwparser.payload", "Engine: %{fld1}] [Engine ID: %{fld3}] Closing connection to scan engine.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Closing connection to scan engine"), + ])); + + var msg186 = msg("Closing:03", part165); + + var msg187 = msg("Closing:02", dup61); + + var select39 = linear_select([ + msg185, + msg186, + msg187, + ]); + + var part166 = match("MESSAGE#160:key", "nwparser.payload", "key does not exist: %{fld11}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg188 = msg("key", part166); + + var part167 = match("MESSAGE#161:Listing", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup50, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg189 = msg("Listing", part167); + + var msg190 = msg("Getting", dup64); + + var part168 = match("MESSAGE#163:Version:", "nwparser.payload", "Version: %{version}", processor_chain([ + dup20, + dup14, + 
dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg191 = msg("Version:", part168); + + var msg192 = msg("IE", dup64); + + var part169 = match("MESSAGE#165:Completed", "nwparser.payload", "Completed %{protocol->} port scan (%{dclass_counter1->} open ports): %{fld11->} seconds", processor_chain([ + dup20, + dup12, + dup13, + dup22, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","No. of Open ports"), + ])); + + var msg193 = msg("Completed", part169); + + var part170 = match("MESSAGE#291:Completed:01", "nwparser.payload", "Completed %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg194 = msg("Completed:01", part170); + + var part171 = match("MESSAGE#344:Completed:02", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Completed computation of asset group synopses.", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Completed computation of asset group synopses"), + ])); + + var msg195 = msg("Completed:02", part171); + + var part172 = match("MESSAGE#345:Completed:03", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Completed computation of site synopsis.", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Completed computation of site synopsis"), + ])); + + var msg196 = msg("Completed:03", part172); + + var part173 = match("MESSAGE#346:Completed:04", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Completed recomputation of synopsis data.", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Completed recomputation of synopsis data"), + ])); + + var msg197 = msg("Completed:04", part173); + + var part174 = match("MESSAGE#347:Completed:05", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] %{event_description}", processor_chain([ + dup18, 
+ dup12, + dup13, + dup43, + dup14, + dup15, + ])); + + var msg198 = msg("Completed:05", part174); + + var part175 = match("MESSAGE#348:Completed:06", "nwparser.payload", "Started: %{fld2}T%{fld3}] [Duration: %{fld4}] %{event_description}", processor_chain([ + dup18, + dup12, + dup13, + dup43, + dup14, + dup15, + ])); + + var msg199 = msg("Completed:06", part175); + + var part176 = match("MESSAGE#460:Completed:07", "nwparser.payload", "%{fld1}] [%{fld2}] [%{fld3}] [%{fld4}] [Started: %{fld5}T%{fld6}] [Duration: %{fld7}] Completed purging sub-scan results.", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Completed purging sub-scan results"), + ])); + + var msg200 = msg("Completed:07", part176); + + var part177 = match("MESSAGE#461:Completed:08", "nwparser.payload", "SiteID: %{fld1}] [Scan ID: %{fld2}] [Started: %{fld3}T%{fld4}] [Duration: %{fld5}] Completed computation of synopsis.", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Completed computation of synopsis"), + ])); + + var msg201 = msg("Completed:08", part177); + + var select40 = linear_select([ + msg193, + msg194, + msg195, + msg196, + msg197, + msg198, + msg199, + msg200, + msg201, + ]); + + var part178 = match("MESSAGE#166:Retrieved", "nwparser.payload", "Retrieved XML version %{version->} for file %(unknown)", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg202 = msg("Retrieved", part178); + + var part179 = match("MESSAGE#167:CIFS", "nwparser.payload", "CIFS Name Service name: %{service}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg203 = msg("CIFS", part179); + + var msg204 = msg("Cached:", dup64); + + var msg205 = msg("Enumerating", dup64); + + var part180 = match("MESSAGE#170:Checking:01", "nwparser.payload", "Checking for approved updates.%{}", processor_chain([ + dup20, + dup14, + dup15, + 
dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg206 = msg("Checking:01", part180); + + var msg207 = msg("Checking:02", dup64); + + var select41 = linear_select([ + msg206, + msg207, + ]); + + var part181 = match("MESSAGE#172:CSIDL_SYSTEMX86", "nwparser.payload", "CSIDL_SYSTEMX86 dir is: '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg208 = msg("CSIDL_SYSTEMX86", part181); + + var part182 = match("MESSAGE#173:CSIDL_SYSTEM", "nwparser.payload", "CSIDL_SYSTEM dir is: '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg209 = msg("CSIDL_SYSTEM", part182); + + var part183 = match("MESSAGE#174:office", "nwparser.payload", "office root dir is: '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg210 = msg("office", part183); + + var part184 = match("MESSAGE#175:Exchange", "nwparser.payload", "Exchange root dir is: '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg211 = msg("Exchange", part184); + + var part185 = match("MESSAGE#176:SQL", "nwparser.payload", "SQL Server root dir is: '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg212 = msg("SQL", part185); + + var part186 = match("MESSAGE#177:starting", "nwparser.payload", "starting %{service}", processor_chain([ + dup20, + dup12, + dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg213 = msg("starting", part186); + + var part187 = match("MESSAGE#178:Host", "nwparser.payload", "Host type (from MAC %{smacaddr}): %{fld11}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + 
dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg214 = msg("Host", part187); + + var part188 = match("MESSAGE#268:Host:01", "nwparser.payload", "Host Address: %{saddr}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg215 = msg("Host:01", part188); + + var part189 = match("MESSAGE#269:Host:02", "nwparser.payload", "Host FQDN: %{fqdn}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg216 = msg("Host:02", part189); + + var select42 = linear_select([ + msg214, + msg215, + msg216, + ]); + + var part190 = match("MESSAGE#179:Advertising", "nwparser.payload", "Advertising %{service->} service", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg217 = msg("Advertising", part190); + + var part191 = match("MESSAGE#180:IP", "nwparser.payload", "IP fingerprint:%{fld11}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg218 = msg("IP", part191); + + var part192 = match("MESSAGE#181:Updating:01", "nwparser.payload", "Updating file, %(unknown).", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg219 = msg("Updating:01", part192); + + var part193 = match("MESSAGE#182:Updating", "nwparser.payload", "Updating %{info}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg220 = msg("Updating", part193); + + var select43 = linear_select([ + msg219, + msg220, + ]); + + var part194 = match("MESSAGE#183:Updated", "nwparser.payload", "Updated risk scores for %{dclass_counter1->} vulnerabilities in %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","Number of vulnerabilities"), + ])); + + var msg221 = msg("Updated", part194); + + var part195 = 
match("MESSAGE#184:Updated:01", "nwparser.payload", "Updated risk scores for %{dclass_counter1->} assets in %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","Number of assets"), + ])); + + var msg222 = msg("Updated:01", part195); + + var part196 = match("MESSAGE#185:Updated:02", "nwparser.payload", "Updated risk scores for %{dclass_counter1->} sites in %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","Number of sites"), + ])); + + var msg223 = msg("Updated:02", part196); + + var part197 = match("MESSAGE#186:Updated:03", "nwparser.payload", "Updated risk scores for %{dclass_counter1->} groups in %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","Number of groups"), + ])); + + var msg224 = msg("Updated:03", part197); + + var part198 = match("MESSAGE#260:Updated:04/0", "nwparser.payload", "Started: %{fld2}] [Duration: %{fld3}] Updated risk scores for %{fld1->} %{p0}"); + + var part199 = match("MESSAGE#260:Updated:04/1_0", "nwparser.p0", "vulnerabilities.%{}"); + + var part200 = match("MESSAGE#260:Updated:04/1_1", "nwparser.p0", "assets.%{}"); + + var part201 = match("MESSAGE#260:Updated:04/1_2", "nwparser.p0", "sites.%{}"); + + var part202 = match("MESSAGE#260:Updated:04/1_3", "nwparser.p0", "groups.%{}"); + + var select44 = linear_select([ + part199, + part200, + part201, + part202, + ]); + + var all16 = all_match({ + processors: [ + part198, + select44, + ], + on_success: processor_chain([ + dup20, + dup15, + ]), + }); + + var msg225 = msg("Updated:04", all16); + + var part203 = match("MESSAGE#311:Updated:06/0", "nwparser.payload", "%{fld1}] [Started: %{fld2}] [Duration: %{fld3}] Updated %{p0}"); + + var part204 = match("MESSAGE#311:Updated:06/1_0", "nwparser.p0", 
"scan risk scores%{p0}"); + + var part205 = match("MESSAGE#311:Updated:06/1_1", "nwparser.p0", "risk scores for site%{p0}"); + + var select45 = linear_select([ + part204, + part205, + ]); + + var part206 = match("MESSAGE#311:Updated:06/2", "nwparser.p0", ".%{}"); + + var all17 = all_match({ + processors: [ + part203, + select45, + part206, + ], + on_success: processor_chain([ + dup11, + dup14, + dup15, + setc("event_description","Updated risk scores"), + ]), + }); + + var msg226 = msg("Updated:06", all17); + + var msg227 = msg("Updated:05", dup65); + + var select46 = linear_select([ + msg221, + msg222, + msg223, + msg224, + msg225, + msg226, + msg227, + ]); + + var part207 = match("MESSAGE#187:Started", "nwparser.payload", "Started auto-update.%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg228 = msg("Started", part207); + + var msg229 = msg("Started:02", dup61); + + var select47 = linear_select([ + msg228, + msg229, + ]); + + var part208 = match("MESSAGE#188:Executing", "nwparser.payload", "Executing job JobID[%{info}] Risk and daily history updater for silo %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg230 = msg("Executing", part208); + + var part209 = match("MESSAGE#189:Executing:01", "nwparser.payload", "Executing job JobID[%{info}] Auto-update retriever", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg231 = msg("Executing:01", part209); + + var part210 = match("MESSAGE#190:Executing:02", "nwparser.payload", "Executing job JobID[%{info}] %{fld1->} retention updater-default", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg232 = msg("Executing:02", part210); + + var part211 = match("MESSAGE#191:Executing:04", "nwparser.payload", "Executing job JobID[%{info}] %{obj_type}: %{obj_name}", 
processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg233 = msg("Executing:04", part211); + + var part212 = match("MESSAGE#326:Executing:03", "nwparser.payload", "Executing SQL: %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg234 = msg("Executing:03", part212); + + var select48 = linear_select([ + msg230, + msg231, + msg232, + msg233, + msg234, + ]); + + var part213 = match("MESSAGE#192:A", "nwparser.payload", "A set of SSH administrative credentials have failed verification.%{}", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg235 = msg("A", part213); + + var part214 = match("MESSAGE#193:Administrative:01", "nwparser.payload", "Administrative credentials failed (access denied).%{}", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg236 = msg("Administrative:01", part214); + + var part215 = match("MESSAGE#194:Administrative", "nwparser.payload", "Administrative credentials for %{service->} will be used.", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg237 = msg("Administrative", part215); + + var select49 = linear_select([ + msg236, + msg237, + ]); + + var part216 = match("MESSAGE#195:Initializing:01", "nwparser.payload", "Engine: %{fld1}] [Engine ID: %{fld2}] Initializing remote scan engine (%{dhost}).", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Initializing remote scan engine"), + ])); + + var msg238 = msg("Initializing:01", part216); + + var part217 = match("MESSAGE#196:Initializing/1_0", "nwparser.p0", "Initializing %{service}."); + + var part218 = match("MESSAGE#196:Initializing/1_1", "nwparser.p0", "Initializing JDBC drivers %{}"); + + var part219 = match("MESSAGE#196:Initializing/1_2", 
"nwparser.p0", "%{event_description}"); + + var select50 = linear_select([ + part217, + part218, + part219, + ]); + + var all18 = all_match({ + processors: [ + dup28, + select50, + ], + on_success: processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), + }); + + var msg239 = msg("Initializing", all18); + + var select51 = linear_select([ + msg238, + msg239, + ]); + + var msg240 = msg("Creating", dup64); + + var msg241 = msg("Loading", dup64); + + var part220 = match("MESSAGE#199:Loaded", "nwparser.payload", "Loaded %{dclass_counter1->} policy checks for scan.", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","No. of policies"), + ])); + + var msg242 = msg("Loaded", part220); + + var msg243 = msg("Loaded:01", dup66); + + var select52 = linear_select([ + msg242, + msg243, + ]); + + var part221 = match("MESSAGE#200:Finished", "nwparser.payload", "Finished locating %{dclass_counter1->} live nodes. [Started: %{fld11}] [Duration: %{fld12}]", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","No. 
of live nodes"), + ])); + + var msg244 = msg("Finished", part221); + + var part222 = match("MESSAGE#201:Finished:01", "nwparser.payload", "Finished loading %{service}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg245 = msg("Finished:01", part222); + + var part223 = match("MESSAGE#202:Finished:02", "nwparser.payload", "Finished resolving DNS records%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg246 = msg("Finished:02", part223); + + var msg247 = msg("Finished:03", dup67); + + var select53 = linear_select([ + msg244, + msg245, + msg246, + msg247, + ]); + + var msg248 = msg("CheckProcessor:", dup64); + + var msg249 = msg("Locating", dup64); + + var part224 = match("MESSAGE#205:TCP", "nwparser.payload", "TCP port scanner is using: %{fld11}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg250 = msg("TCP", part224); + + var part225 = match("MESSAGE#206:UDP", "nwparser.payload", "UDP port scanner is using: %{fld11}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg251 = msg("UDP", part225); + + var part226 = match("MESSAGE#207:Queued", "nwparser.payload", "Queued live nodes for scanning: %{dclass_counter1}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","Live nodes"), + ])); + + var msg252 = msg("Queued", part226); + + var msg253 = msg("Reading", dup64); + + var msg254 = msg("Registering", dup64); + + var part227 = match("MESSAGE#210:Registered", "nwparser.payload", "Registered session [%{fld12}] for IP [%{saddr}]", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg255 = 
msg("Registered", part227); + + var part228 = match("MESSAGE#219:Registered:02", "nwparser.payload", "Registered session for principal name [%{username}] for IP [%{saddr}]", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg256 = msg("Registered:02", part228); + + var select54 = linear_select([ + msg255, + msg256, + ]); + + var part229 = match("MESSAGE#211:Seeing", "nwparser.payload", "Seeing if %{saddr->} is a valid network node", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg257 = msg("Seeing", part229); + + var part230 = match("MESSAGE#212:Logging", "nwparser.payload", "Logging initialized. [Name = %{obj_name}] [Level = %{fld11}] [Timezone = %{fld12}]", processor_chain([ + dup20, + dup14, + dup15, + dup16, + ])); + + var msg258 = msg("Logging", part230); + + var msg259 = msg("Firefox", dup64); + + var msg260 = msg("nodes", dup64); + + var msg261 = msg("common", dup67); + + var msg262 = msg("jess.JessException:", dup67); + + var part231 = match("MESSAGE#218:Successfully", "nwparser.payload", "Successfully %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg263 = msg("Successfully", part231); + + var msg264 = msg("Establishing", dup61); + + var msg265 = msg("Response", dup61); + + var msg266 = msg("Auto-update", dup61); + + var msg267 = msg("Approved:03", dup61); + + var msg268 = msg("HHH000436:", dup61); + + var msg269 = msg("Staged", dup61); + + var msg270 = msg("Refreshing", dup61); + + var msg271 = msg("Activation", dup61); + + var msg272 = msg("Acknowledging", dup61); + + var msg273 = msg("Acknowledged", dup61); + + var msg274 = msg("Validating", dup61); + + var msg275 = msg("Patching", dup61); + + var msg276 = msg("JAR", dup61); + + var msg277 = msg("Destroying", dup61); + + var msg278 = msg("Invocation", dup61); + + var msg279 = msg("Using", dup61); + + var part232 = match("MESSAGE#243:Route:01", "nwparser.payload", "Route: %{fld1->} shutdown 
complete, %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg280 = msg("Route:01", part232); + + var part233 = match("MESSAGE#244:Route:02", "nwparser.payload", "Route: %{fld1->} started and consuming from: %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg281 = msg("Route:02", part233); + + var select55 = linear_select([ + msg280, + msg281, + ]); + + var msg282 = msg("Deploying", dup61); + + var msg283 = msg("Generating", dup61); + + var msg284 = msg("Staging", dup61); + + var msg285 = msg("Removing", dup61); + + var msg286 = msg("At", dup61); + + var msg287 = msg("An", dup61); + + var msg288 = msg("The", dup61); + + var msg289 = msg("Downloading", dup61); + + var msg290 = msg("Downloaded", dup61); + + var msg291 = msg("Restarting", dup61); + + var msg292 = msg("Requested", dup61); + + var part234 = match("MESSAGE#257:Freeing", "nwparser.payload", "Freeing session for principal name [%{username}]", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg293 = msg("Freeing", part234); + + var part235 = match("MESSAGE#258:Freeing:01", "nwparser.payload", "Freeing %{dclass_counter1->} current sessions.", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg294 = msg("Freeing:01", part235); + + var select56 = linear_select([ + msg293, + msg294, + ]); + + var part236 = match("MESSAGE#259:Kill", "nwparser.payload", "Kill session for principal name [%{username}]", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg295 = msg("Kill", part236); + + var part237 = match("MESSAGE#262:Created:01", "nwparser.payload", "Created temporary directory %(unknown)", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg296 = msg("Created:01", part237); + + var part238 = match("MESSAGE#331:Created:02", "nwparser.payload", "Created %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg297 = msg("Created:02", part238); + + var select57 = linear_select([ + 
msg296, + msg297, + ]); + + var part239 = match("MESSAGE#263:Product", "nwparser.payload", "Product Version: %{version}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg298 = msg("Product", part239); + + var part240 = match("MESSAGE#264:Current", "nwparser.payload", "Current directory: %(unknown)", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg299 = msg("Current", part240); + + var part241 = match("MESSAGE#308:Current:01", "nwparser.payload", "Current DB_VERSION = %{version}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg300 = msg("Current:01", part241); + + var select58 = linear_select([ + msg299, + msg300, + ]); + + var part242 = match("MESSAGE#266:Super", "nwparser.payload", "Super user: %{result}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg301 = msg("Super", part242); + + var part243 = match("MESSAGE#267:Computer", "nwparser.payload", "Computer name: %{hostname}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg302 = msg("Computer", part243); + + var part244 = match("MESSAGE#270:Operating", "nwparser.payload", "Operating system: %{os}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg303 = msg("Operating", part244); + + var part245 = match("MESSAGE#271:CPU", "nwparser.payload", "CPU speed: %{fld1}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg304 = msg("CPU", part245); + + var part246 = match("MESSAGE#272:Number", "nwparser.payload", "Number of CPUs: %{dclass_counter1}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg305 = msg("Number", part246); + + var part247 = match("MESSAGE#273:Total", "nwparser.payload", "Total %{fld1}: %{fld2}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg306 = msg("Total", part247); + + var part248 = match("MESSAGE#320:Total:02", "nwparser.payload", "Total %{dclass_counter1->} routes, of which %{dclass_counter2->} is started.", processor_chain([ + dup20, + dup14, + dup15, + ])); + + 
var msg307 = msg("Total:02", part248); + + var select59 = linear_select([ + msg306, + msg307, + ]); + + var part249 = match("MESSAGE#274:Available", "nwparser.payload", "Available %{fld1}: %{fld2}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg308 = msg("Available", part249); + + var part250 = match("MESSAGE#275:Disk", "nwparser.payload", "Disk space used by %{fld1}: %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg309 = msg("Disk", part250); + + var part251 = match("MESSAGE#276:JVM", "nwparser.payload", "JVM %{fld1}: %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg310 = msg("JVM", part251); + + var part252 = match("MESSAGE#277:Pausing", "nwparser.payload", "Pausing ProtocolHandler [%{info}]", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg311 = msg("Pausing", part252); + + var part253 = match("MESSAGE#278:Policy", "nwparser.payload", "Policy %{policyname->} replaces %{fld1}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg312 = msg("Policy", part253); + + var part254 = match("MESSAGE#420:Policy:01", "nwparser.payload", "Policy benchmark %{policyname->} in %{info->} with hash %{fld1->} is not valid builtin content and will not load.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Policy benchmark is not valid builtin content and will not load"), + ])); + + var msg313 = msg("Policy:01", part254); + + var select60 = linear_select([ + msg312, + msg313, + ]); + + var part255 = match("MESSAGE#279:Bulk", "nwparser.payload", "Bulk %{action->} %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg314 = msg("Bulk", part255); + + var part256 = match("MESSAGE#280:Importing", "nwparser.payload", "%{action->} %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg315 = msg("Importing", part256); + + var part257 = match("MESSAGE#281:Imported", "nwparser.payload", "%{action->} %{dclass_counter1->} new categories, categorized 
%{fld1->} vulnerabilities and %{fld2->} tags.", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg316 = msg("Imported", part257); + + var msg317 = msg("Imported:01", dup65); + + var select61 = linear_select([ + msg316, + msg317, + ]); + + var part258 = match("MESSAGE#283:Compiling", "nwparser.payload", "Compiling %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg318 = msg("Compiling", part258); + + var part259 = match("MESSAGE#284:Vulnerability", "nwparser.payload", "Vulnerability %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg319 = msg("Vulnerability", part259); + + var part260 = match("MESSAGE#285:Truncating", "nwparser.payload", "Truncating %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg320 = msg("Truncating", part260); + + var part261 = match("MESSAGE#286:Synchronizing", "nwparser.payload", "Synchronizing %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg321 = msg("Synchronizing", part261); + + var part262 = match("MESSAGE#287:Parsing", "nwparser.payload", "Parsing %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg322 = msg("Parsing", part262); + + var part263 = match("MESSAGE#288:Remapping", "nwparser.payload", "Remapping %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg323 = msg("Remapping", part263); + + var part264 = match("MESSAGE#289:Remapped", "nwparser.payload", "Started: %{fld1}] [Duration: %{fld2}] Remapped %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg324 = msg("Remapped", part264); + + var part265 = match("MESSAGE#290:Database", "nwparser.payload", "Started: %{fld1}] [Duration: %{fld2}] Database %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg325 = msg("Database", part265); + + var part266 = match("MESSAGE#428:Database:01", "nwparser.payload", "Database %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg326 = msg("Database:01", part266); + + var 
select62 = linear_select([ + msg325, + msg326, + ]); + + var part267 = match("MESSAGE#292:Accepting", "nwparser.payload", "Accepting %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg327 = msg("Accepting", part267); + + var part268 = match("MESSAGE#293:VERSION:03", "nwparser.payload", "VERSION %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg328 = msg("VERSION:03", part268); + + var part269 = match("MESSAGE#294:Detected", "nwparser.payload", "Detected %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg329 = msg("Detected", part269); + + var part270 = match("MESSAGE#295:Telling", "nwparser.payload", "Telling %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg330 = msg("Telling", part270); + + var part271 = match("MESSAGE#298:Stopping", "nwparser.payload", "Stopping %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg331 = msg("Stopping", part271); + + var part272 = match("MESSAGE#299:removing", "nwparser.payload", "removing %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg332 = msg("removing", part272); + + var part273 = match("MESSAGE#300:Enabling", "nwparser.payload", "Enabling %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg333 = msg("Enabling", part273); + + var part274 = match("MESSAGE#301:Granting", "nwparser.payload", "Granting %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg334 = msg("Granting", part274); + + var part275 = match("MESSAGE#302:Version", "nwparser.payload", "Version %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg335 = msg("Version", part275); + + var part276 = match("MESSAGE#303:Configuring", "nwparser.payload", "Configuring %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg336 = msg("Configuring", part276); + + var part277 = match("MESSAGE#305:Scheduler", "nwparser.payload", "Scheduler %{info}", processor_chain([ 
+ dup20, + dup14, + dup15, + ])); + + var msg337 = msg("Scheduler", part277); + + var part278 = match("MESSAGE#341:Scheduler:01", "nwparser.payload", "Silo: %{fld1}] [Started: %{fld2}] [Duration: %{fld3}] Scheduler started.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Scheduler started"), + ])); + + var msg338 = msg("Scheduler:01", part278); + + var part279 = match("MESSAGE#429:Scheduler:02", "nwparser.payload", "%{fld1}: %{fld2}] Scheduler %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg339 = msg("Scheduler:02", part279); + + var select63 = linear_select([ + msg337, + msg338, + msg339, + ]); + + var part280 = match("MESSAGE#306:PostgreSQL", "nwparser.payload", "PostgreSQL %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg340 = msg("PostgreSQL", part280); + + var part281 = match("MESSAGE#307:Cleaning", "nwparser.payload", "Cleaning %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg341 = msg("Cleaning", part281); + + var part282 = match("MESSAGE#462:Cleaning:01", "nwparser.payload", "%{fld1}] [%{fld2}] [%{fld3}] [%{fld4}] Cleaning up sub-scan results.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Cleaning up sub-scan results"), + ])); + + var msg342 = msg("Cleaning:01", part282); + + var select64 = linear_select([ + msg341, + msg342, + ]); + + var part283 = match("MESSAGE#309:Installed:01/0", "nwparser.payload", "Installed DB%{p0}"); + + var part284 = match("MESSAGE#309:Installed:01/1_0", "nwparser.p0", "_VERSION after upgrade%{p0}"); + + var part285 = match("MESSAGE#309:Installed:01/1_1", "nwparser.p0", " VERSION %{p0}"); + + var select65 = linear_select([ + part284, + part285, + ]); + + var part286 = match("MESSAGE#309:Installed:01/2", "nwparser.p0", "%{}= %{version}"); + + var all19 = all_match({ + processors: [ + part283, + select65, + part286, + ], + on_success: processor_chain([ + dup20, + dup14, + dup15, + ]), + }); + + var msg343 = 
msg("Installed:01", all19); + + var part287 = match("MESSAGE#310:Inserted", "nwparser.payload", "Inserted %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg344 = msg("Inserted", part287); + + var part288 = match("MESSAGE#313:Deleted", "nwparser.payload", "Started: %{fld1}] [Duration: %{fld2}] Deleted %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg345 = msg("Deleted", part288); + + var msg346 = msg("Default", dup66); + + var msg347 = msg("Apache", dup66); + + var msg348 = msg("JMX", dup66); + + var msg349 = msg("AllowUseOriginalMessage", dup66); + + var part289 = match("MESSAGE#321:Initialized", "nwparser.payload", "Initialized PolicyCheckService with %{dclass_counter1->} benchmarks, containing %{fld1->} policies. The total check count is %{dclass_counter2}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg350 = msg("Initialized", part289); + + var part290 = match("MESSAGE#322:Initialized:01", "nwparser.payload", "Initialized %{dclass_counter1->} policy benchmarks in total.", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg351 = msg("Initialized:01", part290); + + var part291 = match("MESSAGE#379:Initialized_Scheduler", "nwparser.payload", "Initialized Scheduler Signaller of type: %{obj_type->} %{obj_name}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Initialized Scheduler Signaller"), + ])); + + var msg352 = msg("Initialized_Scheduler", part291); + + var select66 = linear_select([ + msg350, + msg351, + msg352, + ]); + + var msg353 = msg("Error", dup66); + + var part292 = match("MESSAGE#324:Graceful", "nwparser.payload", "Graceful shutdown of %{dclass_counter1->} routes completed in %{dclass_counter2->} seconds", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg354 = msg("Graceful", part292); + + var msg355 = msg("StreamCaching", dup61); + + var msg356 = msg("Local", dup66); + + var part293 = match("MESSAGE#329:DB_VERSION", "nwparser.payload", "DB_VERSION = 
%{version}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg357 = msg("DB_VERSION", part293); + + var part294 = match("MESSAGE#330:Populating", "nwparser.payload", "Populating %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg358 = msg("Populating", part294); + + var part295 = match("MESSAGE#332:EventLog", "nwparser.payload", "EventLog %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg359 = msg("EventLog", part295); + + var part296 = match("MESSAGE#333:Making", "nwparser.payload", "Making %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg360 = msg("Making", part296); + + var part297 = match("MESSAGE#334:Setting", "nwparser.payload", "Setting %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg361 = msg("Setting", part297); + + var part298 = match("MESSAGE#335:initdb", "nwparser.payload", "initdb %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg362 = msg("initdb", part298); + + var part299 = match("MESSAGE#336:Verifying", "nwparser.payload", "Verifying %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg363 = msg("Verifying", part299); + + var msg364 = msg("OS", dup66); + + var part300 = match("MESSAGE#338:Benchmark", "nwparser.payload", "Benchmark %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg365 = msg("Benchmark", part300); + + var part301 = match("MESSAGE#339:Report:01", "nwparser.payload", "Report Config ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup29, + dup54, + dup16, + ])); + + var msg366 = msg("Report:01", part301); + + var part302 = match("MESSAGE#340:Report", "nwparser.payload", "Report Config ID: %{fld1}] %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup29, + dup54, + dup16, + ])); + + var msg367 = msg("Report", part302); + + var select67 = linear_select([ + msg366, + 
msg367, + ]); + + var part303 = match("MESSAGE#342:Cannot_preload", "nwparser.payload", "Engine ID: %{fld1}] [Engine Name: %{fld2}] Cannot preload incremental pool with a connection %{fld3}", processor_chain([ + dup53, + dup14, + dup15, + dup55, + ])); + + var msg368 = msg("Cannot_preload", part303); + + var part304 = match("MESSAGE#343:Cannot_preload:01", "nwparser.payload", "Cannot preload incremental pool with a connection%{fld3}", processor_chain([ + dup53, + dup14, + dup15, + dup55, + ])); + + var msg369 = msg("Cannot_preload:01", part304); + + var select68 = linear_select([ + msg368, + msg369, + ]); + + var part305 = match("MESSAGE#349:ERROR:02", "nwparser.payload", "ERROR: syntax error at or near \"%{fld1}\"", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Syntax error"), + ])); + + var msg370 = msg("ERROR:02", part305); + + var part306 = match("MESSAGE#350:QuartzRepeaterBuilder", "nwparser.payload", "QuartzRepeaterBuilder failed to add schedule to ScanConfig: null%{}", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","QuartzRepeaterBuilder failed to add schedule"), + ])); + + var msg371 = msg("QuartzRepeaterBuilder", part306); + + var part307 = match("MESSAGE#351:Backing_up", "nwparser.payload", "Backing up %{event_source}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Backing up"), + ])); + + var msg372 = msg("Backing_up", part307); + + var part308 = match("MESSAGE#352:Not_configured", "nwparser.payload", "com.rapid.nexpose.scanpool.stateInterval is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid.nexpose.scanpool.stateInterval is not configured"), + ])); + + var msg373 = msg("Not_configured", part308); + + var part309 = match("MESSAGE#353:Not_configured:01", "nwparser.payload", "com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout is not configured - returning default value 
%{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout is not configured"), + ])); + + var msg374 = msg("Not_configured:01", part309); + + var part310 = match("MESSAGE#354:Not_configured:02", "nwparser.payload", "com.rapid7.nexpose.comms.clientConnectionProvider.getConnectionTimeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.comms.clientConnectionProvider.getConnectionTimeout is not configured"), + ])); + + var msg375 = msg("Not_configured:02", part310); + + var part311 = match("MESSAGE#355:Not_configured:03", "nwparser.payload", "com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured"), + ])); + + var msg376 = msg("Not_configured:03", part311); + + var part312 = match("MESSAGE#356:Not_configured:04", "nwparser.payload", "com.rapid7.nexpose.datastore.eviction.connection.threadIdleTimeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.datastore.eviction.connection.threadIdleTimeout is not configured"), + ])); + + var msg377 = msg("Not_configured:04", part312); + + var part313 = match("MESSAGE#357:Not_configured:05", "nwparser.payload", "com.rapid7.nexpose.nsc.dbcc is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.dbcc is not configured"), + ])); + + var msg378 = msg("Not_configured:05", part313); + + var part314 = match("MESSAGE#358:Not_configured:06", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.maximumCorePoolSize is not 
configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.maximumCorePoolSize is not configured"), + ])); + + var msg379 = msg("Not_configured:06", part314); + + var part315 = match("MESSAGE#359:Not_configured:07", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.minimumCorePoolSize is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.minimumCorePoolSize is not configured"), + ])); + + var msg380 = msg("Not_configured:07", part315); + + var part316 = match("MESSAGE#360:Not_configured:08", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.monitorCorePoolSizeIncreaseOnSaturation is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.monitorCorePoolSizeIncreaseOnSaturation is not configured"), + ])); + + var msg381 = msg("Not_configured:08", part316); + + var part317 = match("MESSAGE#361:Not_configured:09", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.monitorEnabled is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.monitorEnabled is not configured"), + ])); + + var msg382 = msg("Not_configured:09", part317); + + var part318 = match("MESSAGE#362:Not_configured:10", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.monitorInterval is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.monitorInterval is not configured"), + ])); + + var msg383 = msg("Not_configured:10", part318); + + var part319 = 
match("MESSAGE#363:Not_configured:11", "nwparser.payload", "com.rapid7.nexpose.nse.nscClient.connectTimeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nse.nscClient.connectTimeout is not configured"), + ])); + + var msg384 = msg("Not_configured:11", part319); + + var part320 = match("MESSAGE#364:Not_configured:12", "nwparser.payload", "com.rapid7.nexpose.nse.nscClient.readTimeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nse.nscClient.readTimeout is not configured"), + ])); + + var msg385 = msg("Not_configured:12", part320); + + var part321 = match("MESSAGE#365:Not_configured:13", "nwparser.payload", "com.rapid7.nexpose.reportGenerator.assetCollectionUpdateTimeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.reportGenerator.assetCollectionUpdateTimeout is not configured"), + ])); + + var msg386 = msg("Not_configured:13", part321); + + var part322 = match("MESSAGE#366:Not_configured:14", "nwparser.payload", "com.rapid7.nexpose.scan.consolidation.delay is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.consolidation.delay is not configured"), + ])); + + var msg387 = msg("Not_configured:14", part322); + + var part323 = match("MESSAGE#367:Not_configured:15", "nwparser.payload", "com.rapid7.nexpose.scan.lifecyclemonitor.delay is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.lifecyclemonitor.delay is not configured"), + ])); + + var msg388 = msg("Not_configured:15", part323); + + var part324 = match("MESSAGE#368:Not_configured:16", 
"nwparser.payload", "com.rapid7.nexpose.scan.usescanpool is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.usescanpool is not configured"), + ])); + + var msg389 = msg("Not_configured:16", part324); + + var part325 = match("MESSAGE#369:Not_configured:17", "nwparser.payload", "com.rapid7.nsc.workflow.timeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nsc.workflow.timeout is not configured"), + ])); + + var msg390 = msg("Not_configured:17", part325); + + var part326 = match("MESSAGE#370:Delivered", "nwparser.payload", "Delivered mail to %{to}: %{fld1->} %{fld2->} %{mail_id->} [InternalId=%{fld3}] Queued mail for delivery", processor_chain([ + dup56, + dup14, + dup15, + setc("action","Queued mail for delivery"), + ])); + + var msg391 = msg("Delivered", part326); + + var part327 = match("MESSAGE#371:Engine_update", "nwparser.payload", "Engine update thread pool shutting down.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Engine update thread pool shutting down"), + ])); + + var msg392 = msg("Engine_update", part327); + + var part328 = match("MESSAGE#372:Freed_triggers", "nwparser.payload", "Freed %{fld1->} triggers from 'acquired' / 'blocked' state.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Freed triggers from 'acquired' / 'blocked' state"), + ])); + + var msg393 = msg("Freed_triggers", part328); + + var part329 = match("MESSAGE#374:Upgrade_completed", "nwparser.payload", "PG Upgrade has completed succesfully%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Upgrade has completed succesfully"), + ])); + + var msg394 = msg("Upgrade_completed", part329); + + var part330 = match("MESSAGE#375:PG", "nwparser.payload", "%{fld1}: %{process->} %{param}", processor_chain([ + dup20, + dup14, + dup15, + ])); 
+ + var msg395 = msg("PG", part330); + + var select69 = linear_select([ + msg394, + msg395, + ]); + + var part331 = match("MESSAGE#376:DEFAULT_SCHEDULER", "nwparser.payload", "DEFAULT SCHEDULER: %{obj_name}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","DEFAULT SCHEDULER"), + ])); + + var msg396 = msg("DEFAULT_SCHEDULER", part331); + + var part332 = match("MESSAGE#377:Context_loader", "nwparser.payload", "Context loader config file is jar:file:%(unknown)", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Context loader config file"), + ])); + + var msg397 = msg("Context_loader", part332); + + var part333 = match("MESSAGE#378:Copied_file", "nwparser.payload", "Copied %{filename->} file from %{directory->} to %{info}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Copied file"), + ])); + + var msg398 = msg("Copied_file", part333); + + var part334 = match("MESSAGE#380:Java", "nwparser.payload", "Java HotSpot(TM) %{info}", processor_chain([ + dup20, + dup15, + setc("event_description","Console VM version"), + ])); + + var msg399 = msg("Java", part334); + + var part335 = match("MESSAGE#381:Changing", "nwparser.payload", "Changing permissions of %{obj_type->} '%{obj_name}' to %{change_new}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Changing permissions"), + ])); + + var msg400 = msg("Changing", part335); + + var part336 = match("MESSAGE#382:Changing:01", "nwparser.payload", "Changing the new database AUTH method to %{change_new}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Changing new database AUTH method"), + ])); + + var msg401 = msg("Changing:01", part336); + + var select70 = linear_select([ + msg400, + msg401, + ]); + + var part337 = match("MESSAGE#383:Job_execution", "nwparser.payload", "Job execution threads will use class loader of thread: %{info}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Job execution threads will use 
class loader"), + ])); + + var msg402 = msg("Job_execution", part337); + + var part338 = match("MESSAGE#384:Initialized:02", "nwparser.payload", "JobStoreCMT initialized.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","JobStoreCMT initialized"), + ])); + + var msg403 = msg("Initialized:02", part338); + + var part339 = match("MESSAGE#385:Initialized:03", "nwparser.payload", "Quartz scheduler '%{obj_name}' %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Quartz scheduler initialized"), + ])); + + var msg404 = msg("Initialized:03", part339); + + var part340 = match("MESSAGE#386:Created:03", "nwparser.payload", "Quartz Scheduler %{version->} created.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Quartz Scheduler created."), + ])); + + var msg405 = msg("Created:03", part340); + + var part341 = match("MESSAGE#387:Scheduler_version", "nwparser.payload", "Quartz scheduler version: %{version}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg406 = msg("Scheduler_version", part341); + + var select71 = linear_select([ + msg404, + msg405, + msg406, + ]); + + var part342 = match("MESSAGE#388:Recovering", "nwparser.payload", "Recovering %{fld1->} %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Recovering jobs"), + ])); + + var msg407 = msg("Recovering", part342); + + var part343 = match("MESSAGE#389:Recovery", "nwparser.payload", "Recovery complete.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Recovery"), + setc("disposition","Complete"), + ])); + + var msg408 = msg("Recovery", part343); + + var part344 = match("MESSAGE#390:Removed", "nwparser.payload", "Removed %{fld1->} 'complete' triggers.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Removed triggers"), + ])); + + var msg409 = msg("Removed", part344); + + var part345 = match("MESSAGE#391:Removed:01", "nwparser.payload", "Removed %{fld1->} stale fired 
job entries.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Removed job entries"), + ])); + + var msg410 = msg("Removed:01", part345); + + var select72 = linear_select([ + msg409, + msg410, + ]); + + var part346 = match("MESSAGE#392:Restoring", "nwparser.payload", "%{action}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg411 = msg("Restoring", part346); + + var part347 = match("MESSAGE#393:Upgrading", "nwparser.payload", "Upgrading database%{fld1}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Upgrading database"), + ])); + + var msg412 = msg("Upgrading", part347); + + var part348 = match("MESSAGE#394:Exploits", "nwparser.payload", "Exploits are up to date.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Exploits are up to date"), + ])); + + var msg413 = msg("Exploits", part348); + + var part349 = match("MESSAGE#395:Failure", "nwparser.payload", "Failure communicating with NSE @ %{dhost}:%{dport}.", processor_chain([ + dup53, + dup49, + dup27, + dup14, + dup15, + setc("event_description","Failure communicating with NSE"), + ])); + + var msg414 = msg("Failure", part349); + + var part350 = match("MESSAGE#396:Renamed", "nwparser.payload", "Renamed %{filename->} to %{info}", processor_chain([ + dup20, + dup57, + dup22, + dup14, + dup15, + ])); + + var msg415 = msg("Renamed", part350); + + var part351 = match("MESSAGE#397:Reinitializing", "nwparser.payload", "Reinitializing web server for maintenance mode...%{}", processor_chain([ + dup20, + dup57, + dup22, + dup14, + dup15, + setc("event_description","Reinitializing web server for maintenance mode"), + ])); + + var msg416 = msg("Reinitializing", part351); + + var part352 = match("MESSAGE#398:Replaced", "nwparser.payload", "Replaced %{change_old->} values from %{filename->} file with new auth method: %{change_new}.", processor_chain([ + dup20, + dup57, + dup22, + dup14, + dup15, + dup58, + ])); + + var msg417 = msg("Replaced", part352); + 
+ var part353 = match("MESSAGE#399:Replaced:01", "nwparser.payload", "Replaced %{change_old->} values from %{filename->} with new setting values", processor_chain([ + dup20, + dup57, + dup22, + dup14, + dup15, + dup58, + ])); + + var msg418 = msg("Replaced:01", part353); + + var select73 = linear_select([ + msg417, + msg418, + ]); + + var part354 = match("MESSAGE#400:System", "nwparser.payload", "System is running low on memory: %{fld1}MB total (%{fld2}MB free)", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","System is running low on memory"), + ])); + + var msg419 = msg("System", part354); + + var part355 = match("MESSAGE#401:System:01", "nwparser.payload", "%{info}", processor_chain([ + dup20, + dup14, + dup15, + dup30, + dup31, + dup32, + dup33, + ])); + + var msg420 = msg("System:01", part355); + + var select74 = linear_select([ + msg419, + msg420, + ]); + + var part356 = match("MESSAGE#402:Analyzing", "nwparser.payload", "Analyzing the database.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Analyzing the database"), + ])); + + var msg421 = msg("Analyzing", part356); + + var part357 = match("MESSAGE#403:Connection", "nwparser.payload", "Connection to the new database was successful. 
%{action}.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Connection to the new database was successful"), + ])); + + var msg422 = msg("Connection", part357); + + var part358 = match("MESSAGE#404:Handling", "nwparser.payload", "Handling %{fld1->} trigger(s) that missed their scheduled fire-time.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Handling trigger(s) that missed their scheduled fire-time"), + ])); + + var msg423 = msg("Handling", part358); + + var part359 = match("MESSAGE#406:LDAP", "nwparser.payload", "LDAP authentication requires resolution%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","LDAP authentication requires resolution"), + ])); + + var msg424 = msg("LDAP", part359); + + var part360 = match("MESSAGE#407:Maintenance", "nwparser.payload", "Maintenance Task Started%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Maintenance Task Started"), + ])); + + var msg425 = msg("Maintenance", part360); + + var msg426 = msg("Migration", dup61); + + var msg427 = msg("Mobile", dup68); + + var msg428 = msg("ConsoleScanImporter", dup68); + + var part361 = match("MESSAGE#421:Postgres:01", "nwparser.payload", "%{event_description}. Cleaning up. 
%{directory}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Cleaning up"), + ])); + + var msg429 = msg("Postgres:01", part361); + + var part362 = match("MESSAGE#422:Succesfully", "nwparser.payload", "Succesfully %{event_description->} to %{dport}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg430 = msg("Succesfully", part362); + + var part363 = match("MESSAGE#423:Unzipped", "nwparser.payload", "%{action->} %{fld1->} bytes into %{directory}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg431 = msg("Unzipped", part363); + + var part364 = match("MESSAGE#424:vacuumdb", "nwparser.payload", "%{process->} executed with a return value of %{resultcode}.", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg432 = msg("vacuumdb", part364); + + var part365 = match("MESSAGE#425:Processed_vuln", "nwparser.payload", "Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Processed vuln check types for %{fld5->} vuln checks.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Processed vuln check types"), + ])); + + var msg433 = msg("Processed_vuln", part365); + + var part366 = match("MESSAGE#430:Reflections", "nwparser.payload", "Reflections %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg434 = msg("Reflections", part366); + + var part367 = match("MESSAGE#431:CorrelationAttributes", "nwparser.payload", "0.16: %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg435 = msg("CorrelationAttributes", part367); + + var part368 = match("MESSAGE#432:CorrelationAttributes:01", "nwparser.payload", "0.49: %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg436 = msg("CorrelationAttributes:01", part368); + + var part369 = match("MESSAGE#433:CorrelationAttributes:02", "nwparser.payload", "0.245: %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg437 = msg("CorrelationAttributes:02", part369); + + var part370 = 
match("MESSAGE#434:CorrelationAttributes:03", "nwparser.payload", "0.325: %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg438 = msg("CorrelationAttributes:03", part370); + + var msg439 = msg("ConsoleProductInfoProvider", dup69); + + var msg440 = msg("NSXAssetEventHandler", dup69); + + var msg441 = msg("ProductNotificationService", dup69); + + var msg442 = msg("AssetEventHandler", dup69); + + var msg443 = msg("SiteEventHandler", dup69); + + var msg444 = msg("UserEventHandler", dup69); + + var msg445 = msg("VulnerabilityExceptionEventHandler", dup69); + + var msg446 = msg("TagEventHandler", dup69); + + var msg447 = msg("AssetGroupEventHandler", dup69); + + var msg448 = msg("ScanEventHandler", dup69); + + var part371 = match("MESSAGE#445:Not_configured:18", "nwparser.payload", "com.rapid7.nexpose.nsc.critical.task.executor.core.thread.pool.size is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.critical.task.executor.core.thread.pool.size is not configured"), + ])); + + var msg449 = msg("Not_configured:18", part371); + + var part372 = match("MESSAGE#446:Not_configured:19", "nwparser.payload", "com.rapid7.nexpose.nsc.scan.multiengine.scanHaltTimeoutMilliSecond is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scan.multiengine.scanHaltTimeoutMilliSecond is not configured"), + ])); + + var msg450 = msg("Not_configured:19", part372); + + var part373 = match("MESSAGE#447:Not_configured:20", "nwparser.payload", "com.rapid7.nexpose.nsc.scan.scan.event.monitor.poll.duration is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scan.scan.event.monitor.poll.duration is not configured"), + ])); + + var msg451 = msg("Not_configured:20", part373); + + var part374 = 
match("MESSAGE#448:Not_configured:21", "nwparser.payload", "com.rapid7.nexpose.nse.excludedFileSystems is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nse.excludedFileSystems is not configured"), + ])); + + var msg452 = msg("Not_configured:21", part374); + + var part375 = match("MESSAGE#449:Not_configured:22", "nwparser.payload", "com.rapid7.nexpose.scan.logCPUMemoryToMemLog.enable is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.logCPUMemoryToMemLog.enable is not configured"), + ])); + + var msg453 = msg("Not_configured:22", part375); + + var part376 = match("MESSAGE#450:Not_configured:23", "nwparser.payload", "com.rapid7.nexpose.scan.logMemory.interval is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.logMemory.interval is not configured"), + ])); + + var msg454 = msg("Not_configured:23", part376); + + var part377 = match("MESSAGE#451:Not_configured:24", "nwparser.payload", "com.rapid7.nexpose.scan.monitor.numberSavedAssetDurations is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.monitor.numberSavedAssetDurations is not configured"), + ])); + + var msg455 = msg("Not_configured:24", part377); + + var part378 = match("MESSAGE#452:Not_configured:25", "nwparser.payload", "com.rapid7.scan.perTestDurationLogging is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.scan.perTestDurationLogging is not configured"), + ])); + + var msg456 = msg("Not_configured:25", part378); + + var part379 = match("MESSAGE#453:Not_configured:26", "nwparser.payload", 
"com.rapid7.thread.threadPoolNonBlockingOpsProviderParallelism is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.thread.threadPoolNonBlockingOpsProviderParallelism is not configured"), + ])); + + var msg457 = msg("Not_configured:26", part379); + + var part380 = match("MESSAGE#454:Not_configured:27", "nwparser.payload", "com.rapid7.nexpose.nsc.critical.task.executor.max.thread.pool.size is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.critical.task.executor.max.thread.pool.size is not configured"), + ])); + + var msg458 = msg("Not_configured:27", part380); + + var part381 = match("MESSAGE#455:Spring", "nwparser.payload", "%{process->} detected on classpath: [%{fld2}]", processor_chain([ + dup20, + dup14, + dup15, + setc("action","detected"), + ])); + + var msg459 = msg("Spring", part381); + + var part382 = match("MESSAGE#456:Storing", "nwparser.payload", "%{fld1}] [%{fld2}] Storing scan details for %{event_type}.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Storing scan details"), + ])); + + var msg460 = msg("Storing", part382); + + var part383 = match("MESSAGE#457:Clearing", "nwparser.payload", "Clearing object tracker after %{dclass_counter1->} hits and %{dclass_counter2->} misses.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Clearing object tracker"), + ])); + + var msg461 = msg("Clearing", part383); + + var part384 = match("MESSAGE#458:All", "nwparser.payload", "%{fld1}] [%{fld2}] All scan engines are up to date.", processor_chain([ + dup20, + dup14, + dup15, + setc("result","All scan engines are up to date"), + ])); + + var msg462 = msg("All", part384); + + var part385 = match("MESSAGE#459:New", "nwparser.payload", "New Provider %{audit_object->} discovered.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","New 
Provider discovered"), + ])); + + var msg463 = msg("New", part385); + + var part386 = match("MESSAGE#463:Session", "nwparser.payload", "%{fld1}] [%{fld2}] [%{fld3}] Session created.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Session created"), + ])); + + var msg464 = msg("Session", part386); + + var part387 = match("MESSAGE#464:Debug", "nwparser.payload", "Debug logging is not enabled for this scan.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Debug logging is not enabled"), + ])); + + var msg465 = msg("Debug", part387); + + var msg466 = msg("Debug:01", dup61); + + var select75 = linear_select([ + msg465, + msg466, + ]); + + var part388 = match("MESSAGE#466:ACES", "nwparser.payload", "ACES logging is not enabled.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","ACES logging is not enabled"), + ])); + + var msg467 = msg("ACES", part388); + + var msg468 = msg("ACES:01", dup61); + + var select76 = linear_select([ + msg467, + msg468, + ]); + + var part389 = match("MESSAGE#468:Invulnerable", "nwparser.payload", "Invulnerable Data Storage is on.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Invulnerable Data Storage is on"), + ])); + + var msg469 = msg("Invulnerable", part389); + + var part390 = match("MESSAGE#469:Nmap", "nwparser.payload", "Nmap ARP Ping for local networks%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Nmap ARP Ping for local networks"), + ])); + + var msg470 = msg("Nmap", part390); + + var part391 = match("MESSAGE#470:Nmap:01", "nwparser.payload", "%{event_description}", processor_chain([ + setc("eventcategory","1801000000"), + dup14, + dup15, + ])); + + var msg471 = msg("Nmap:01", part391); + + var select77 = linear_select([ + msg470, + msg471, + ]); + + var part392 = match("MESSAGE#471:Cause/0_0", "nwparser.payload", "Authentication %{result->} for principal %{fld}] %{info}"); + + var part393 = 
match("MESSAGE#471:Cause/0_1", "nwparser.payload", " %{result}] %{info}"); + + var select78 = linear_select([ + part392, + part393, + ]); + + var all20 = all_match({ + processors: [ + select78, + ], + on_success: processor_chain([ + setc("eventcategory","1301000000"), + dup14, + dup15, + ]), + }); + + var msg472 = msg("Cause", all20); + + var part394 = match("MESSAGE#472:NEXPOSE_GENERIC", "nwparser.payload", "%{fld1}", processor_chain([ + setc("eventcategory","1901000000"), + dup15, + ])); + + var msg473 = msg("NEXPOSE_GENERIC", part394); + + var chain1 = processor_chain([ + select4, + msgid_select({ + "0.16": msg435, + "0.245": msg437, + "0.325": msg438, + "0.49": msg436, + "A": msg235, + "ACES": select76, + "Accepting": msg327, + "Acknowledged": msg273, + "Acknowledging": msg272, + "Activation": msg271, + "Adding": select25, + "Administrative": select49, + "Advertising": msg217, + "All": msg462, + "AllowUseOriginalMessage": msg349, + "An": msg287, + "Analyzing": msg421, + "Apache": msg347, + "Applying": msg164, + "Approved": msg267, + "Asserting": select28, + "AssetEventHandler": msg442, + "AssetGroupEventHandler": msg447, + "At": msg286, + "Attempting": select26, + "Authenticated": msg85, + "Authentication": select23, + "Auto-update": msg266, + "Available": msg308, + "Backing": msg372, + "Benchmark": msg365, + "Bulk": msg314, + "CIFS": msg203, + "CPU": msg304, + "CSIDL_SYSTEM": msg209, + "CSIDL_SYSTEMX86": msg208, + "Cached:": msg204, + "Cannot": select68, + "Cataloged": msg103, + "Cause": msg472, + "Changing": select70, + "CheckProcessor:": msg248, + "Checking": select41, + "Cleaning": select64, + "Clearing": msg461, + "Closing": select39, + "Compiling": msg318, + "Completed": select40, + "Computer": msg302, + "Configuring": msg336, + "Connection": msg422, + "Console": select12, + "ConsoleProductInfoProvider": msg439, + "ConsoleScanImporter": msg428, + "Context": msg397, + "Copied": msg398, + "Could": msg125, + "Created": select57, + "Creating": msg240, + 
"Current": select58, + "DB_VERSION": msg357, + "DEFAULT": msg396, + "DNS": msg172, + "Database": select62, + "Debug": select75, + "Default": msg346, + "Deleted": msg345, + "Delivered": msg391, + "Deploying": msg282, + "Destroying": msg277, + "Detected": msg329, + "Determining": select29, + "Disk": msg309, + "Done": select17, + "Downloaded": msg290, + "Downloading": msg289, + "Dumping": msg104, + "ERROR": select7, + "ERROR:": msg370, + "Enabling": msg333, + "Engine": msg392, + "Enumerating": msg205, + "Error": msg353, + "Establishing": msg264, + "EventLog": msg359, + "Exchange": msg211, + "Executing": select48, + "Exploits": msg413, + "ExtMgr": select8, + "FTP": msg149, + "Failed": msg112, + "Failure": msg414, + "Finished": select53, + "Firefox": msg259, + "Flash": msg183, + "Form": msg105, + "Found": select33, + "Freed": msg393, + "Freeing": select56, + "Generating": msg283, + "Getting": msg190, + "Got": msg156, + "Graceful": msg354, + "Granting": msg334, + "HHH000436:": msg268, + "Handling": msg423, + "Host": select42, + "IE": msg192, + "IP": msg218, + "Imported": select61, + "Importing": msg315, + "Inconsistency": msg83, + "Initialized": select66, + "Initializing": select51, + "Inserted": msg344, + "Installed": msg343, + "Installing": select37, + "Interrupted,": msg47, + "Invocation": msg278, + "Invulnerable": msg469, + "JAR": msg276, + "JMX": msg348, + "JRE": msg179, + "JVM": msg310, + "Java": msg399, + "Job": msg402, + "JobStoreCMT": msg403, + "Kill": msg295, + "LDAP": msg424, + "Listing": msg189, + "Loaded": select52, + "Loading": msg241, + "Local": msg356, + "Locating": msg249, + "Logging": msg258, + "MDAC": msg181, + "Maintenance": msg425, + "Making": msg360, + "Microsoft": msg180, + "Migration": msg426, + "Mobile": msg427, + "NEXPOSE_GENERIC": msg473, + "NOT_VULNERABLE": select5, + "NOT_VULNERABLE_VERSION": msg1, + "NSE": select11, + "NSXAssetEventHandler": msg440, + "Name": msg182, + "New": msg463, + "Nexpose": select13, + "Nmap": select77, + "No": 
select35, + "Number": msg305, + "OS": msg364, + "Operating": msg303, + "PG": select69, + "Parsed": msg178, + "Parsing": msg322, + "Patching": msg275, + "Pausing": msg311, + "Performing": select20, + "Policy": select60, + "Populating": msg358, + "PostgreSQL": msg340, + "Postgres": msg429, + "Preparing": msg67, + "Processed": msg433, + "Processing": msg97, + "Product": msg298, + "ProductNotificationService": msg441, + "ProtocolFper": msg31, + "Quartz": select71, + "QuartzRepeaterBuilder": msg371, + "Queued": msg252, + "Queueing": select18, + "Reading": msg253, + "Recovering": msg407, + "Recovery": msg408, + "Recursively": select27, + "Reflections": msg434, + "Refreshing": msg270, + "Registered": select54, + "Registering": msg254, + "Reinitializing": msg416, + "Relaunching": msg106, + "Remapped": msg324, + "Remapping": msg323, + "Removed": select72, + "Removing": msg285, + "Renamed": msg415, + "Replaced": select73, + "Report": select67, + "Requested": msg292, + "Resolving": msg171, + "Response": msg265, + "Restarting": msg291, + "Restoring": msg411, + "Retrieved": msg202, + "Retrieving": msg155, + "Rewrote": msg65, + "Route:": select55, + "Running": select30, + "SPIDER": msg66, + "SPIDER-XSS": msg96, + "SQL": msg212, + "Scan": select22, + "ScanEventHandler": msg448, + "ScanMgr": select9, + "Scanning": msg173, + "Scheduler": select63, + "Searching": msg109, + "Security": select15, + "Seeing": msg257, + "Sending": msg118, + "Service": select32, + "Session": msg464, + "Setting": msg361, + "Shutdown": msg49, + "Shutting": msg46, + "Site": msg84, + "SiteEventHandler": msg443, + "Skipping": msg184, + "Spring": msg459, + "Staged": msg269, + "Staging": msg284, + "Started": select47, + "Starting": select34, + "Stopping": msg331, + "Storing": msg460, + "StreamCaching": msg355, + "Succesfully": msg430, + "Successfully": msg263, + "Super": msg301, + "Synchronizing": msg321, + "System": select74, + "SystemFingerprint": msg108, + "TCP": msg250, + "TCPSocket": msg110, + 
"TagEventHandler": msg446, + "Telling": msg330, + "The": msg288, + "Total": select59, + "Truncating": msg320, + "Trusted": msg121, + "Trying": msg64, + "UDP": msg251, + "Unzipped": msg431, + "Update": select36, + "Updated": select46, + "Updating": select43, + "Upgrading": msg412, + "User": select24, + "UserEventHandler": msg444, + "Using": msg279, + "VERSION": msg328, + "VULNERABLE": select6, + "VULNERABLE_VERSION": msg2, + "Validating": msg274, + "Verifying": msg363, + "Version": msg335, + "Version:": msg191, + "Vulnerability": msg319, + "VulnerabilityExceptionEventHandler": msg445, + "Web": select16, + "Webmin": msg133, + "Windows": select38, + "building": msg117, + "but": msg98, + "checking": msg158, + "com.rapid.nexpose.scanpool.stateInterval": msg373, + "com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout": msg374, + "com.rapid7.nexpose.comms.clientConnectionProvider.getConnectionTimeout": msg375, + "com.rapid7.nexpose.datastore.connection.evictionThreadTime": msg376, + "com.rapid7.nexpose.datastore.eviction.connection.threadIdleTimeout": msg377, + "com.rapid7.nexpose.nsc.critical.task.executor.core.thread.pool.size": msg449, + "com.rapid7.nexpose.nsc.critical.task.executor.max.thread.pool.size": msg458, + "com.rapid7.nexpose.nsc.dbcc": msg378, + "com.rapid7.nexpose.nsc.scan.multiengine.scanHaltTimeoutMilliSecond": msg450, + "com.rapid7.nexpose.nsc.scan.scan.event.monitor.poll.duration": msg451, + "com.rapid7.nexpose.nsc.scanExecutorService.maximumCorePoolSize": msg379, + "com.rapid7.nexpose.nsc.scanExecutorService.minimumCorePoolSize": msg380, + "com.rapid7.nexpose.nsc.scanExecutorService.monitorCorePoolSizeIncreaseOnSaturation": msg381, + "com.rapid7.nexpose.nsc.scanExecutorService.monitorEnabled": msg382, + "com.rapid7.nexpose.nsc.scanExecutorService.monitorInterval": msg383, + "com.rapid7.nexpose.nse.excludedFileSystems": msg452, + "com.rapid7.nexpose.nse.nscClient.connectTimeout": msg384, + "com.rapid7.nexpose.nse.nscClient.readTimeout": 
msg385, + "com.rapid7.nexpose.reportGenerator.assetCollectionUpdateTimeout": msg386, + "com.rapid7.nexpose.scan.consolidation.delay": msg387, + "com.rapid7.nexpose.scan.lifecyclemonitor.delay": msg388, + "com.rapid7.nexpose.scan.logCPUMemoryToMemLog.enable": msg453, + "com.rapid7.nexpose.scan.logMemory.interval": msg454, + "com.rapid7.nexpose.scan.monitor.numberSavedAssetDurations": msg455, + "com.rapid7.nexpose.scan.usescanpool": msg389, + "com.rapid7.nsc.workflow.timeout": msg390, + "com.rapid7.scan.perTestDurationLogging": msg456, + "com.rapid7.thread.threadPoolNonBlockingOpsProviderParallelism": msg457, + "common": msg261, + "connected": msg111, + "creating": msg120, + "credentials": msg95, + "dcerpc-get-ms-blaster-codes": msg124, + "initdb": msg362, + "j_password": msg99, + "j_username": msg100, + "jess.JessException:": msg262, + "key": msg188, + "list-user-directory": msg123, + "loading": msg153, + "main": msg107, + "nodes": msg260, + "office": msg210, + "osspi_defaultTargetLocation": msg101, + "param:": msg174, + "persistent-xss": msg92, + "removing": msg332, + "sending": msg119, + "shutting": msg48, + "signon_type": msg122, + "spider-parse-robot-exclusions": msg102, + "starting": msg213, + "trying": msg154, + "unexpected": msg157, + "using": msg142, + "vacuumdb": msg432, + }), + ]); + + var hdr37 = match("HEADER#1:0022/0", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{p0}"); + + var part395 = match("HEADER#1:0022/1_1", "nwparser.p0", "%{hpriority}][%{p0}"); + + var part396 = match("HEADER#1:0022/1_2", "nwparser.p0", "%{hpriority}[%{p0}"); + + var hdr38 = match("HEADER#18:0034/0", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}]%{p0}"); + + var part397 = match("HEADER#18:0034/1_0", "nwparser.p0", " [%{p0}"); + + var part398 = match("HEADER#18:0034/1_1", "nwparser.p0", "[%{p0}"); + + var part399 = match("MESSAGE#17:NSE:01/0", "nwparser.payload", "%{} %{p0}"); + + var part400 = match("MESSAGE#52:Scan:06/0", "nwparser.payload", "Scan: 
[ %{p0}"); + + var part401 = match("MESSAGE#52:Scan:06/1_0", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + + var part402 = match("MESSAGE#52:Scan:06/1_1", "nwparser.p0", "%{saddr->} %{p0}"); + + var select79 = linear_select([ + dup7, + dup8, + ]); + + var part403 = match("MESSAGE#416:Nexpose:12", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var part404 = match("MESSAGE#46:SPIDER", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, + ])); + + var select80 = linear_select([ + dup41, + dup42, + ]); + + var part405 = match("MESSAGE#93:Attempting", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var part406 = match("MESSAGE#120:path", "nwparser.payload", "%{info}", processor_chain([ + dup20, + dup15, + ])); + + var part407 = match("MESSAGE#318:Loaded:01", "nwparser.payload", "%{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var part408 = match("MESSAGE#236:Finished:03", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup15, + ])); + + var part409 = match("MESSAGE#418:Mobile", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup25, + ])); + + var part410 = match("MESSAGE#435:ConsoleProductInfoProvider", "nwparser.payload", "%{fld1->} %{action}", processor_chain([ + dup20, + dup14, + dup15, + dup59, + ])); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/rapid7/0.1.0/dataset/nexpose/agent/stream/udp.yml.hbs b/packages/rapid7/0.1.0/dataset/nexpose/agent/stream/udp.yml.hbs new file mode 100644 index 0000000000..4788939d4d --- /dev/null +++ b/packages/rapid7/0.1.0/dataset/nexpose/agent/stream/udp.yml.hbs 
@@ -0,0 +1,8267 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Rapid7" + product: "Nexpose" + type: "Vulnerability" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) {
+ if (debug) console.warn("all_match failure at " + i);
+ if (opts.on_failure != null) opts.on_failure(evt);
+ return;
+ }
+ if (debug) console.warn("all_match success at " + i);
+ }
+ if (opts.on_success != null) opts.on_success(evt);
+ };
+ }
+
+ function msgid_select(mapping) {
+ return function (evt) {
+ var msgid = evt.Get(FIELDS_PREFIX + "messageid");
+ if (msgid == null) {
+ if (debug) console.warn("msgid_select: no messageid captured!");
+ return;
+ }
+ var next = mapping[msgid];
+ if (next === undefined) {
+ if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid);
+ return;
+ }
+ if (debug) console.info("msgid_select: matched key=" + msgid);
+ return next(evt);
+ };
+ }
+
+ function msg(msg_id, match) {
+ return function (evt) {
+ match(evt);
+ if (evt.Get(FLAG_FIELD) == null) {
+ evt.Put(FIELDS_PREFIX + "msg_id1", msg_id);
+ }
+ };
+ }
+
+ var start;
+
+ function save_flags(evt) {
+ saved_flags = evt.Get(FLAG_FIELD);
+ evt.Put("event.original", evt.Get("message"));
+ }
+
+ function restore_flags(evt) {
+ if (saved_flags !== null) {
+ evt.Put(FLAG_FIELD, saved_flags);
+ }
+ evt.Delete("message");
+ }
+
+ function constant(value) {
+ return function (evt) {
+ return value;
+ };
+ }
+
+ function field(name) {
+ var fullname = FIELDS_PREFIX + name;
+ return function (evt) {
+ return evt.Get(fullname);
+ };
+ }
+
+ function STRCAT(args) {
+ var s = "";
+ var i;
+ for (i = 0; i < args.length; i++) {
+ s += args[i];
+ }
+ return s;
+ }
+
+ // TODO: Implement
+ function DIRCHK(args) {
+ unimplemented("DIRCHK");
+ }
+
+ function strictToInt(str) {
+ return str * 1;
+ }
+
+ function CALC(args) {
+ if (args.length !== 3) {
+ console.warn("skipped call to CALC with " + args.length + " arguments.");
+ return;
+ }
+ var a = strictToInt(args[0]);
+ var b = strictToInt(args[2]);
+ if (isNaN(a) || isNaN(b)) {
+ console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'.");
+ return;
+ }
+ var result;
+ switch (args[1]) {
+ case "+":
+ result = a + b;
+ break;
+ case "-":
+ result = a - b;
+ break;
+ case "*":
+ result = a * b;
+ break;
+ default:
+ // Only * and + seen in the parsers.
+ console.warn("unknown CALC operation '" + args[1] + "'.");
+ return;
+ }
+ // Always return a string
+ return result !== undefined ? "" + result : result;
+ }
+
+ var quoteChars = "\"'`";
+ function RMQ(args) {
+ if(args.length !== 1) {
+ console.warn("RMQ: only one argument expected");
+ return;
+ }
+ var value = args[0].trim();
+ var n = value.length;
+ var char;
+ return n > 1
+ && (char=value.charAt(0)) === value.charAt(n-1)
+ && quoteChars.indexOf(char) !== -1?
+ value.substr(1, n-2)
+ : value;
+ }
+
+ function call(opts) {
+ var args = new Array(opts.args.length);
+ return function (evt) {
+ for (var i = 0; i < opts.args.length; i++)
+ if ((args[i] = opts.args[i](evt)) == null) return;
+ var result = opts.fn(args);
+ if (result != null) {
+ evt.Put(opts.dest, result);
+ }
+ };
+ }
+
+ function nop(evt) {
+ }
+
+ function appendErrorMsg(evt, msg) {
+ var value = evt.Get("error.message");
+ if (value == null) {
+ value = [msg];
+ } else if (msg instanceof Array) {
+ value.push(msg);
+ } else {
+ value = [value, msg];
+ }
+ evt.Put("error.message", value);
+ }
+
+ function unimplemented(name) {
+ appendErrorMsg("unimplemented feature: " + name);
+ }
+
+ function lookup(opts) {
+ return function (evt) {
+ var key = opts.key(evt);
+ if (key == null) return;
+ var value = opts.map.keyvaluepairs[key];
+ if (value === undefined) {
+ value = opts.map.default;
+ }
+ if (value !== undefined) {
+ evt.Put(opts.dest, value(evt));
+ }
+ };
+ }
+
+ function set(fields) {
+ return new processor.AddFields({
+ target: FIELDS_OBJECT,
+ fields: fields,
+ });
+ }
+
+ function setf(dst, src) {
+ return function (evt) {
+ var val = evt.Get(FIELDS_PREFIX + src);
+ if (val != null) evt.Put(FIELDS_PREFIX + dst, val);
+ };
+ }
+
+ function setc(dst, value) {
+ return function (evt) {
+ evt.Put(FIELDS_PREFIX + dst, value);
+ };
+ }
+
+ function set_field(opts) {
+ return function (evt) {
+ var val = opts.value(evt);
+ if (val != null) evt.Put(opts.dest, val);
+ };
+ }
+
+ function dump(label) {
+ return function (evt) {
+ console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t"));
+ };
+ }
+
+ function date_time_join_args(evt, arglist) {
+ var str = "";
+ for (var i = 0; i < arglist.length; i++) {
+ var fname = FIELDS_PREFIX + arglist[i];
+ var val = evt.Get(fname);
+ if (val != null) {
+ if (str !== "") str += " ";
+ str += val;
+ } else {
+ if (debug) console.warn("in date_time: input arg " + fname + " is not set");
+ }
+ }
+ return str;
+ }
+
+ function to2Digit(num) {
+ return num? (num < 10? "0" + num : num) : "00";
+ }
+
+ // Make two-digit dates 00-69 interpreted as 2000-2069
+ // and dates 70-99 translated to 1970-1999.
+ var twoDigitYearEpoch = 70;
+ var twoDigitYearCentury = 2000;
+
+ // This is to accept dates up to 2 days in the future, only used when
+ // no year is specified in a date. 2 days should be enough to account for
+ // time differences between systems and different tz offsets.
+ var maxFutureDelta = 2*24*60*60*1000;
+
+ // DateContainer stores date fields and then converts those fields into
+ // a Date. Necessary because building a Date using its set() methods gives
+ // different results depending on the order of components.
+ function DateContainer(tzOffset) {
+ this.offset = tzOffset === undefined? "Z" : tzOffset;
+ }
+
+ DateContainer.prototype = {
+ setYear: function(v) {this.year = v;},
+ setMonth: function(v) {this.month = v;},
+ setDay: function(v) {this.day = v;},
+ setHours: function(v) {this.hours = v;},
+ setMinutes: function(v) {this.minutes = v;},
+ setSeconds: function(v) {this.seconds = v;},
+
+ setUNIX: function(v) {this.unix = v;},
+
+ set2DigitYear: function(v) {
+ this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100;
+ },
+
+ toDate: function() {
+ if (this.unix !== undefined) {
+ return new Date(this.unix * 1000);
+ }
+ if (this.day === undefined || this.month === undefined) {
+ // Can't make a date from this.
+ return undefined;
+ }
+ if (this.year === undefined) {
+ // A date without a year. Set current year, or previous year
+ // if date would be in the future.
+ var now = new Date();
+ this.year = now.getFullYear();
+ var date = this.toDate();
+ if (date.getTime() - now.getTime() > maxFutureDelta) {
+ date.setFullYear(now.getFullYear() - 1);
+ }
+ return date;
+ }
+ var MM = to2Digit(this.month);
+ var DD = to2Digit(this.day);
+ var hh = to2Digit(this.hours);
+ var mm = to2Digit(this.minutes);
+ var ss = to2Digit(this.seconds);
+ return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset);
+ }
+ }
+
+ function date_time_try_pattern(fmt, str, tzOffset) {
+ var date = new DateContainer(tzOffset);
+ var pos = date_time_try_pattern_at_pos(fmt, str, 0, date);
+ return pos !== undefined? date.toDate() : undefined;
+ }
+
+ function date_time_try_pattern_at_pos(fmt, str, pos, date) {
+ var len = str.length;
+ for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) {
+ pos = fmt[proc](str, pos, date);
+ }
+ return pos;
+ }
+
+ function date_time(opts) {
+ return function (evt) {
+ var tzOffset = opts.tz || tz_offset;
+ if (tzOffset === "event") {
+ tzOffset = evt.Get("event.timezone");
+ }
+ var str = date_time_join_args(evt, opts.args);
+ for (var i = 0; i < opts.fmts.length; i++) {
+ var date = date_time_try_pattern(opts.fmts[i], str, tzOffset);
+ if (date !== undefined) {
+ evt.Put(FIELDS_PREFIX + opts.dest, date);
+ return;
+ }
+ }
+ if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str);
+ };
+ }
+
+ var uA = 60 * 60 * 24;
+ var uD = 60 * 60 * 24;
+ var uF = 60 * 60;
+ var uG = 60 * 60 * 24 * 30;
+ var uH = 60 * 60;
+ var uI = 60 * 60;
+ var uJ = 60 * 60 * 24;
+ var uM = 60 * 60 * 24 * 30;
+ var uN = 60 * 60;
+ var uO = 1;
+ var uS = 1;
+ var uT = 60;
+ var uU = 60;
+ var uc = dc;
+
+ function duration(opts) {
+ return function(evt) {
+ var str = date_time_join_args(evt, opts.args);
+ for (var i = 0; i < opts.fmts.length; i++) {
+ var seconds = duration_try_pattern(opts.fmts[i], str);
+ if (seconds !== undefined) {
+ evt.Put(FIELDS_PREFIX + opts.dest, seconds);
+ return;
+ }
+ }
+ if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str);
+ };
+ }
+
+ function duration_try_pattern(fmt, str) {
+ var secs = 0;
+ var pos = 0;
+ for (var i=0; i [ month_id , how many chars to skip if month in long form ]
+ "Jan": [0, 4],
+ "Feb": [1, 5],
+ "Mar": [2, 2],
+ "Apr": [3, 2],
+ "May": [4, 0],
+ "Jun": [5, 1],
+ "Jul": [6, 1],
+ "Aug": [7, 3],
+ "Sep": [8, 6],
+ "Oct": [9, 4],
+ "Nov": [10, 5],
+ "Dec": [11, 4],
+ "jan": [0, 4],
+ "feb": [1, 5],
+ "mar": [2, 2],
+ "apr": [3, 2],
+ "may": [4, 0],
+ "jun": [5, 1],
+ "jul": [6, 1],
+ "aug": [7, 3],
+ "sep": [8, 6],
+ "oct": [9, 4],
+ "nov": [10, 5],
+ "dec": [11, 4],
+ };
+
+ // var dC = undefined;
+ var dR = dateMonthName(true);
+ var dB = dateMonthName(false);
+ var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
+ var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
+ var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
+ var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
+ var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
+ var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
+ var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
+ var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
+ var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
+ var dP = parseAMPM; // AM|PM
+ var dQ = parseAMPM; // A.M.|P.M
+ var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
+ var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
+ var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
+ var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
+ var dZ = parseHMS;
+ var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
+
+ // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
+ // Only works if this modifier appears after the hour has been read from logs
+ // which is always the case in the 300 devices.
+ function parseAMPM(str, pos, date) {
+ var n = str.length;
+ var start = skipws(str, pos);
+ if (start + 2 > n) return;
+ var head = str.substr(start, 2).toUpperCase();
+ var isPM = false;
+ var skip = false;
+ switch (head) {
+ case "A.":
+ skip = true;
+ /* falls through */
+ case "AM":
+ break;
+ case "P.":
+ skip = true;
+ /* falls through */
+ case "PM":
+ isPM = true;
+ break;
+ default:
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
+ return;
+ }
+ pos = start + 2;
+ if (skip) {
+ if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
+ return;
+ }
+ pos += 2;
+ }
+ var hh = date.hours;
+ if (isPM) {
+ // Accept existing hour in 24h format.
+ if (hh < 12) hh += 12;
+ } else {
+ if (hh === 12) hh = 0;
+ }
+ date.setHours(hh);
+ return pos;
+ }
+
+ function parseHMS(str, pos, date) {
+ return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
+ }
+
+ function skipws(str, pos) {
+ for ( var n = str.length;
+ pos < n && str.charAt(pos) === " ";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function skipdigits(str, pos) {
+ var c;
+ for (var n = str.length;
+ pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function dSkip(str, pos, date) {
+ var chr;
+ for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
+ return pos < str.length? pos : undefined;
+ }
+
+ function dateVariableWidthNumber(fmtChar, min, max, setter) {
+ return function (str, pos, date) {
+ var start = skipws(str, pos);
+ pos = skipdigits(str, start);
+ var s = str.substr(start, pos - start);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos;
+ }
+ return;
+ };
+ }
+
+ function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + width > n) return;
+ var s = str.substr(pos, width);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos + width;
+ }
+ return;
+ };
+ }
+
+ // Short month name (Jan..Dec).
+ function dateMonthName(long) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + 3 > n) return;
+ var mon = str.substr(pos, 3);
+ var idx = shortMonths[mon];
+ if (idx === undefined) {
+ idx = shortMonths[mon.toLowerCase()];
+ }
+ if (idx === undefined) {
+ //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
+ return;
+ }
+ date.setMonth(idx[0]+1);
+ return pos + 3 + (long ? idx[1] : 0);
+ };
+ }
+
+ function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.error(fn.name + " failed for '" + value + "'");
+ }
+ };
+ }
+
+ // The following regular expression for parsing URLs from:
+ // https://github.com/wizard04wsu/URI_Parsing
+ //
+ // The MIT License (MIT)
+ //
+ // Copyright (c) 2014 Andrew Harrison
+ //
+ // Permission is hereby granted, free of charge, to any person obtaining a copy of
+ // this software and associated documentation files (the "Software"), to deal in
+ // the Software without restriction, including without limitation the rights to
+ // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ // the Software, and to permit persons to whom the Software is furnished to do so,
+ // subject to the following conditions:
+ //
+ // The above copyright notice and this permission notice shall be included in all
+ // copies or substantial portions of the Software.
+ //
+ // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+ // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+ // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+ // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+ var uriScheme = 1;
+ var uriDomain = 5;
+ var uriPort = 6;
+ var uriPath = 7;
+ var uriPathAlt = 9;
+ var uriQuery = 11;
+
+ function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+ }
+
+ function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+ }
+
+ function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+ }
+
+ var extFromPage = /\.[^.]+$/;
+ function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+ }
+
+ function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+ }
+
+ function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+ }
+
+ var pageFromPathRegExp = /\/([^\/]+)$/;
+ var pageName = 1;
+
+ function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+ }
+
+ function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+ }
+
+ function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+ }
+
+ function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+ }
+
+ // Map common schemes to their default port.
+ // port has to be a string (will be converted at a later stage).
+ var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+ };
+
+ function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+ }
+
+ function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+ }
+
+ function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+ }
+
+ function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+ }
+
+ function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+ }
+
+ function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+ }
+
+ var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]},
+ "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} [%{p0}"); + + var dup2 = match("HEADER#1:0022/1_1", "nwparser.p0", "%{hpriority}][%{p0}"); + + var dup3 = match("HEADER#1:0022/1_2", "nwparser.p0", "%{hpriority}[%{p0}"); + + var dup4 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": "), + field("payload"), + ], + }); + + var dup5 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("payload"), + ], + }); + + var dup6 = match("HEADER#18:0034/0", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}]%{p0}"); + + var dup7 = match("HEADER#18:0034/1_0", "nwparser.p0", " [%{p0}"); + + var dup8 = match("HEADER#18:0034/1_1", "nwparser.p0", "[%{p0}"); + + var dup9 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": "), + field("hfld1"), + constant(" "), + field("payload"), + ], + }); + + var dup10 = call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant("_"), + field("msgIdPart2"), + ], + }); + + var dup11 = setc("eventcategory","1614000000"); + + var dup12 = setc("ec_activity","Scan"); + + var dup13 = setc("ec_theme","TEV"); + + var dup14 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup15 = setf("msg","$MSG"); + + var dup16 = setf("obj_name","hobj_name"); + + var dup17 = setc("obj_type","Asset"); + + var dup18 = setc("eventcategory","1614030000"); + + var dup19 = setc("ec_outcome","Error"); + + var dup20 = setc("eventcategory","1605000000"); + + var dup21 = setc("ec_activity","Start"); + + var dup22 = setc("ec_outcome","Success"); + + var dup23 = setc("eventcategory","1611000000"); + + var dup24 = setc("ec_activity","Stop"); + + var dup25 = setc("action","Shutting down"); + + var dup26 = setc("action","shutting down"); + 
+ var dup27 = setc("ec_outcome","Failure"); + + var dup28 = match("MESSAGE#17:NSE:01/0", "nwparser.payload", "%{} %{p0}"); + + var dup29 = setf("fld17","hfld17"); + + var dup30 = setf("group_object","hsite"); + + var dup31 = setf("shost","hshost"); + + var dup32 = setf("sport","hsport"); + + var dup33 = setf("protocol","hprotocol"); + + var dup34 = setf("fld18","hinfo"); + + var dup35 = setc("ec_subject","Service"); + + var dup36 = setc("event_description","Nexpose is changing the database port number"); + + var dup37 = setc("event_state","DONE"); + + var dup38 = setc("event_description","Nexpose is executing data transfer process"); + + var dup39 = setc("event_description","Nexpose is installing the database"); + + var dup40 = match("MESSAGE#52:Scan:06/0", "nwparser.payload", "Scan: [ %{p0}"); + + var dup41 = match("MESSAGE#52:Scan:06/1_0", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + + var dup42 = match("MESSAGE#52:Scan:06/1_1", "nwparser.p0", "%{saddr->} %{p0}"); + + var dup43 = setc("ec_outcome","Unknown"); + + var dup44 = setc("eventcategory","1701000000"); + + var dup45 = setc("ec_subject","User"); + + var dup46 = setc("ec_activity","Logon"); + + var dup47 = setc("ec_theme","Authentication"); + + var dup48 = setc("eventcategory","1401030000"); + + var dup49 = setc("ec_subject","NetworkComm"); + + var dup50 = setc("ec_subject","Group"); + + var dup51 = setc("ec_activity","Detect"); + + var dup52 = setc("ec_theme","Configuration"); + + var dup53 = setc("eventcategory","1801010000"); + + var dup54 = setf("obj_type","messageid"); + + var dup55 = setc("event_description","Cannot preload incremental pool with a connection"); + + var dup56 = setc("eventcategory","1605030000"); + + var dup57 = setc("ec_activity","Modify"); + + var dup58 = setc("action","Replaced conf values"); + + var dup59 = setc("service","fld1"); + + var dup60 = linear_select([ + dup7, + dup8, + ]); + + var dup61 = match("MESSAGE#416:Nexpose:12", "nwparser.payload", "%{event_description}", 
processor_chain([ + dup20, + dup14, + dup15, + ])); + + var dup62 = match("MESSAGE#46:SPIDER", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, + ])); + + var dup63 = linear_select([ + dup41, + dup42, + ]); + + var dup64 = match("MESSAGE#93:Attempting", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var dup65 = match("MESSAGE#120:path", "nwparser.payload", "%{info}", processor_chain([ + dup20, + dup15, + ])); + + var dup66 = match("MESSAGE#318:Loaded:01", "nwparser.payload", "%{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var dup67 = match("MESSAGE#236:Finished:03", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup15, + ])); + + var dup68 = match("MESSAGE#418:Mobile", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup25, + ])); + + var dup69 = match("MESSAGE#435:ConsoleProductInfoProvider", "nwparser.payload", "%{fld1->} %{action}", processor_chain([ + dup20, + dup14, + dup15, + dup59, + ])); + + var hdr1 = match("HEADER#0:0031", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] %{hfld39}[Thread: %{messageid}] [Started: %{hfld40}] [Duration: %{hfld41}] %{payload}", processor_chain([ + setc("header_id","0031"), + ])); + + var part1 = match("HEADER#1:0022/1_0", "nwparser.p0", "%{hpriority}] %{hfld39}[%{p0}"); + + var select1 = linear_select([ + part1, + dup2, + dup3, + ]); + + var part2 = match("HEADER#1:0022/2", "nwparser.p0", "Thread: %{hfld17}] %{messageid->} %{payload}"); + + var all1 = all_match({ + processors: [ + dup1, + select1, + part2, + ], + on_success: processor_chain([ + setc("header_id","0022"), + ]), + }); + + var hdr2 = match("HEADER#2:0028", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] %{messageid}: %{payload}", 
processor_chain([ + setc("header_id","0028"), + dup4, + ])); + + var hdr3 = match("HEADER#3:0017", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0017"), + dup5, + ])); + + var hdr4 = match("HEADER#4:0024", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] %{hfld41->} %{messageid->} completed %{payload}", processor_chain([ + setc("header_id","0024"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" completed "), + field("payload"), + ], + }), + ])); + + var hdr5 = match("HEADER#5:0018", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}:%{hsport}/%{hprotocol}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0018"), + dup5, + ])); + + var hdr6 = match("HEADER#6:0029", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Silo ID: %{hfld22}] [Site: %{hsite}] [Site ID: %{hinfo}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0029"), + dup5, + ])); + + var hdr7 = match("HEADER#7:0019", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0019"), + dup5, + ])); + + var hdr8 = match("HEADER#8:0020", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}:%{hsport}/%{hprotocol}] [%{hinfo}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0020"), + dup5, + ])); + + var hdr9 = match("HEADER#9:0021", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}] [%{hinfo}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0021"), + dup5, + ])); + + var 
hdr10 = match("HEADER#10:0023", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}] [%{hinfo}]: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0023"), + dup5, + ])); + + var hdr11 = match("HEADER#11:0036", "message", "%NEXPOSE-%{hfld49}: %{hfld1}: %{messageid->} %{hfld2->} %{payload}", processor_chain([ + setc("header_id","0036"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("hfld2"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr12 = match("HEADER#12:0001", "message", "%NEXPOSE-%{hfld49}: %{messageid->} %{hdate}T%{htime->} [%{hobj_name}] %{payload}", processor_chain([ + setc("header_id","0001"), + ])); + + var hdr13 = match("HEADER#13:0037", "message", "%NEXPOSE-%{hfld49}: %{messageid->} %{hfld1->} '%{hfld2}' - %{hfld1->} %{payload}", processor_chain([ + setc("header_id","0037"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("hfld1"), + constant(" '"), + field("hfld2"), + constant("' - "), + field("hfld1"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr14 = match("HEADER#14:0002", "message", "%NEXPOSE-%{hfld49}: %{messageid->} %{hdate}T%{htime->} %{payload}", processor_chain([ + setc("header_id","0002"), + ])); + + var hdr15 = match("HEADER#15:0003", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] (%{hfld41}) %{messageid->} %{payload}", processor_chain([ + setc("header_id","0003"), + dup5, + ])); + + var hdr16 = match("HEADER#16:0030", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] %{messageid}: %{payload}", processor_chain([ + setc("header_id","0030"), + dup4, + ])); + + var hdr17 = match("HEADER#17:0040", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Principal: %{username}] [%{messageid}: %{payload}", 
processor_chain([ + setc("header_id","0040"), + ])); + + var part3 = match("HEADER#18:0034/2", "nwparser.p0", "Thread: %{hfld17}] [%{hfld18}] [%{hfld19}] %{messageid->} %{hfld21->} %{payload}"); + + var all2 = all_match({ + processors: [ + dup6, + dup60, + part3, + ], + on_success: processor_chain([ + setc("header_id","0034"), + ]), + }); + + var part4 = match("HEADER#19:0035/1_0", "nwparser.p0", "%{hpriority}] [%{p0}"); + + var select2 = linear_select([ + part4, + dup2, + dup3, + ]); + + var part5 = match("HEADER#19:0035/2", "nwparser.p0", "Thread: %{hfld17}] [%{hfld18}] %{messageid->} %{hfld21->} %{payload}"); + + var all3 = all_match({ + processors: [ + dup1, + select2, + part5, + ], + on_success: processor_chain([ + setc("header_id","0035"), + ]), + }); + + var hdr18 = match("HEADER#20:0004", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + dup5, + ])); + + var part6 = match("HEADER#21:0032/2", "nwparser.p0", "Thread: %{hfld17}] [Silo ID: %{hfld18}] [Report: %{hobj_name}] [%{messageid->} Config ID: %{hfld19}] %{payload}"); + + var all4 = all_match({ + processors: [ + dup6, + dup60, + part6, + ], + on_success: processor_chain([ + setc("header_id","0032"), + ]), + }); + + var hdr19 = match("HEADER#22:0038", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{messageid}: %{hfld1->} %{payload}", processor_chain([ + setc("header_id","0038"), + dup9, + ])); + + var hdr20 = match("HEADER#23:0039", "message", "%NEXPOSE-%{hfld49}: %{messageid}: %{hfld1->} %{payload}", processor_chain([ + setc("header_id","0039"), + dup9, + ])); + + var hdr21 = match("HEADER#24:0005", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld48->} %{hfld41->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0005"), + dup5, + ])); + + var hdr22 = match("HEADER#25:0006", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] 
[%{messageid}] %{payload}", processor_chain([ + setc("header_id","0006"), + ])); + + var part7 = match("HEADER#26:0033/2", "nwparser.p0", "Thread: %{hfld17}] [%{hfld18}] [%{hfld19}] [%{p0}"); + + var part8 = match("HEADER#26:0033/3_0", "nwparser.p0", "%{hfld20}] [%{hfld21}] [%{hfld22}] [%{hfld23}]%{p0}"); + + var part9 = match("HEADER#26:0033/3_1", "nwparser.p0", "%{hfld20}] [%{hfld21}]%{p0}"); + + var part10 = match("HEADER#26:0033/3_2", "nwparser.p0", "%{hfld20}]%{p0}"); + + var select3 = linear_select([ + part8, + part9, + part10, + ]); + + var part11 = match("HEADER#26:0033/4", "nwparser.p0", "%{} %{messageid->} %{hfld24->} %{payload}"); + + var all5 = all_match({ + processors: [ + dup6, + dup60, + part7, + select3, + part11, + ], + on_success: processor_chain([ + setc("header_id","0033"), + ]), + }); + + var hdr23 = match("HEADER#27:0007", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0007"), + dup5, + ])); + + var hdr24 = match("HEADER#28:0008", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] (%{messageid}) %{payload}", processor_chain([ + setc("header_id","0008"), + ])); + + var hdr25 = match("HEADER#29:0009", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{fld41->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0009"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("fld41"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr26 = match("HEADER#30:0010", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{messageid}: %{payload}", processor_chain([ + setc("header_id","0010"), + dup4, + ])); + + var hdr27 = match("HEADER#31:0011", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} %{messageid}(%{hobj_name}): %{payload}", processor_chain([ + setc("header_id","0011"), + ])); + + var 
hdr28 = match("HEADER#32:0012", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} %{hfld41->} %{hfld42->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0012"), + dup5, + ])); + + var hdr29 = match("HEADER#33:0013", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld45->} (%{hfld46}) - %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{payload}", processor_chain([ + setc("header_id","0013"), + call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant("_"), + field("msgIdPart2"), + constant("_"), + field("msgIdPart3"), + ], + }), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld45"), + constant(" ("), + field("hfld46"), + constant(") - "), + field("msgIdPart1"), + constant(" "), + field("msgIdPart2"), + constant(" "), + field("msgIdPart3"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr30 = match("HEADER#34:0014", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld45->} (%{hfld46}) - %{msgIdPart1->} %{msgIdPart2->} %{payload}", processor_chain([ + setc("header_id","0014"), + dup10, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld45"), + constant(" ("), + field("hfld46"), + constant(") - "), + field("msgIdPart1"), + constant(" "), + field("msgIdPart2"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr31 = match("HEADER#35:0015", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld45->} (%{hfld46}) - %{messageid->} %{payload}", processor_chain([ + setc("header_id","0015"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld45"), + constant(" ("), + field("hfld46"), + constant(") - "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr32 = match("HEADER#36:0016", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld45->} 
(%{hfld46}) - %{msgIdPart1->} %{msgIdPart2}(U) %{payload}", processor_chain([ + setc("header_id","0016"), + dup10, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld45"), + constant(" ("), + field("hfld46"), + constant(") - "), + field("msgIdPart1"), + constant(" "), + field("msgIdPart2"), + constant("(U) "), + field("payload"), + ], + }), + ])); + + var hdr33 = match("HEADER#37:0026", "message", "%NEXPOSE-%{hfld49}: %{messageid->} Constructor threw %{payload}", processor_chain([ + setc("header_id","0026"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" Constructor threw "), + field("payload"), + ], + }), + ])); + + var hdr34 = match("HEADER#38:0027", "message", "%NEXPOSE-%{hfld49}: %{messageid->} Called method %{payload}", processor_chain([ + setc("header_id","0027"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" Called method "), + field("payload"), + ], + }), + ])); + + var hdr35 = match("HEADER#39:0025", "message", "%NEXPOSE-%{hfld49}: %{hfld41->} %{hfld42->} %{messageid->} frames %{payload}", processor_chain([ + setc("header_id","0025"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" frames "), + field("payload"), + ], + }), + ])); + + var hdr36 = match("HEADER#40:9999", "message", "%NEXPOSE-%{hfld49}: %{payload}", processor_chain([ + setc("header_id","9999"), + setc("messageid","NEXPOSE_GENERIC"), + ])); + + var select4 = linear_select([ + hdr1, + all1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, + hdr10, + hdr11, + hdr12, + hdr13, + hdr14, + hdr15, + hdr16, + hdr17, + all2, + all3, + hdr18, + all4, + hdr19, + hdr20, + hdr21, + hdr22, + all5, + hdr23, + hdr24, + hdr25, + hdr26, + hdr27, + hdr28, + hdr29, + hdr30, + hdr31, + hdr32, + hdr33, + hdr34, + hdr35, + hdr36, + ]); + + var part12 = match("MESSAGE#0:NOT_VULNERABLE_VERSION", "nwparser.payload", "%{signame->} - NOT 
VULNERABLE VERSION .", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg1 = msg("NOT_VULNERABLE_VERSION", part12); + + var part13 = match("MESSAGE#1:VULNERABLE_VERSION", "nwparser.payload", "%{signame->} - VULNERABLE VERSION .", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg2 = msg("VULNERABLE_VERSION", part13); + + var part14 = match("MESSAGE#2:NOT_VULNERABLE", "nwparser.payload", "%{signame->} - NOT VULNERABLE [UNIQUE ID: %{fld45}]", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg3 = msg("NOT_VULNERABLE", part14); + + var part15 = match("MESSAGE#3:NOT_VULNERABLE:01", "nwparser.payload", "%{signame->} - NOT VULNERABLE(U) [UNIQUE ID: %{fld45}]", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg4 = msg("NOT_VULNERABLE:01", part15); + + var part16 = match("MESSAGE#4:NOT_VULNERABLE:02", "nwparser.payload", "%{signame->} - NOT VULNERABLE .", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg5 = msg("NOT_VULNERABLE:02", part16); + + var select5 = linear_select([ + msg3, + msg4, + msg5, + ]); + + var part17 = match("MESSAGE#5:VULNERABLE", "nwparser.payload", "%{signame->} - VULNERABLE [UNIQUE ID: %{fld45}]", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg6 = msg("VULNERABLE", part17); + + var part18 = match("MESSAGE#6:VULNERABLE:01", "nwparser.payload", "%{signame->} - VULNERABLE .", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg7 = msg("VULNERABLE:01", part18); + + var select6 = linear_select([ + msg6, + msg7, + ]); + + var part19 = match("MESSAGE#7:ERROR", "nwparser.payload", "%{signame->} - ERROR [UNIQUE ID: %{fld45}] - %{context}", processor_chain([ + dup18, + dup12, + dup13, + dup19, + dup14, + dup15, + dup16, + 
dup17, + ])); + + var msg8 = msg("ERROR", part19); + + var part20 = match("MESSAGE#8:ERROR:01", "nwparser.payload", "%{signame->} - ERROR - %{context}", processor_chain([ + dup18, + dup12, + dup13, + dup19, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg9 = msg("ERROR:01", part20); + + var select7 = linear_select([ + msg8, + msg9, + ]); + + var part21 = match("MESSAGE#9:ExtMgr", "nwparser.payload", "Initialization successful.%{}", processor_chain([ + dup20, + dup21, + dup13, + dup22, + dup14, + dup15, + setc("event_description","Initialization successful"), + ])); + + var msg10 = msg("ExtMgr", part21); + + var part22 = match("MESSAGE#10:ExtMgr:01", "nwparser.payload", "initializing...%{}", processor_chain([ + dup20, + dup21, + dup13, + dup14, + dup15, + setc("event_description","initializing"), + ])); + + var msg11 = msg("ExtMgr:01", part22); + + var part23 = match("MESSAGE#11:ExtMgr:02", "nwparser.payload", "Shutdown successful.%{}", processor_chain([ + dup23, + dup24, + dup13, + dup22, + dup14, + dup15, + setc("event_description","Shutdown successful."), + ])); + + var msg12 = msg("ExtMgr:02", part23); + + var part24 = match("MESSAGE#12:ExtMgr:03", "nwparser.payload", "Shutting down...%{}", processor_chain([ + dup23, + dup24, + dup13, + dup14, + dup15, + dup25, + ])); + + var msg13 = msg("ExtMgr:03", part24); + + var select8 = linear_select([ + msg10, + msg11, + msg12, + msg13, + ]); + + var part25 = match("MESSAGE#13:ScanMgr", "nwparser.payload", "Shutting down %{info}", processor_chain([ + dup20, + dup24, + dup13, + dup14, + dup15, + dup25, + ])); + + var msg14 = msg("ScanMgr", part25); + + var part26 = match("MESSAGE#14:ScanMgr:01", "nwparser.payload", "shutting down...%{}", processor_chain([ + dup23, + dup24, + dup13, + dup14, + dup15, + dup26, + ])); + + var msg15 = msg("ScanMgr:01", part26); + + var part27 = match("MESSAGE#15:ScanMgr:02", "nwparser.payload", "Scan %{fld30->} is being stopped.", processor_chain([ + dup20, + dup12, + dup13, + dup27, + 
dup14, + dup15, + ])); + + var msg16 = msg("ScanMgr:02", part27); + + var select9 = linear_select([ + msg14, + msg15, + msg16, + ]); + + var part28 = match("MESSAGE#16:NSE", "nwparser.payload", "Logging initialized %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Logging initialized"), + ])); + + var msg17 = msg("NSE", part28); + + var part29 = match("MESSAGE#17:NSE:01/1_0", "nwparser.p0", "Initializing %{p0}"); + + var part30 = match("MESSAGE#17:NSE:01/1_1", "nwparser.p0", "initializing %{p0}"); + + var select10 = linear_select([ + part29, + part30, + ]); + + var part31 = match("MESSAGE#17:NSE:01/2", "nwparser.p0", "%{} %{fld30}"); + + var all6 = all_match({ + processors: [ + dup28, + select10, + part31, + ], + on_success: processor_chain([ + dup20, + dup14, + dup15, + setc("action","Initializing"), + ]), + }); + + var msg18 = msg("NSE:01", all6); + + var part32 = match("MESSAGE#18:NSE:02", "nwparser.payload", "shutting down %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + dup26, + ])); + + var msg19 = msg("NSE:02", part32); + + var part33 = match("MESSAGE#19:NSE:03", "nwparser.payload", "NeXpose scan engine initialization completed.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","NeXpose scan engine initialization completed."), + ])); + + var msg20 = msg("NSE:03", part33); + + var part34 = match("MESSAGE#20:NSE:04", "nwparser.payload", "disabling promiscuous on all devices...%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","disabling promiscuous on all devices"), + ])); + + var msg21 = msg("NSE:04", part34); + + var part35 = match("MESSAGE#213:NSE:05", "nwparser.payload", "NSE connection failure%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg22 = msg("NSE:05", part35); + + var part36 = match("MESSAGE#328:NSE:07", "nwparser.payload", "NSE DN is %{info}", processor_chain([ + dup20, + dup14, + 
dup15, + ])); + + var msg23 = msg("NSE:07", part36); + + var select11 = linear_select([ + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + ]); + + var part37 = match("MESSAGE#21:Console", "nwparser.payload", "NSE Name: %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg24 = msg("Console", part37); + + var part38 = match("MESSAGE#22:Console:01", "nwparser.payload", "NSE Identifier: %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg25 = msg("Console:01", part38); + + var part39 = match("MESSAGE#23:Console:02", "nwparser.payload", "NSE version: %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg26 = msg("Console:02", part39); + + var part40 = match("MESSAGE#24:Console:03", "nwparser.payload", "Last update: %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg27 = msg("Console:03", part40); + + var part41 = match("MESSAGE#25:Console:04", "nwparser.payload", "VM version: %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg28 = msg("Console:04", part41); + + var part42 = match("MESSAGE#26:Console:05", "nwparser.payload", "log rotation completed%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","log rotation completed"), + ])); + + var msg29 = msg("Console:05", part42); + + var part43 = match("MESSAGE#27:Console:06", "nwparser.payload", "rotating logs...%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","rotating logs"), + ])); + + var msg30 = msg("Console:06", part43); + + var select12 = linear_select([ + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + ]); + + var part44 = match("MESSAGE#28:ProtocolFper", "nwparser.payload", "Loaded %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Loaded"), + ])); + + var msg31 = msg("ProtocolFper", part44); + + var part45 = match("MESSAGE#29:Nexpose", "nwparser.payload", "Closing service: %{fld30}", processor_chain([ + dup20, + 
dup35, + dup24, + dup14, + dup15, + dup16, + dup17, + setc("action","Closing service"), + ])); + + var msg32 = msg("Nexpose", part45); + + var part46 = match("MESSAGE#30:Nexpose:01", "nwparser.payload", "Freeing %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, + setc("action","Freeing"), + ])); + + var msg33 = msg("Nexpose:01", part46); + + var part47 = match("MESSAGE#31:Nexpose:02", "nwparser.payload", "starting %{fld30}", processor_chain([ + dup11, + dup12, + dup13, + dup22, + dup14, + dup15, + dup16, + dup17, + setc("action","starting"), + ])); + + var msg34 = msg("Nexpose:02", part47); + + var part48 = match("MESSAGE#32:Nexpose:03", "nwparser.payload", "%{fld31->} nodes completed, %{fld32->} active, %{fld33->} pending.", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg35 = msg("Nexpose:03", part48); + + var part49 = match("MESSAGE#373:Backup_completed", "nwparser.payload", "Nexpose system backup completed successfully in %{info}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Backup completed"), + ])); + + var msg36 = msg("Backup_completed", part49); + + var part50 = match("MESSAGE#408:Nexpose:04", "nwparser.payload", "Nexpose is changing the database port number from %{change_old->} to %{change_new}. 
DONE.", processor_chain([ + dup20, + dup14, + dup15, + dup36, + dup37, + ])); + + var msg37 = msg("Nexpose:04", part50); + + var part51 = match("MESSAGE#409:Nexpose:05", "nwparser.payload", "Nexpose is changing the database port number from %{change_old->} to %{change_new}.", processor_chain([ + dup20, + dup14, + dup15, + dup36, + ])); + + var msg38 = msg("Nexpose:05", part51); + + var part52 = match("MESSAGE#410:Nexpose:06", "nwparser.payload", "Nexpose is executing the data transfer process from %{change_old->} to %{change_new->} DONE.", processor_chain([ + dup20, + dup14, + dup15, + dup38, + dup37, + ])); + + var msg39 = msg("Nexpose:06", part52); + + var part53 = match("MESSAGE#411:Nexpose:07", "nwparser.payload", "Nexpose is executing the data transfer process from %{change_old->} to %{change_new}", processor_chain([ + dup20, + dup14, + dup15, + dup38, + ])); + + var msg40 = msg("Nexpose:07", part53); + + var part54 = match("MESSAGE#412:Nexpose:08", "nwparser.payload", "Nexpose is installing the %{db_name->} database. 
DONE.", processor_chain([ + dup20, + dup14, + dup15, + dup39, + dup37, + ])); + + var msg41 = msg("Nexpose:08", part54); + + var part55 = match("MESSAGE#413:Nexpose:09", "nwparser.payload", "Nexpose is installing the %{db_name->} database to %{directory->} using PostgreSQL binaries from package %(unknown).%{fld1}.", processor_chain([ + dup20, + dup14, + dup15, + dup39, + ])); + + var msg42 = msg("Nexpose:09", part55); + + var part56 = match("MESSAGE#414:Nexpose:10", "nwparser.payload", "Nexpose is moving %{change_old->} to %{change_new}.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Nexpose is moving a directory"), + ])); + + var msg43 = msg("Nexpose:10", part56); + + var part57 = match("MESSAGE#415:Nexpose:11", "nwparser.payload", "%{event_description->} DONE.", processor_chain([ + dup20, + dup14, + dup15, + dup37, + ])); + + var msg44 = msg("Nexpose:11", part57); + + var msg45 = msg("Nexpose:12", dup61); + + var select13 = linear_select([ + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, + msg45, + ]); + + var part58 = match("MESSAGE#33:Shutting", "nwparser.payload", "Shutting down %{fld30}", processor_chain([ + dup23, + dup14, + dup15, + dup16, + dup17, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + dup25, + ])); + + var msg46 = msg("Shutting", part58); + + var part59 = match("MESSAGE#34:shutting:01", "nwparser.payload", "Interrupted, %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg47 = msg("shutting:01", part59); + + var part60 = match("MESSAGE#35:shutting", "nwparser.payload", "shutting down %{fld30}", processor_chain([ + dup23, + dup14, + dup15, + dup16, + dup17, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + dup26, + ])); + + var msg48 = msg("shutting", part60); + + var part61 = match("MESSAGE#36:Shutdown", "nwparser.payload", "Shutdown successful.%{}", processor_chain([ + dup23, + dup14, + dup15, + dup16, + 
dup17, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + dup25, + ])); + + var msg49 = msg("Shutdown", part61); + + var part62 = match("MESSAGE#37:Security", "nwparser.payload", "Security Console shutting down.%{}", processor_chain([ + dup23, + dup14, + dup15, + dup29, + dup25, + ])); + + var msg50 = msg("Security", part62); + + var part63 = match("MESSAGE#261:Security:02", "nwparser.payload", "Security Console restarting from an auto-update%{}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg51 = msg("Security:02", part63); + + var part64 = match("MESSAGE#296:Security:06", "nwparser.payload", "Started: %{fld1}] [Duration: %{fld2}] Security Console started", processor_chain([ + dup20, + dup15, + ])); + + var msg52 = msg("Security:06", part64); + + var part65 = match("MESSAGE#297:Security:03/0", "nwparser.payload", "%{}Security Console %{p0}"); + + var part66 = match("MESSAGE#297:Security:03/1_0", "nwparser.p0", "started %{}"); + + var part67 = match("MESSAGE#297:Security:03/1_1", "nwparser.p0", "web interface ready. %{info->} "); + + var select14 = linear_select([ + part66, + part67, + ]); + + var all7 = all_match({ + processors: [ + part65, + select14, + ], + on_success: processor_chain([ + dup20, + dup15, + ]), + }); + + var msg53 = msg("Security:03", all7); + + var part68 = match("MESSAGE#426:Security:04", "nwparser.payload", "Security Console is launching in Maintenance Mode. 
%{action}.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Security Console is launching in Maintenance Mode"), + ])); + + var msg54 = msg("Security:04", part68); + + var part69 = match("MESSAGE#427:Security:05", "nwparser.payload", "Security Console update failed.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Security Console update failed"), + ])); + + var msg55 = msg("Security:05", part69); + + var select15 = linear_select([ + msg50, + msg51, + msg52, + msg53, + msg54, + msg55, + ]); + + var part70 = match("MESSAGE#38:Web", "nwparser.payload", "Web server stopped%{}", processor_chain([ + dup23, + dup14, + dup15, + dup16, + dup17, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("action","Stopped"), + ])); + + var msg56 = msg("Web", part70); + + var part71 = match("MESSAGE#304:Web:02", "nwparser.payload", "Web %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg57 = msg("Web:02", part71); + + var select16 = linear_select([ + msg56, + msg57, + ]); + + var part72 = match("MESSAGE#39:Done", "nwparser.payload", "Done shutting down.%{}", processor_chain([ + dup23, + dup14, + dup15, + dup16, + dup17, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + dup26, + ])); + + var msg58 = msg("Done", part72); + + var part73 = match("MESSAGE#282:Done:02", "nwparser.payload", "Done with statistics generation [Started: %{fld1}] [Duration: %{fld2}].", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg59 = msg("Done:02", part73); + + var select17 = linear_select([ + msg58, + msg59, + ]); + + var part74 = match("MESSAGE#40:Queueing:01", "nwparser.payload", "Queueing %{protocol->} port scan", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg60 = msg("Queueing:01", part74); + + var part75 = match("MESSAGE#41:Queueing", "nwparser.payload", "Queueing %{fld30}", processor_chain([ + dup20, + dup14, + 
dup15, + dup16, + dup17, + setc("action","Queueing"), + ])); + + var msg61 = msg("Queueing", part75); + + var select18 = linear_select([ + msg60, + msg61, + ]); + + var part76 = match("MESSAGE#42:Performing/0", "nwparser.payload", "Performing %{p0}"); + + var part77 = match("MESSAGE#42:Performing/1_0", "nwparser.p0", "form %{p0}"); + + var part78 = match("MESSAGE#42:Performing/1_1", "nwparser.p0", "query %{p0}"); + + var select19 = linear_select([ + part77, + part78, + ]); + + var part79 = match("MESSAGE#42:Performing/2", "nwparser.p0", "%{}injection against %{info}"); + + var all8 = all_match({ + processors: [ + part76, + select19, + part79, + ], + on_success: processor_chain([ + dup20, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + setc("action","Performing injection"), + ]), + }); + + var msg62 = msg("Performing", all8); + + var part80 = match("MESSAGE#43:Performing:01", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg63 = msg("Performing:01", part80); + + var select20 = linear_select([ + msg62, + msg63, + ]); + + var part81 = match("MESSAGE#44:Trying", "nwparser.payload", "Trying %{fld30->} injection %{fld31}", processor_chain([ + dup20, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + setc("action","Trying injection"), + ])); + + var msg64 = msg("Trying", part81); + + var part82 = match("MESSAGE#45:Rewrote", "nwparser.payload", "Rewrote to %{url}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg65 = msg("Rewrote", part82); + + var msg66 = msg("SPIDER", dup62); + + var msg67 = msg("Preparing", dup62); + + var part83 = match("MESSAGE#48:Scan", "nwparser.payload", "Scan started by: \"%{username}\" %{fld34}", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + setc("action","scan started"), + ])); + + var msg68 = msg("Scan", part83); + + var part84 = match("MESSAGE#49:Scan:01", "nwparser.payload", "Scan 
[%{fld35}] completed in %{fld36}", processor_chain([ + dup11, + dup12, + dup13, + dup22, + dup14, + dup15, + setc("action","scan completed"), + ])); + + var msg69 = msg("Scan:01", part84); + + var part85 = match("MESSAGE#50:Scan:03", "nwparser.payload", "Scan for site %{fld11->} started by Schedule[%{info}].", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg70 = msg("Scan:03", part85); + + var part86 = match("MESSAGE#51:Scan:04", "nwparser.payload", "Scan startup took %{fld24->} seconds", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg71 = msg("Scan:04", part86); + + var part87 = match("MESSAGE#52:Scan:06/2", "nwparser.p0", "] %{fld12->} (%{info}) - VULNERABLE VERSION"); + + var all9 = all_match({ + processors: [ + dup40, + dup63, + part87, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), + }); + + var msg72 = msg("Scan:06", all9); + + var part88 = match("MESSAGE#53:Scan:05/2", "nwparser.p0", "] %{fld12->} (%{info}) - VULNERABLE"); + + var all10 = all_match({ + processors: [ + dup40, + dup63, + part88, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), + }); + + var msg73 = msg("Scan:05", all10); + + var part89 = match("MESSAGE#54:Scan:07/2", "nwparser.p0", "] %{fld12->} (%{info}) - NOT VULNERABLE VERSION"); + + var all11 = all_match({ + processors: [ + dup40, + dup63, + part89, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), + }); + + var msg74 = msg("Scan:07", all11); + + var part90 = match("MESSAGE#55:Scan:09/2", "nwparser.p0", "] %{fld12->} (%{info}) - NOT VULNERABLE [UNIQUE ID: %{fld13}]"); + + var all12 = 
all_match({ + processors: [ + dup40, + dup63, + part90, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), + }); + + var msg75 = msg("Scan:09", all12); + + var part91 = match("MESSAGE#56:Scan:08/2", "nwparser.p0", "] %{fld12->} (%{info}) - NOT VULNERABLE"); + + var all13 = all_match({ + processors: [ + dup40, + dup63, + part91, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), + }); + + var msg76 = msg("Scan:08", all13); + + var part92 = match("MESSAGE#57:Scan:10", "nwparser.payload", "Scan for site %{fld12->} started by \"%{username}\".", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg77 = msg("Scan:10", part92); + + var part93 = match("MESSAGE#58:Scan:11", "nwparser.payload", "Scan stopped: \"%{username}\"", processor_chain([ + dup18, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg78 = msg("Scan:11", part93); + + var part94 = match("MESSAGE#59:Scan:12", "nwparser.payload", "Scan Engine shutting down...%{}", processor_chain([ + dup23, + dup12, + dup13, + dup19, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg79 = msg("Scan:12", part94); + + var part95 = match("MESSAGE#60:Scan:13", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Scan synopsis inconsistency resolved.", processor_chain([ + dup11, + dup12, + dup13, + dup22, + dup14, + dup15, + setc("event_description","Scan synopsis inconsistency resolved"), + ])); + + var msg80 = msg("Scan:13", part95); + + var part96 = match("MESSAGE#62:Scan:15/0", "nwparser.payload", "Silo ID: %{fld1}] [Scan ID: %{fld2}] Scan for site %{audit_object->} - %{p0}"); + + var part97 = match("MESSAGE#62:Scan:15/1_0", 
"nwparser.p0", "Non-Windows Systems Audit%{p0}"); + + var part98 = match("MESSAGE#62:Scan:15/1_1", "nwparser.p0", "Audit%{p0}"); + + var select21 = linear_select([ + part97, + part98, + ]); + + var part99 = match("MESSAGE#62:Scan:15/2", "nwparser.p0", "%{}restored. %{info}"); + + var all14 = all_match({ + processors: [ + part96, + select21, + part99, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup22, + dup14, + dup15, + setc("event_description","Scan for site restored"), + ]), + }); + + var msg81 = msg("Scan:15", all14); + + var part100 = match("MESSAGE#63:Scan:02", "nwparser.payload", "%{event_description}", processor_chain([ + dup11, + dup12, + dup13, + dup22, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg82 = msg("Scan:02", part100); + + var select22 = linear_select([ + msg68, + msg69, + msg70, + msg71, + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + msg82, + ]); + + var part101 = match("MESSAGE#61:Scan:14", "nwparser.payload", "Scan ID: %{fld1}] Inconsistency discovered for scan. %{info}", processor_chain([ + dup18, + dup12, + dup13, + dup43, + dup14, + dup15, + setc("event_description","Inconsistency discovered for scan"), + ])); + + var msg83 = msg("Scan:14", part101); + + var part102 = match("MESSAGE#64:Site", "nwparser.payload", "Site saved.%{}", processor_chain([ + dup44, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg84 = msg("Site", part102); + + var part103 = match("MESSAGE#65:Authenticated", "nwparser.payload", "Authenticated: %{username}", processor_chain([ + setc("eventcategory","1401060000"), + dup45, + dup46, + dup47, + dup22, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg85 = msg("Authenticated", part103); + + var part104 = match("MESSAGE#66:Authentication", "nwparser.payload", "Authentication failed. 
Login information is missing.%{}", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg86 = msg("Authentication", part104); + + var part105 = match("MESSAGE#67:Authentication:01", "nwparser.payload", "Authentication failed for %{username}: Access denied.", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg87 = msg("Authentication:01", part105); + + var part106 = match("MESSAGE#68:Authentication:02", "nwparser.payload", "Authentication failed. User account may be invalid or disabled.%{}", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg88 = msg("Authentication:02", part106); + + var part107 = match("MESSAGE#69:Authentication:03", "nwparser.payload", "%{info}", processor_chain([ + setc("eventcategory","1304000000"), + dup45, + dup46, + dup47, + dup14, + dup15, + dup16, + dup29, + ])); + + var msg89 = msg("Authentication:03", part107); + + var select23 = linear_select([ + msg86, + msg87, + msg88, + msg89, + ]); + + var part108 = match("MESSAGE#70:User", "nwparser.payload", "User (%{username}) is over the limit (%{fld12}) for failed login attempts.", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg90 = msg("User", part108); + + var part109 = match("MESSAGE#265:User:04", "nwparser.payload", "User name: %{username}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg91 = msg("User:04", part109); + + var select24 = linear_select([ + msg90, + msg91, + ]); + + var msg92 = msg("persistent-xss", dup61); + + var part110 = match("MESSAGE#72:Adding:01", "nwparser.payload", "Adding user to datastore: %{username}", 
processor_chain([ + setc("eventcategory","1402020200"), + dup45, + setc("ec_activity","Create"), + dup47, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("obj_type","User"), + ])); + + var msg93 = msg("Adding:01", part110); + + var msg94 = msg("Adding", dup62); + + var select25 = linear_select([ + msg93, + msg94, + ]); + + var msg95 = msg("credentials", dup62); + + var msg96 = msg("SPIDER-XSS", dup62); + + var msg97 = msg("Processing", dup62); + + var msg98 = msg("but", dup62); + + var msg99 = msg("j_password", dup62); + + var msg100 = msg("j_username", dup62); + + var msg101 = msg("osspi_defaultTargetLocation", dup62); + + var part111 = match("MESSAGE#81:spider-parse-robot-exclusions", "nwparser.payload", "spider-parse-robot-exclusions: %{fld40->} Malformed HTTP %{fld41}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg102 = msg("spider-parse-robot-exclusions", part111); + + var msg103 = msg("Cataloged", dup62); + + var msg104 = msg("Dumping", dup62); + + var msg105 = msg("Form", dup62); + + var msg106 = msg("Relaunching", dup62); + + var msg107 = msg("main", dup62); + + var msg108 = msg("SystemFingerprint", dup62); + + var part112 = match("MESSAGE#88:Searching", "nwparser.payload", "Searching for %{service->} domain %{fld11}...", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg109 = msg("Searching", part112); + + var msg110 = msg("TCPSocket", dup62); + + var part113 = match("MESSAGE#90:connected", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup49, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg111 = msg("connected", part113); + + var part114 = match("MESSAGE#91:Failed", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup49, + dup27, + dup14, + dup15, + ])); + + var msg112 = msg("Failed", part114); + + var part115 = match("MESSAGE#92:Attempting:01", 
"nwparser.payload", "Attempting to authenticate user %{username->} from %{saddr}.", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg113 = msg("Attempting:01", part115); + + var msg114 = msg("Attempting", dup64); + + var select26 = linear_select([ + msg113, + msg114, + ]); + + var part116 = match("MESSAGE#94:Recursively:01", "nwparser.payload", "Recursively listing files on %{service}[%{info}]", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg115 = msg("Recursively:01", part116); + + var msg116 = msg("Recursively", dup62); + + var select27 = linear_select([ + msg115, + msg116, + ]); + + var msg117 = msg("building", dup62); + + var msg118 = msg("Sending", dup62); + + var msg119 = msg("sending", dup64); + + var part117 = match("MESSAGE#99:creating", "nwparser.payload", "creating new connection to %{obj_name}", processor_chain([ + dup20, + dup49, + dup14, + dup15, + dup17, + ])); + + var msg120 = msg("creating", part117); + + var part118 = match("MESSAGE#100:Trusted", "nwparser.payload", "Trusted MAC address checking is disabled%{}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg121 = msg("Trusted", part118); + + var part119 = match("MESSAGE#101:signon_type", "nwparser.payload", "signon_type: %{fld40}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg122 = msg("signon_type", part119); + + var msg123 = msg("list-user-directory", dup62); + + var msg124 = msg("dcerpc-get-ms-blaster-codes", dup62); + + var msg125 = msg("Could", dup62); + + var part120 = match("MESSAGE#105:Asserting", "nwparser.payload", "Asserting software fingerprint name=%{obj_name}, version=%{version}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("obj_type","Software Fingerprint"), + ])); + + var msg126 = msg("Asserting", part120); 
+ + var part121 = match("MESSAGE#106:Asserting:01", "nwparser.payload", "Asserting run entry: %{service}: %(unknown)", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg127 = msg("Asserting:01", part121); + + var part122 = match("MESSAGE#107:Asserting:02", "nwparser.payload", "Asserting network interface: %{sinterface->} with IP: %{saddr->} and netmask: %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg128 = msg("Asserting:02", part122); + + var part123 = match("MESSAGE#108:Asserting:03", "nwparser.payload", "Asserting highest MDAC version of %{version}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg129 = msg("Asserting:03", part123); + + var msg130 = msg("Asserting:04", dup62); + + var select28 = linear_select([ + msg126, + msg127, + msg128, + msg129, + msg130, + ]); + + var part124 = match("MESSAGE#110:Determining:01", "nwparser.payload", "Determining version of file %{filename->} (%{application})", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg131 = msg("Determining:01", part124); + + var msg132 = msg("Determining", dup62); + + var select29 = linear_select([ + msg131, + msg132, + ]); + + var part125 = match("MESSAGE#112:Webmin", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup35, + dup27, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg133 = msg("Webmin", part125); + + var part126 = match("MESSAGE#113:Running:02", "nwparser.payload", "Running unresolved %{service}", processor_chain([ + dup20, + dup35, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg134 = msg("Running:02", part126); + + var part127 = match("MESSAGE#114:Running:01", "nwparser.payload", "Running 
%{protocol->} service %{service}", processor_chain([ + dup20, + dup35, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg135 = msg("Running:01", part127); + + var part128 = match("MESSAGE#115:Running", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup35, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg136 = msg("Running", part128); + + var select30 = linear_select([ + msg134, + msg135, + msg136, + ]); + + var part129 = match("MESSAGE#116:path:/0_0", "nwparser.payload", "Service path:%{p0}"); + + var part130 = match("MESSAGE#116:path:/0_1", "nwparser.payload", "path:%{p0}"); + + var select31 = linear_select([ + part129, + part130, + ]); + + var part131 = match("MESSAGE#116:path:/1", "nwparser.p0", "%{} %(unknown)"); + + var all15 = all_match({ + processors: [ + select31, + part131, + ], + on_success: processor_chain([ + dup20, + dup15, + ]), + }); + + var msg137 = msg("path:", all15); + + var part132 = match("MESSAGE#117:path:01", "nwparser.payload", "Service path is insecure.%{}", processor_chain([ + dup20, + dup15, + setc("info","Service path is insecure."), + ])); + + var msg138 = msg("path:01", part132); + + var part133 = match("MESSAGE#118:Service", "nwparser.payload", "Service %{service->} %{action->} on Provider: %{fld2}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg139 = msg("Service", part133); + + var part134 = match("MESSAGE#119:ServiceFingerprint", "nwparser.payload", "Service running: %{event_description}", processor_chain([ + dup20, + dup35, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg140 = msg("ServiceFingerprint", part134); + + var msg141 = msg("path", dup65); + + var select32 = linear_select([ + msg137, + msg138, + msg139, + msg140, + msg141, + ]); + + var msg142 = msg("using", dup61); + + var part135 = match("MESSAGE#122:Found:01", "nwparser.payload", "Found group: CIFS Group %{group}", processor_chain([ + dup20, + dup50, + dup51, + 
dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg143 = msg("Found:01", part135); + + var part136 = match("MESSAGE#123:Found:02", "nwparser.payload", "Found user: CIFS User %{username}", processor_chain([ + dup20, + dup45, + dup51, + dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg144 = msg("Found:02", part136); + + var part137 = match("MESSAGE#124:Found:03", "nwparser.payload", "Found user %{username}", processor_chain([ + dup20, + dup45, + dup51, + dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg145 = msg("Found:03", part137); + + var part138 = match("MESSAGE#125:Found:04", "nwparser.payload", "Found interface %{sinterface}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg146 = msg("Found:04", part138); + + var part139 = match("MESSAGE#126:Found:05", "nwparser.payload", "Found DHCP-assigned WINS server: %{saddr}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg147 = msg("Found:05", part139); + + var msg148 = msg("Found", dup62); + + var select33 = linear_select([ + msg143, + msg144, + msg145, + msg146, + msg147, + msg148, + ]); + + var part140 = match("MESSAGE#128:FTP", "nwparser.payload", "FTP name: %{fld40}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, + ])); + + var msg149 = msg("FTP", part140); + + var part141 = match("MESSAGE#129:Starting:02", "nwparser.payload", "Starting Office fingerprinting with dir %{directory}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg150 = msg("Starting:02", part141); + + var part142 = match("MESSAGE#130:Starting:01", "nwparser.payload", "Starting scan against %{fld11->} (%{fld12}) with scan template: 
%{fld13}.", processor_chain([ + dup20, + dup12, + dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg151 = msg("Starting:01", part142); + + var msg152 = msg("Starting", dup62); + + var select34 = linear_select([ + msg150, + msg151, + msg152, + ]); + + var msg153 = msg("loading", dup61); + + var part143 = match("MESSAGE#133:trying", "nwparser.payload", "trying the next key: %{fld11}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg154 = msg("trying", part143); + + var msg155 = msg("Retrieving", dup64); + + var part144 = match("MESSAGE#135:Got", "nwparser.payload", "Got version: %{version}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + ])); + + var msg156 = msg("Got", part144); + + var msg157 = msg("unexpected", dup64); + + var part145 = match("MESSAGE#137:checking:03", "nwparser.payload", "checking version of '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg158 = msg("checking:03", part145); + + var part146 = match("MESSAGE#138:No", "nwparser.payload", "No closed UDP ports, IP fingerprinting may be less accurate%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg159 = msg("No", part146); + + var part147 = match("MESSAGE#139:No:01", "nwparser.payload", "No credentials available%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg160 = msg("No:01", part147); + + var part148 = match("MESSAGE#140:No:02", "nwparser.payload", "No access to %{directory->} with %{service}[%{info}]", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg161 = msg("No:02", part148); + + var part149 = match("MESSAGE#141:No:03", 
"nwparser.payload", "No approved updates found for processing.%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg162 = msg("No:03", part149); + + var msg163 = msg("No:04", dup61); + + var select35 = linear_select([ + msg159, + msg160, + msg161, + msg162, + msg163, + ]); + + var part150 = match("MESSAGE#142:Applying", "nwparser.payload", "Applying update ID %{fld12}.", processor_chain([ + dup44, + dup52, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg164 = msg("Applying", part150); + + var part151 = match("MESSAGE#143:Update", "nwparser.payload", "Update ID %{fld12->} applied successfully.", processor_chain([ + dup44, + dup52, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg165 = msg("Update", part151); + + var part152 = match("MESSAGE#227:Update:02", "nwparser.payload", "Update ID %{fld1}, for product ID %{id}, %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg166 = msg("Update:02", part152); + + var msg167 = msg("Update:03", dup61); + + var select36 = linear_select([ + msg165, + msg166, + msg167, + ]); + + var part153 = match("MESSAGE#144:Installing", "nwparser.payload", "Installing directory %{directory}.", processor_chain([ + dup20, + dup52, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg168 = msg("Installing", part153); + + var part154 = match("MESSAGE#145:Installing:01", "nwparser.payload", "Installing file, %(unknown).", processor_chain([ + dup20, + dup52, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg169 = msg("Installing:01", part154); + + var part155 = match("MESSAGE#405:Installing:02", "nwparser.payload", "Installing Postgres files into %{directory->} from %{info}", processor_chain([ + dup20, + dup14, + dup15, + 
setc("event_description","Installing Postgres files"), + ])); + + var msg170 = msg("Installing:02", part155); + + var select37 = linear_select([ + msg168, + msg169, + msg170, + ]); + + var part156 = match("MESSAGE#146:Resolving", "nwparser.payload", "Resolving additional DNS records%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg171 = msg("Resolving", part156); + + var part157 = match("MESSAGE#147:DNS", "nwparser.payload", "DNS name: %{obj_name}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("obj_type","DNS"), + ])); + + var msg172 = msg("DNS", part157); + + var part158 = match("MESSAGE#148:Scanning", "nwparser.payload", "Scanning %{fld23->} %{protocol->} ports", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg173 = msg("Scanning", part158); + + var msg174 = msg("param:", dup64); + + var part159 = match("MESSAGE#150:Windows", "nwparser.payload", "Windows %{obj_name->} dir is: '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg175 = msg("Windows", part159); + + var part160 = match("MESSAGE#151:Windows:01", "nwparser.payload", "Windows Media Player version: %{version}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg176 = msg("Windows:01", part160); + + var msg177 = msg("Windows:02", dup61); + + var select38 = linear_select([ + msg175, + msg176, + msg177, + ]); + + var msg178 = msg("Parsed", dup64); + + var part161 = match("MESSAGE#153:JRE", "nwparser.payload", "JRE version %{version->} is installed", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg179 = msg("JRE", part161); + 
+ var msg180 = msg("Microsoft", dup64); + + var part162 = match("MESSAGE#155:MDAC", "nwparser.payload", "MDAC version: %{version}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg181 = msg("MDAC", part162); + + var part163 = match("MESSAGE#156:Name", "nwparser.payload", "Name Server: %{saddr}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg182 = msg("Name", part163); + + var msg183 = msg("Flash", dup64); + + var msg184 = msg("Skipping", dup64); + + var part164 = match("MESSAGE#159:Closing", "nwparser.payload", "Closing service: %{service->} (source: %{info})", processor_chain([ + dup20, + dup35, + dup24, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg185 = msg("Closing", part164); + + var part165 = match("MESSAGE#238:Closing:03", "nwparser.payload", "Engine: %{fld1}] [Engine ID: %{fld3}] Closing connection to scan engine.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Closing connection to scan engine"), + ])); + + var msg186 = msg("Closing:03", part165); + + var msg187 = msg("Closing:02", dup61); + + var select39 = linear_select([ + msg185, + msg186, + msg187, + ]); + + var part166 = match("MESSAGE#160:key", "nwparser.payload", "key does not exist: %{fld11}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg188 = msg("key", part166); + + var part167 = match("MESSAGE#161:Listing", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup50, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg189 = msg("Listing", part167); + + var msg190 = msg("Getting", dup64); + + var part168 = match("MESSAGE#163:Version:", "nwparser.payload", "Version: %{version}", processor_chain([ + dup20, + dup14, + 
dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg191 = msg("Version:", part168); + + var msg192 = msg("IE", dup64); + + var part169 = match("MESSAGE#165:Completed", "nwparser.payload", "Completed %{protocol->} port scan (%{dclass_counter1->} open ports): %{fld11->} seconds", processor_chain([ + dup20, + dup12, + dup13, + dup22, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","No. of Open ports"), + ])); + + var msg193 = msg("Completed", part169); + + var part170 = match("MESSAGE#291:Completed:01", "nwparser.payload", "Completed %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg194 = msg("Completed:01", part170); + + var part171 = match("MESSAGE#344:Completed:02", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Completed computation of asset group synopses.", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Completed computation of asset group synopses"), + ])); + + var msg195 = msg("Completed:02", part171); + + var part172 = match("MESSAGE#345:Completed:03", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Completed computation of site synopsis.", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Completed computation of site synopsis"), + ])); + + var msg196 = msg("Completed:03", part172); + + var part173 = match("MESSAGE#346:Completed:04", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Completed recomputation of synopsis data.", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Completed recomputation of synopsis data"), + ])); + + var msg197 = msg("Completed:04", part173); + + var part174 = match("MESSAGE#347:Completed:05", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] %{event_description}", processor_chain([ + dup18, 
+ dup12, + dup13, + dup43, + dup14, + dup15, + ])); + + var msg198 = msg("Completed:05", part174); + + var part175 = match("MESSAGE#348:Completed:06", "nwparser.payload", "Started: %{fld2}T%{fld3}] [Duration: %{fld4}] %{event_description}", processor_chain([ + dup18, + dup12, + dup13, + dup43, + dup14, + dup15, + ])); + + var msg199 = msg("Completed:06", part175); + + var part176 = match("MESSAGE#460:Completed:07", "nwparser.payload", "%{fld1}] [%{fld2}] [%{fld3}] [%{fld4}] [Started: %{fld5}T%{fld6}] [Duration: %{fld7}] Completed purging sub-scan results.", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Completed purging sub-scan results"), + ])); + + var msg200 = msg("Completed:07", part176); + + var part177 = match("MESSAGE#461:Completed:08", "nwparser.payload", "SiteID: %{fld1}] [Scan ID: %{fld2}] [Started: %{fld3}T%{fld4}] [Duration: %{fld5}] Completed computation of synopsis.", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Completed computation of synopsis"), + ])); + + var msg201 = msg("Completed:08", part177); + + var select40 = linear_select([ + msg193, + msg194, + msg195, + msg196, + msg197, + msg198, + msg199, + msg200, + msg201, + ]); + + var part178 = match("MESSAGE#166:Retrieved", "nwparser.payload", "Retrieved XML version %{version->} for file %(unknown)", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg202 = msg("Retrieved", part178); + + var part179 = match("MESSAGE#167:CIFS", "nwparser.payload", "CIFS Name Service name: %{service}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg203 = msg("CIFS", part179); + + var msg204 = msg("Cached:", dup64); + + var msg205 = msg("Enumerating", dup64); + + var part180 = match("MESSAGE#170:Checking:01", "nwparser.payload", "Checking for approved updates.%{}", processor_chain([ + dup20, + dup14, + dup15, + 
dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg206 = msg("Checking:01", part180); + + var msg207 = msg("Checking:02", dup64); + + var select41 = linear_select([ + msg206, + msg207, + ]); + + var part181 = match("MESSAGE#172:CSIDL_SYSTEMX86", "nwparser.payload", "CSIDL_SYSTEMX86 dir is: '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg208 = msg("CSIDL_SYSTEMX86", part181); + + var part182 = match("MESSAGE#173:CSIDL_SYSTEM", "nwparser.payload", "CSIDL_SYSTEM dir is: '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg209 = msg("CSIDL_SYSTEM", part182); + + var part183 = match("MESSAGE#174:office", "nwparser.payload", "office root dir is: '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg210 = msg("office", part183); + + var part184 = match("MESSAGE#175:Exchange", "nwparser.payload", "Exchange root dir is: '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg211 = msg("Exchange", part184); + + var part185 = match("MESSAGE#176:SQL", "nwparser.payload", "SQL Server root dir is: '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg212 = msg("SQL", part185); + + var part186 = match("MESSAGE#177:starting", "nwparser.payload", "starting %{service}", processor_chain([ + dup20, + dup12, + dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg213 = msg("starting", part186); + + var part187 = match("MESSAGE#178:Host", "nwparser.payload", "Host type (from MAC %{smacaddr}): %{fld11}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + 
dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg214 = msg("Host", part187); + + var part188 = match("MESSAGE#268:Host:01", "nwparser.payload", "Host Address: %{saddr}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg215 = msg("Host:01", part188); + + var part189 = match("MESSAGE#269:Host:02", "nwparser.payload", "Host FQDN: %{fqdn}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg216 = msg("Host:02", part189); + + var select42 = linear_select([ + msg214, + msg215, + msg216, + ]); + + var part190 = match("MESSAGE#179:Advertising", "nwparser.payload", "Advertising %{service->} service", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg217 = msg("Advertising", part190); + + var part191 = match("MESSAGE#180:IP", "nwparser.payload", "IP fingerprint:%{fld11}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg218 = msg("IP", part191); + + var part192 = match("MESSAGE#181:Updating:01", "nwparser.payload", "Updating file, %(unknown).", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg219 = msg("Updating:01", part192); + + var part193 = match("MESSAGE#182:Updating", "nwparser.payload", "Updating %{info}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg220 = msg("Updating", part193); + + var select43 = linear_select([ + msg219, + msg220, + ]); + + var part194 = match("MESSAGE#183:Updated", "nwparser.payload", "Updated risk scores for %{dclass_counter1->} vulnerabilities in %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","Number of vulnerabilities"), + ])); + + var msg221 = msg("Updated", part194); + + var part195 = 
match("MESSAGE#184:Updated:01", "nwparser.payload", "Updated risk scores for %{dclass_counter1->} assets in %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","Number of assets"), + ])); + + var msg222 = msg("Updated:01", part195); + + var part196 = match("MESSAGE#185:Updated:02", "nwparser.payload", "Updated risk scores for %{dclass_counter1->} sites in %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","Number of sites"), + ])); + + var msg223 = msg("Updated:02", part196); + + var part197 = match("MESSAGE#186:Updated:03", "nwparser.payload", "Updated risk scores for %{dclass_counter1->} groups in %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","Number of groups"), + ])); + + var msg224 = msg("Updated:03", part197); + + var part198 = match("MESSAGE#260:Updated:04/0", "nwparser.payload", "Started: %{fld2}] [Duration: %{fld3}] Updated risk scores for %{fld1->} %{p0}"); + + var part199 = match("MESSAGE#260:Updated:04/1_0", "nwparser.p0", "vulnerabilities.%{}"); + + var part200 = match("MESSAGE#260:Updated:04/1_1", "nwparser.p0", "assets.%{}"); + + var part201 = match("MESSAGE#260:Updated:04/1_2", "nwparser.p0", "sites.%{}"); + + var part202 = match("MESSAGE#260:Updated:04/1_3", "nwparser.p0", "groups.%{}"); + + var select44 = linear_select([ + part199, + part200, + part201, + part202, + ]); + + var all16 = all_match({ + processors: [ + part198, + select44, + ], + on_success: processor_chain([ + dup20, + dup15, + ]), + }); + + var msg225 = msg("Updated:04", all16); + + var part203 = match("MESSAGE#311:Updated:06/0", "nwparser.payload", "%{fld1}] [Started: %{fld2}] [Duration: %{fld3}] Updated %{p0}"); + + var part204 = match("MESSAGE#311:Updated:06/1_0", "nwparser.p0", 
"scan risk scores%{p0}"); + + var part205 = match("MESSAGE#311:Updated:06/1_1", "nwparser.p0", "risk scores for site%{p0}"); + + var select45 = linear_select([ + part204, + part205, + ]); + + var part206 = match("MESSAGE#311:Updated:06/2", "nwparser.p0", ".%{}"); + + var all17 = all_match({ + processors: [ + part203, + select45, + part206, + ], + on_success: processor_chain([ + dup11, + dup14, + dup15, + setc("event_description","Updated risk scores"), + ]), + }); + + var msg226 = msg("Updated:06", all17); + + var msg227 = msg("Updated:05", dup65); + + var select46 = linear_select([ + msg221, + msg222, + msg223, + msg224, + msg225, + msg226, + msg227, + ]); + + var part207 = match("MESSAGE#187:Started", "nwparser.payload", "Started auto-update.%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg228 = msg("Started", part207); + + var msg229 = msg("Started:02", dup61); + + var select47 = linear_select([ + msg228, + msg229, + ]); + + var part208 = match("MESSAGE#188:Executing", "nwparser.payload", "Executing job JobID[%{info}] Risk and daily history updater for silo %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg230 = msg("Executing", part208); + + var part209 = match("MESSAGE#189:Executing:01", "nwparser.payload", "Executing job JobID[%{info}] Auto-update retriever", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg231 = msg("Executing:01", part209); + + var part210 = match("MESSAGE#190:Executing:02", "nwparser.payload", "Executing job JobID[%{info}] %{fld1->} retention updater-default", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg232 = msg("Executing:02", part210); + + var part211 = match("MESSAGE#191:Executing:04", "nwparser.payload", "Executing job JobID[%{info}] %{obj_type}: %{obj_name}", 
processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg233 = msg("Executing:04", part211); + + var part212 = match("MESSAGE#326:Executing:03", "nwparser.payload", "Executing SQL: %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg234 = msg("Executing:03", part212); + + var select48 = linear_select([ + msg230, + msg231, + msg232, + msg233, + msg234, + ]); + + var part213 = match("MESSAGE#192:A", "nwparser.payload", "A set of SSH administrative credentials have failed verification.%{}", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg235 = msg("A", part213); + + var part214 = match("MESSAGE#193:Administrative:01", "nwparser.payload", "Administrative credentials failed (access denied).%{}", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg236 = msg("Administrative:01", part214); + + var part215 = match("MESSAGE#194:Administrative", "nwparser.payload", "Administrative credentials for %{service->} will be used.", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg237 = msg("Administrative", part215); + + var select49 = linear_select([ + msg236, + msg237, + ]); + + var part216 = match("MESSAGE#195:Initializing:01", "nwparser.payload", "Engine: %{fld1}] [Engine ID: %{fld2}] Initializing remote scan engine (%{dhost}).", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Initializing remote scan engine"), + ])); + + var msg238 = msg("Initializing:01", part216); + + var part217 = match("MESSAGE#196:Initializing/1_0", "nwparser.p0", "Initializing %{service}."); + + var part218 = match("MESSAGE#196:Initializing/1_1", "nwparser.p0", "Initializing JDBC drivers %{}"); + + var part219 = match("MESSAGE#196:Initializing/1_2", 
"nwparser.p0", "%{event_description}"); + + var select50 = linear_select([ + part217, + part218, + part219, + ]); + + var all18 = all_match({ + processors: [ + dup28, + select50, + ], + on_success: processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), + }); + + var msg239 = msg("Initializing", all18); + + var select51 = linear_select([ + msg238, + msg239, + ]); + + var msg240 = msg("Creating", dup64); + + var msg241 = msg("Loading", dup64); + + var part220 = match("MESSAGE#199:Loaded", "nwparser.payload", "Loaded %{dclass_counter1->} policy checks for scan.", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","No. of policies"), + ])); + + var msg242 = msg("Loaded", part220); + + var msg243 = msg("Loaded:01", dup66); + + var select52 = linear_select([ + msg242, + msg243, + ]); + + var part221 = match("MESSAGE#200:Finished", "nwparser.payload", "Finished locating %{dclass_counter1->} live nodes. [Started: %{fld11}] [Duration: %{fld12}]", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","No. 
of live nodes"), + ])); + + var msg244 = msg("Finished", part221); + + var part222 = match("MESSAGE#201:Finished:01", "nwparser.payload", "Finished loading %{service}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg245 = msg("Finished:01", part222); + + var part223 = match("MESSAGE#202:Finished:02", "nwparser.payload", "Finished resolving DNS records%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg246 = msg("Finished:02", part223); + + var msg247 = msg("Finished:03", dup67); + + var select53 = linear_select([ + msg244, + msg245, + msg246, + msg247, + ]); + + var msg248 = msg("CheckProcessor:", dup64); + + var msg249 = msg("Locating", dup64); + + var part224 = match("MESSAGE#205:TCP", "nwparser.payload", "TCP port scanner is using: %{fld11}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg250 = msg("TCP", part224); + + var part225 = match("MESSAGE#206:UDP", "nwparser.payload", "UDP port scanner is using: %{fld11}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg251 = msg("UDP", part225); + + var part226 = match("MESSAGE#207:Queued", "nwparser.payload", "Queued live nodes for scanning: %{dclass_counter1}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","Live nodes"), + ])); + + var msg252 = msg("Queued", part226); + + var msg253 = msg("Reading", dup64); + + var msg254 = msg("Registering", dup64); + + var part227 = match("MESSAGE#210:Registered", "nwparser.payload", "Registered session [%{fld12}] for IP [%{saddr}]", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg255 = 
msg("Registered", part227); + + var part228 = match("MESSAGE#219:Registered:02", "nwparser.payload", "Registered session for principal name [%{username}] for IP [%{saddr}]", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg256 = msg("Registered:02", part228); + + var select54 = linear_select([ + msg255, + msg256, + ]); + + var part229 = match("MESSAGE#211:Seeing", "nwparser.payload", "Seeing if %{saddr->} is a valid network node", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var msg257 = msg("Seeing", part229); + + var part230 = match("MESSAGE#212:Logging", "nwparser.payload", "Logging initialized. [Name = %{obj_name}] [Level = %{fld11}] [Timezone = %{fld12}]", processor_chain([ + dup20, + dup14, + dup15, + dup16, + ])); + + var msg258 = msg("Logging", part230); + + var msg259 = msg("Firefox", dup64); + + var msg260 = msg("nodes", dup64); + + var msg261 = msg("common", dup67); + + var msg262 = msg("jess.JessException:", dup67); + + var part231 = match("MESSAGE#218:Successfully", "nwparser.payload", "Successfully %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg263 = msg("Successfully", part231); + + var msg264 = msg("Establishing", dup61); + + var msg265 = msg("Response", dup61); + + var msg266 = msg("Auto-update", dup61); + + var msg267 = msg("Approved:03", dup61); + + var msg268 = msg("HHH000436:", dup61); + + var msg269 = msg("Staged", dup61); + + var msg270 = msg("Refreshing", dup61); + + var msg271 = msg("Activation", dup61); + + var msg272 = msg("Acknowledging", dup61); + + var msg273 = msg("Acknowledged", dup61); + + var msg274 = msg("Validating", dup61); + + var msg275 = msg("Patching", dup61); + + var msg276 = msg("JAR", dup61); + + var msg277 = msg("Destroying", dup61); + + var msg278 = msg("Invocation", dup61); + + var msg279 = msg("Using", dup61); + + var part232 = match("MESSAGE#243:Route:01", "nwparser.payload", "Route: %{fld1->} shutdown 
complete, %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg280 = msg("Route:01", part232); + + var part233 = match("MESSAGE#244:Route:02", "nwparser.payload", "Route: %{fld1->} started and consuming from: %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg281 = msg("Route:02", part233); + + var select55 = linear_select([ + msg280, + msg281, + ]); + + var msg282 = msg("Deploying", dup61); + + var msg283 = msg("Generating", dup61); + + var msg284 = msg("Staging", dup61); + + var msg285 = msg("Removing", dup61); + + var msg286 = msg("At", dup61); + + var msg287 = msg("An", dup61); + + var msg288 = msg("The", dup61); + + var msg289 = msg("Downloading", dup61); + + var msg290 = msg("Downloaded", dup61); + + var msg291 = msg("Restarting", dup61); + + var msg292 = msg("Requested", dup61); + + var part234 = match("MESSAGE#257:Freeing", "nwparser.payload", "Freeing session for principal name [%{username}]", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg293 = msg("Freeing", part234); + + var part235 = match("MESSAGE#258:Freeing:01", "nwparser.payload", "Freeing %{dclass_counter1->} current sessions.", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg294 = msg("Freeing:01", part235); + + var select56 = linear_select([ + msg293, + msg294, + ]); + + var part236 = match("MESSAGE#259:Kill", "nwparser.payload", "Kill session for principal name [%{username}]", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg295 = msg("Kill", part236); + + var part237 = match("MESSAGE#262:Created:01", "nwparser.payload", "Created temporary directory %(unknown)", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg296 = msg("Created:01", part237); + + var part238 = match("MESSAGE#331:Created:02", "nwparser.payload", "Created %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg297 = msg("Created:02", part238); + + var select57 = linear_select([ + 
msg296, + msg297, + ]); + + var part239 = match("MESSAGE#263:Product", "nwparser.payload", "Product Version: %{version}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg298 = msg("Product", part239); + + var part240 = match("MESSAGE#264:Current", "nwparser.payload", "Current directory: %(unknown)", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg299 = msg("Current", part240); + + var part241 = match("MESSAGE#308:Current:01", "nwparser.payload", "Current DB_VERSION = %{version}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg300 = msg("Current:01", part241); + + var select58 = linear_select([ + msg299, + msg300, + ]); + + var part242 = match("MESSAGE#266:Super", "nwparser.payload", "Super user: %{result}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg301 = msg("Super", part242); + + var part243 = match("MESSAGE#267:Computer", "nwparser.payload", "Computer name: %{hostname}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg302 = msg("Computer", part243); + + var part244 = match("MESSAGE#270:Operating", "nwparser.payload", "Operating system: %{os}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg303 = msg("Operating", part244); + + var part245 = match("MESSAGE#271:CPU", "nwparser.payload", "CPU speed: %{fld1}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg304 = msg("CPU", part245); + + var part246 = match("MESSAGE#272:Number", "nwparser.payload", "Number of CPUs: %{dclass_counter1}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg305 = msg("Number", part246); + + var part247 = match("MESSAGE#273:Total", "nwparser.payload", "Total %{fld1}: %{fld2}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg306 = msg("Total", part247); + + var part248 = match("MESSAGE#320:Total:02", "nwparser.payload", "Total %{dclass_counter1->} routes, of which %{dclass_counter2->} is started.", processor_chain([ + dup20, + dup14, + dup15, + ])); + + 
var msg307 = msg("Total:02", part248); + + var select59 = linear_select([ + msg306, + msg307, + ]); + + var part249 = match("MESSAGE#274:Available", "nwparser.payload", "Available %{fld1}: %{fld2}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg308 = msg("Available", part249); + + var part250 = match("MESSAGE#275:Disk", "nwparser.payload", "Disk space used by %{fld1}: %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg309 = msg("Disk", part250); + + var part251 = match("MESSAGE#276:JVM", "nwparser.payload", "JVM %{fld1}: %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg310 = msg("JVM", part251); + + var part252 = match("MESSAGE#277:Pausing", "nwparser.payload", "Pausing ProtocolHandler [%{info}]", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg311 = msg("Pausing", part252); + + var part253 = match("MESSAGE#278:Policy", "nwparser.payload", "Policy %{policyname->} replaces %{fld1}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg312 = msg("Policy", part253); + + var part254 = match("MESSAGE#420:Policy:01", "nwparser.payload", "Policy benchmark %{policyname->} in %{info->} with hash %{fld1->} is not valid builtin content and will not load.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Policy benchmark is not valid builtin content and will not load"), + ])); + + var msg313 = msg("Policy:01", part254); + + var select60 = linear_select([ + msg312, + msg313, + ]); + + var part255 = match("MESSAGE#279:Bulk", "nwparser.payload", "Bulk %{action->} %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg314 = msg("Bulk", part255); + + var part256 = match("MESSAGE#280:Importing", "nwparser.payload", "%{action->} %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg315 = msg("Importing", part256); + + var part257 = match("MESSAGE#281:Imported", "nwparser.payload", "%{action->} %{dclass_counter1->} new categories, categorized 
%{fld1->} vulnerabilities and %{fld2->} tags.", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg316 = msg("Imported", part257); + + var msg317 = msg("Imported:01", dup65); + + var select61 = linear_select([ + msg316, + msg317, + ]); + + var part258 = match("MESSAGE#283:Compiling", "nwparser.payload", "Compiling %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg318 = msg("Compiling", part258); + + var part259 = match("MESSAGE#284:Vulnerability", "nwparser.payload", "Vulnerability %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg319 = msg("Vulnerability", part259); + + var part260 = match("MESSAGE#285:Truncating", "nwparser.payload", "Truncating %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg320 = msg("Truncating", part260); + + var part261 = match("MESSAGE#286:Synchronizing", "nwparser.payload", "Synchronizing %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg321 = msg("Synchronizing", part261); + + var part262 = match("MESSAGE#287:Parsing", "nwparser.payload", "Parsing %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg322 = msg("Parsing", part262); + + var part263 = match("MESSAGE#288:Remapping", "nwparser.payload", "Remapping %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg323 = msg("Remapping", part263); + + var part264 = match("MESSAGE#289:Remapped", "nwparser.payload", "Started: %{fld1}] [Duration: %{fld2}] Remapped %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg324 = msg("Remapped", part264); + + var part265 = match("MESSAGE#290:Database", "nwparser.payload", "Started: %{fld1}] [Duration: %{fld2}] Database %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg325 = msg("Database", part265); + + var part266 = match("MESSAGE#428:Database:01", "nwparser.payload", "Database %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg326 = msg("Database:01", part266); + + var 
select62 = linear_select([ + msg325, + msg326, + ]); + + var part267 = match("MESSAGE#292:Accepting", "nwparser.payload", "Accepting %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg327 = msg("Accepting", part267); + + var part268 = match("MESSAGE#293:VERSION:03", "nwparser.payload", "VERSION %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg328 = msg("VERSION:03", part268); + + var part269 = match("MESSAGE#294:Detected", "nwparser.payload", "Detected %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg329 = msg("Detected", part269); + + var part270 = match("MESSAGE#295:Telling", "nwparser.payload", "Telling %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg330 = msg("Telling", part270); + + var part271 = match("MESSAGE#298:Stopping", "nwparser.payload", "Stopping %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg331 = msg("Stopping", part271); + + var part272 = match("MESSAGE#299:removing", "nwparser.payload", "removing %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg332 = msg("removing", part272); + + var part273 = match("MESSAGE#300:Enabling", "nwparser.payload", "Enabling %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg333 = msg("Enabling", part273); + + var part274 = match("MESSAGE#301:Granting", "nwparser.payload", "Granting %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg334 = msg("Granting", part274); + + var part275 = match("MESSAGE#302:Version", "nwparser.payload", "Version %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg335 = msg("Version", part275); + + var part276 = match("MESSAGE#303:Configuring", "nwparser.payload", "Configuring %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg336 = msg("Configuring", part276); + + var part277 = match("MESSAGE#305:Scheduler", "nwparser.payload", "Scheduler %{info}", processor_chain([ 
+ dup20, + dup14, + dup15, + ])); + + var msg337 = msg("Scheduler", part277); + + var part278 = match("MESSAGE#341:Scheduler:01", "nwparser.payload", "Silo: %{fld1}] [Started: %{fld2}] [Duration: %{fld3}] Scheduler started.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Scheduler started"), + ])); + + var msg338 = msg("Scheduler:01", part278); + + var part279 = match("MESSAGE#429:Scheduler:02", "nwparser.payload", "%{fld1}: %{fld2}] Scheduler %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg339 = msg("Scheduler:02", part279); + + var select63 = linear_select([ + msg337, + msg338, + msg339, + ]); + + var part280 = match("MESSAGE#306:PostgreSQL", "nwparser.payload", "PostgreSQL %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg340 = msg("PostgreSQL", part280); + + var part281 = match("MESSAGE#307:Cleaning", "nwparser.payload", "Cleaning %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg341 = msg("Cleaning", part281); + + var part282 = match("MESSAGE#462:Cleaning:01", "nwparser.payload", "%{fld1}] [%{fld2}] [%{fld3}] [%{fld4}] Cleaning up sub-scan results.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Cleaning up sub-scan results"), + ])); + + var msg342 = msg("Cleaning:01", part282); + + var select64 = linear_select([ + msg341, + msg342, + ]); + + var part283 = match("MESSAGE#309:Installed:01/0", "nwparser.payload", "Installed DB%{p0}"); + + var part284 = match("MESSAGE#309:Installed:01/1_0", "nwparser.p0", "_VERSION after upgrade%{p0}"); + + var part285 = match("MESSAGE#309:Installed:01/1_1", "nwparser.p0", " VERSION %{p0}"); + + var select65 = linear_select([ + part284, + part285, + ]); + + var part286 = match("MESSAGE#309:Installed:01/2", "nwparser.p0", "%{}= %{version}"); + + var all19 = all_match({ + processors: [ + part283, + select65, + part286, + ], + on_success: processor_chain([ + dup20, + dup14, + dup15, + ]), + }); + + var msg343 = 
msg("Installed:01", all19); + + var part287 = match("MESSAGE#310:Inserted", "nwparser.payload", "Inserted %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg344 = msg("Inserted", part287); + + var part288 = match("MESSAGE#313:Deleted", "nwparser.payload", "Started: %{fld1}] [Duration: %{fld2}] Deleted %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg345 = msg("Deleted", part288); + + var msg346 = msg("Default", dup66); + + var msg347 = msg("Apache", dup66); + + var msg348 = msg("JMX", dup66); + + var msg349 = msg("AllowUseOriginalMessage", dup66); + + var part289 = match("MESSAGE#321:Initialized", "nwparser.payload", "Initialized PolicyCheckService with %{dclass_counter1->} benchmarks, containing %{fld1->} policies. The total check count is %{dclass_counter2}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg350 = msg("Initialized", part289); + + var part290 = match("MESSAGE#322:Initialized:01", "nwparser.payload", "Initialized %{dclass_counter1->} policy benchmarks in total.", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg351 = msg("Initialized:01", part290); + + var part291 = match("MESSAGE#379:Initialized_Scheduler", "nwparser.payload", "Initialized Scheduler Signaller of type: %{obj_type->} %{obj_name}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Initialized Scheduler Signaller"), + ])); + + var msg352 = msg("Initialized_Scheduler", part291); + + var select66 = linear_select([ + msg350, + msg351, + msg352, + ]); + + var msg353 = msg("Error", dup66); + + var part292 = match("MESSAGE#324:Graceful", "nwparser.payload", "Graceful shutdown of %{dclass_counter1->} routes completed in %{dclass_counter2->} seconds", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg354 = msg("Graceful", part292); + + var msg355 = msg("StreamCaching", dup61); + + var msg356 = msg("Local", dup66); + + var part293 = match("MESSAGE#329:DB_VERSION", "nwparser.payload", "DB_VERSION = 
%{version}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg357 = msg("DB_VERSION", part293); + + var part294 = match("MESSAGE#330:Populating", "nwparser.payload", "Populating %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg358 = msg("Populating", part294); + + var part295 = match("MESSAGE#332:EventLog", "nwparser.payload", "EventLog %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg359 = msg("EventLog", part295); + + var part296 = match("MESSAGE#333:Making", "nwparser.payload", "Making %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg360 = msg("Making", part296); + + var part297 = match("MESSAGE#334:Setting", "nwparser.payload", "Setting %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg361 = msg("Setting", part297); + + var part298 = match("MESSAGE#335:initdb", "nwparser.payload", "initdb %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg362 = msg("initdb", part298); + + var part299 = match("MESSAGE#336:Verifying", "nwparser.payload", "Verifying %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg363 = msg("Verifying", part299); + + var msg364 = msg("OS", dup66); + + var part300 = match("MESSAGE#338:Benchmark", "nwparser.payload", "Benchmark %{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg365 = msg("Benchmark", part300); + + var part301 = match("MESSAGE#339:Report:01", "nwparser.payload", "Report Config ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup29, + dup54, + dup16, + ])); + + var msg366 = msg("Report:01", part301); + + var part302 = match("MESSAGE#340:Report", "nwparser.payload", "Report Config ID: %{fld1}] %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup29, + dup54, + dup16, + ])); + + var msg367 = msg("Report", part302); + + var select67 = linear_select([ + msg366, + 
msg367, + ]); + + var part303 = match("MESSAGE#342:Cannot_preload", "nwparser.payload", "Engine ID: %{fld1}] [Engine Name: %{fld2}] Cannot preload incremental pool with a connection %{fld3}", processor_chain([ + dup53, + dup14, + dup15, + dup55, + ])); + + var msg368 = msg("Cannot_preload", part303); + + var part304 = match("MESSAGE#343:Cannot_preload:01", "nwparser.payload", "Cannot preload incremental pool with a connection%{fld3}", processor_chain([ + dup53, + dup14, + dup15, + dup55, + ])); + + var msg369 = msg("Cannot_preload:01", part304); + + var select68 = linear_select([ + msg368, + msg369, + ]); + + var part305 = match("MESSAGE#349:ERROR:02", "nwparser.payload", "ERROR: syntax error at or near \"%{fld1}\"", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Syntax error"), + ])); + + var msg370 = msg("ERROR:02", part305); + + var part306 = match("MESSAGE#350:QuartzRepeaterBuilder", "nwparser.payload", "QuartzRepeaterBuilder failed to add schedule to ScanConfig: null%{}", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","QuartzRepeaterBuilder failed to add schedule"), + ])); + + var msg371 = msg("QuartzRepeaterBuilder", part306); + + var part307 = match("MESSAGE#351:Backing_up", "nwparser.payload", "Backing up %{event_source}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Backing up"), + ])); + + var msg372 = msg("Backing_up", part307); + + var part308 = match("MESSAGE#352:Not_configured", "nwparser.payload", "com.rapid.nexpose.scanpool.stateInterval is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid.nexpose.scanpool.stateInterval is not configured"), + ])); + + var msg373 = msg("Not_configured", part308); + + var part309 = match("MESSAGE#353:Not_configured:01", "nwparser.payload", "com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout is not configured - returning default value 
%{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout is not configured"), + ])); + + var msg374 = msg("Not_configured:01", part309); + + var part310 = match("MESSAGE#354:Not_configured:02", "nwparser.payload", "com.rapid7.nexpose.comms.clientConnectionProvider.getConnectionTimeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.comms.clientConnectionProvider.getConnectionTimeout is not configured"), + ])); + + var msg375 = msg("Not_configured:02", part310); + + var part311 = match("MESSAGE#355:Not_configured:03", "nwparser.payload", "com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured"), + ])); + + var msg376 = msg("Not_configured:03", part311); + + var part312 = match("MESSAGE#356:Not_configured:04", "nwparser.payload", "com.rapid7.nexpose.datastore.eviction.connection.threadIdleTimeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.datastore.eviction.connection.threadIdleTimeout is not configured"), + ])); + + var msg377 = msg("Not_configured:04", part312); + + var part313 = match("MESSAGE#357:Not_configured:05", "nwparser.payload", "com.rapid7.nexpose.nsc.dbcc is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.dbcc is not configured"), + ])); + + var msg378 = msg("Not_configured:05", part313); + + var part314 = match("MESSAGE#358:Not_configured:06", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.maximumCorePoolSize is not 
configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.maximumCorePoolSize is not configured"), + ])); + + var msg379 = msg("Not_configured:06", part314); + + var part315 = match("MESSAGE#359:Not_configured:07", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.minimumCorePoolSize is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.minimumCorePoolSize is not configured"), + ])); + + var msg380 = msg("Not_configured:07", part315); + + var part316 = match("MESSAGE#360:Not_configured:08", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.monitorCorePoolSizeIncreaseOnSaturation is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.monitorCorePoolSizeIncreaseOnSaturation is not configured"), + ])); + + var msg381 = msg("Not_configured:08", part316); + + var part317 = match("MESSAGE#361:Not_configured:09", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.monitorEnabled is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.monitorEnabled is not configured"), + ])); + + var msg382 = msg("Not_configured:09", part317); + + var part318 = match("MESSAGE#362:Not_configured:10", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.monitorInterval is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.monitorInterval is not configured"), + ])); + + var msg383 = msg("Not_configured:10", part318); + + var part319 = 
match("MESSAGE#363:Not_configured:11", "nwparser.payload", "com.rapid7.nexpose.nse.nscClient.connectTimeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nse.nscClient.connectTimeout is not configured"), + ])); + + var msg384 = msg("Not_configured:11", part319); + + var part320 = match("MESSAGE#364:Not_configured:12", "nwparser.payload", "com.rapid7.nexpose.nse.nscClient.readTimeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nse.nscClient.readTimeout is not configured"), + ])); + + var msg385 = msg("Not_configured:12", part320); + + var part321 = match("MESSAGE#365:Not_configured:13", "nwparser.payload", "com.rapid7.nexpose.reportGenerator.assetCollectionUpdateTimeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.reportGenerator.assetCollectionUpdateTimeout is not configured"), + ])); + + var msg386 = msg("Not_configured:13", part321); + + var part322 = match("MESSAGE#366:Not_configured:14", "nwparser.payload", "com.rapid7.nexpose.scan.consolidation.delay is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.consolidation.delay is not configured"), + ])); + + var msg387 = msg("Not_configured:14", part322); + + var part323 = match("MESSAGE#367:Not_configured:15", "nwparser.payload", "com.rapid7.nexpose.scan.lifecyclemonitor.delay is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.lifecyclemonitor.delay is not configured"), + ])); + + var msg388 = msg("Not_configured:15", part323); + + var part324 = match("MESSAGE#368:Not_configured:16", 
"nwparser.payload", "com.rapid7.nexpose.scan.usescanpool is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.usescanpool is not configured"), + ])); + + var msg389 = msg("Not_configured:16", part324); + + var part325 = match("MESSAGE#369:Not_configured:17", "nwparser.payload", "com.rapid7.nsc.workflow.timeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nsc.workflow.timeout is not configured"), + ])); + + var msg390 = msg("Not_configured:17", part325); + + var part326 = match("MESSAGE#370:Delivered", "nwparser.payload", "Delivered mail to %{to}: %{fld1->} %{fld2->} %{mail_id->} [InternalId=%{fld3}] Queued mail for delivery", processor_chain([ + dup56, + dup14, + dup15, + setc("action","Queued mail for delivery"), + ])); + + var msg391 = msg("Delivered", part326); + + var part327 = match("MESSAGE#371:Engine_update", "nwparser.payload", "Engine update thread pool shutting down.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Engine update thread pool shutting down"), + ])); + + var msg392 = msg("Engine_update", part327); + + var part328 = match("MESSAGE#372:Freed_triggers", "nwparser.payload", "Freed %{fld1->} triggers from 'acquired' / 'blocked' state.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Freed triggers from 'acquired' / 'blocked' state"), + ])); + + var msg393 = msg("Freed_triggers", part328); + + var part329 = match("MESSAGE#374:Upgrade_completed", "nwparser.payload", "PG Upgrade has completed succesfully%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Upgrade has completed succesfully"), + ])); + + var msg394 = msg("Upgrade_completed", part329); + + var part330 = match("MESSAGE#375:PG", "nwparser.payload", "%{fld1}: %{process->} %{param}", processor_chain([ + dup20, + dup14, + dup15, + ])); 
+ + var msg395 = msg("PG", part330); + + var select69 = linear_select([ + msg394, + msg395, + ]); + + var part331 = match("MESSAGE#376:DEFAULT_SCHEDULER", "nwparser.payload", "DEFAULT SCHEDULER: %{obj_name}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","DEFAULT SCHEDULER"), + ])); + + var msg396 = msg("DEFAULT_SCHEDULER", part331); + + var part332 = match("MESSAGE#377:Context_loader", "nwparser.payload", "Context loader config file is jar:file:%(unknown)", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Context loader config file"), + ])); + + var msg397 = msg("Context_loader", part332); + + var part333 = match("MESSAGE#378:Copied_file", "nwparser.payload", "Copied %{filename->} file from %{directory->} to %{info}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Copied file"), + ])); + + var msg398 = msg("Copied_file", part333); + + var part334 = match("MESSAGE#380:Java", "nwparser.payload", "Java HotSpot(TM) %{info}", processor_chain([ + dup20, + dup15, + setc("event_description","Console VM version"), + ])); + + var msg399 = msg("Java", part334); + + var part335 = match("MESSAGE#381:Changing", "nwparser.payload", "Changing permissions of %{obj_type->} '%{obj_name}' to %{change_new}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Changing permissions"), + ])); + + var msg400 = msg("Changing", part335); + + var part336 = match("MESSAGE#382:Changing:01", "nwparser.payload", "Changing the new database AUTH method to %{change_new}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Changing new database AUTH method"), + ])); + + var msg401 = msg("Changing:01", part336); + + var select70 = linear_select([ + msg400, + msg401, + ]); + + var part337 = match("MESSAGE#383:Job_execution", "nwparser.payload", "Job execution threads will use class loader of thread: %{info}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Job execution threads will use 
class loader"), + ])); + + var msg402 = msg("Job_execution", part337); + + var part338 = match("MESSAGE#384:Initialized:02", "nwparser.payload", "JobStoreCMT initialized.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","JobStoreCMT initialized"), + ])); + + var msg403 = msg("Initialized:02", part338); + + var part339 = match("MESSAGE#385:Initialized:03", "nwparser.payload", "Quartz scheduler '%{obj_name}' %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Quartz scheduler initialized"), + ])); + + var msg404 = msg("Initialized:03", part339); + + var part340 = match("MESSAGE#386:Created:03", "nwparser.payload", "Quartz Scheduler %{version->} created.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Quartz Scheduler created."), + ])); + + var msg405 = msg("Created:03", part340); + + var part341 = match("MESSAGE#387:Scheduler_version", "nwparser.payload", "Quartz scheduler version: %{version}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg406 = msg("Scheduler_version", part341); + + var select71 = linear_select([ + msg404, + msg405, + msg406, + ]); + + var part342 = match("MESSAGE#388:Recovering", "nwparser.payload", "Recovering %{fld1->} %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Recovering jobs"), + ])); + + var msg407 = msg("Recovering", part342); + + var part343 = match("MESSAGE#389:Recovery", "nwparser.payload", "Recovery complete.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Recovery"), + setc("disposition","Complete"), + ])); + + var msg408 = msg("Recovery", part343); + + var part344 = match("MESSAGE#390:Removed", "nwparser.payload", "Removed %{fld1->} 'complete' triggers.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Removed triggers"), + ])); + + var msg409 = msg("Removed", part344); + + var part345 = match("MESSAGE#391:Removed:01", "nwparser.payload", "Removed %{fld1->} stale fired 
job entries.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Removed job entries"), + ])); + + var msg410 = msg("Removed:01", part345); + + var select72 = linear_select([ + msg409, + msg410, + ]); + + var part346 = match("MESSAGE#392:Restoring", "nwparser.payload", "%{action}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg411 = msg("Restoring", part346); + + var part347 = match("MESSAGE#393:Upgrading", "nwparser.payload", "Upgrading database%{fld1}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Upgrading database"), + ])); + + var msg412 = msg("Upgrading", part347); + + var part348 = match("MESSAGE#394:Exploits", "nwparser.payload", "Exploits are up to date.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Exploits are up to date"), + ])); + + var msg413 = msg("Exploits", part348); + + var part349 = match("MESSAGE#395:Failure", "nwparser.payload", "Failure communicating with NSE @ %{dhost}:%{dport}.", processor_chain([ + dup53, + dup49, + dup27, + dup14, + dup15, + setc("event_description","Failure communicating with NSE"), + ])); + + var msg414 = msg("Failure", part349); + + var part350 = match("MESSAGE#396:Renamed", "nwparser.payload", "Renamed %{filename->} to %{info}", processor_chain([ + dup20, + dup57, + dup22, + dup14, + dup15, + ])); + + var msg415 = msg("Renamed", part350); + + var part351 = match("MESSAGE#397:Reinitializing", "nwparser.payload", "Reinitializing web server for maintenance mode...%{}", processor_chain([ + dup20, + dup57, + dup22, + dup14, + dup15, + setc("event_description","Reinitializing web server for maintenance mode"), + ])); + + var msg416 = msg("Reinitializing", part351); + + var part352 = match("MESSAGE#398:Replaced", "nwparser.payload", "Replaced %{change_old->} values from %{filename->} file with new auth method: %{change_new}.", processor_chain([ + dup20, + dup57, + dup22, + dup14, + dup15, + dup58, + ])); + + var msg417 = msg("Replaced", part352); + 
+ var part353 = match("MESSAGE#399:Replaced:01", "nwparser.payload", "Replaced %{change_old->} values from %{filename->} with new setting values", processor_chain([ + dup20, + dup57, + dup22, + dup14, + dup15, + dup58, + ])); + + var msg418 = msg("Replaced:01", part353); + + var select73 = linear_select([ + msg417, + msg418, + ]); + + var part354 = match("MESSAGE#400:System", "nwparser.payload", "System is running low on memory: %{fld1}MB total (%{fld2}MB free)", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","System is running low on memory"), + ])); + + var msg419 = msg("System", part354); + + var part355 = match("MESSAGE#401:System:01", "nwparser.payload", "%{info}", processor_chain([ + dup20, + dup14, + dup15, + dup30, + dup31, + dup32, + dup33, + ])); + + var msg420 = msg("System:01", part355); + + var select74 = linear_select([ + msg419, + msg420, + ]); + + var part356 = match("MESSAGE#402:Analyzing", "nwparser.payload", "Analyzing the database.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Analyzing the database"), + ])); + + var msg421 = msg("Analyzing", part356); + + var part357 = match("MESSAGE#403:Connection", "nwparser.payload", "Connection to the new database was successful. 
%{action}.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Connection to the new database was successful"), + ])); + + var msg422 = msg("Connection", part357); + + var part358 = match("MESSAGE#404:Handling", "nwparser.payload", "Handling %{fld1->} trigger(s) that missed their scheduled fire-time.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Handling trigger(s) that missed their scheduled fire-time"), + ])); + + var msg423 = msg("Handling", part358); + + var part359 = match("MESSAGE#406:LDAP", "nwparser.payload", "LDAP authentication requires resolution%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","LDAP authentication requires resolution"), + ])); + + var msg424 = msg("LDAP", part359); + + var part360 = match("MESSAGE#407:Maintenance", "nwparser.payload", "Maintenance Task Started%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Maintenance Task Started"), + ])); + + var msg425 = msg("Maintenance", part360); + + var msg426 = msg("Migration", dup61); + + var msg427 = msg("Mobile", dup68); + + var msg428 = msg("ConsoleScanImporter", dup68); + + var part361 = match("MESSAGE#421:Postgres:01", "nwparser.payload", "%{event_description}. Cleaning up. 
%{directory}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Cleaning up"), + ])); + + var msg429 = msg("Postgres:01", part361); + + var part362 = match("MESSAGE#422:Succesfully", "nwparser.payload", "Succesfully %{event_description->} to %{dport}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg430 = msg("Succesfully", part362); + + var part363 = match("MESSAGE#423:Unzipped", "nwparser.payload", "%{action->} %{fld1->} bytes into %{directory}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg431 = msg("Unzipped", part363); + + var part364 = match("MESSAGE#424:vacuumdb", "nwparser.payload", "%{process->} executed with a return value of %{resultcode}.", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg432 = msg("vacuumdb", part364); + + var part365 = match("MESSAGE#425:Processed_vuln", "nwparser.payload", "Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Processed vuln check types for %{fld5->} vuln checks.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Processed vuln check types"), + ])); + + var msg433 = msg("Processed_vuln", part365); + + var part366 = match("MESSAGE#430:Reflections", "nwparser.payload", "Reflections %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var msg434 = msg("Reflections", part366); + + var part367 = match("MESSAGE#431:CorrelationAttributes", "nwparser.payload", "0.16: %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg435 = msg("CorrelationAttributes", part367); + + var part368 = match("MESSAGE#432:CorrelationAttributes:01", "nwparser.payload", "0.49: %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg436 = msg("CorrelationAttributes:01", part368); + + var part369 = match("MESSAGE#433:CorrelationAttributes:02", "nwparser.payload", "0.245: %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg437 = msg("CorrelationAttributes:02", part369); + + var part370 = 
match("MESSAGE#434:CorrelationAttributes:03", "nwparser.payload", "0.325: %{info}", processor_chain([ + dup20, + dup15, + ])); + + var msg438 = msg("CorrelationAttributes:03", part370); + + var msg439 = msg("ConsoleProductInfoProvider", dup69); + + var msg440 = msg("NSXAssetEventHandler", dup69); + + var msg441 = msg("ProductNotificationService", dup69); + + var msg442 = msg("AssetEventHandler", dup69); + + var msg443 = msg("SiteEventHandler", dup69); + + var msg444 = msg("UserEventHandler", dup69); + + var msg445 = msg("VulnerabilityExceptionEventHandler", dup69); + + var msg446 = msg("TagEventHandler", dup69); + + var msg447 = msg("AssetGroupEventHandler", dup69); + + var msg448 = msg("ScanEventHandler", dup69); + + var part371 = match("MESSAGE#445:Not_configured:18", "nwparser.payload", "com.rapid7.nexpose.nsc.critical.task.executor.core.thread.pool.size is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.critical.task.executor.core.thread.pool.size is not configured"), + ])); + + var msg449 = msg("Not_configured:18", part371); + + var part372 = match("MESSAGE#446:Not_configured:19", "nwparser.payload", "com.rapid7.nexpose.nsc.scan.multiengine.scanHaltTimeoutMilliSecond is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scan.multiengine.scanHaltTimeoutMilliSecond is not configured"), + ])); + + var msg450 = msg("Not_configured:19", part372); + + var part373 = match("MESSAGE#447:Not_configured:20", "nwparser.payload", "com.rapid7.nexpose.nsc.scan.scan.event.monitor.poll.duration is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scan.scan.event.monitor.poll.duration is not configured"), + ])); + + var msg451 = msg("Not_configured:20", part373); + + var part374 = 
match("MESSAGE#448:Not_configured:21", "nwparser.payload", "com.rapid7.nexpose.nse.excludedFileSystems is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nse.excludedFileSystems is not configured"), + ])); + + var msg452 = msg("Not_configured:21", part374); + + var part375 = match("MESSAGE#449:Not_configured:22", "nwparser.payload", "com.rapid7.nexpose.scan.logCPUMemoryToMemLog.enable is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.logCPUMemoryToMemLog.enable is not configured"), + ])); + + var msg453 = msg("Not_configured:22", part375); + + var part376 = match("MESSAGE#450:Not_configured:23", "nwparser.payload", "com.rapid7.nexpose.scan.logMemory.interval is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.logMemory.interval is not configured"), + ])); + + var msg454 = msg("Not_configured:23", part376); + + var part377 = match("MESSAGE#451:Not_configured:24", "nwparser.payload", "com.rapid7.nexpose.scan.monitor.numberSavedAssetDurations is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.monitor.numberSavedAssetDurations is not configured"), + ])); + + var msg455 = msg("Not_configured:24", part377); + + var part378 = match("MESSAGE#452:Not_configured:25", "nwparser.payload", "com.rapid7.scan.perTestDurationLogging is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.scan.perTestDurationLogging is not configured"), + ])); + + var msg456 = msg("Not_configured:25", part378); + + var part379 = match("MESSAGE#453:Not_configured:26", "nwparser.payload", 
"com.rapid7.thread.threadPoolNonBlockingOpsProviderParallelism is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.thread.threadPoolNonBlockingOpsProviderParallelism is not configured"), + ])); + + var msg457 = msg("Not_configured:26", part379); + + var part380 = match("MESSAGE#454:Not_configured:27", "nwparser.payload", "com.rapid7.nexpose.nsc.critical.task.executor.max.thread.pool.size is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.critical.task.executor.max.thread.pool.size is not configured"), + ])); + + var msg458 = msg("Not_configured:27", part380); + + var part381 = match("MESSAGE#455:Spring", "nwparser.payload", "%{process->} detected on classpath: [%{fld2}]", processor_chain([ + dup20, + dup14, + dup15, + setc("action","detected"), + ])); + + var msg459 = msg("Spring", part381); + + var part382 = match("MESSAGE#456:Storing", "nwparser.payload", "%{fld1}] [%{fld2}] Storing scan details for %{event_type}.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Storing scan details"), + ])); + + var msg460 = msg("Storing", part382); + + var part383 = match("MESSAGE#457:Clearing", "nwparser.payload", "Clearing object tracker after %{dclass_counter1->} hits and %{dclass_counter2->} misses.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Clearing object tracker"), + ])); + + var msg461 = msg("Clearing", part383); + + var part384 = match("MESSAGE#458:All", "nwparser.payload", "%{fld1}] [%{fld2}] All scan engines are up to date.", processor_chain([ + dup20, + dup14, + dup15, + setc("result","All scan engines are up to date"), + ])); + + var msg462 = msg("All", part384); + + var part385 = match("MESSAGE#459:New", "nwparser.payload", "New Provider %{audit_object->} discovered.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","New 
Provider discovered"), + ])); + + var msg463 = msg("New", part385); + + var part386 = match("MESSAGE#463:Session", "nwparser.payload", "%{fld1}] [%{fld2}] [%{fld3}] Session created.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Session created"), + ])); + + var msg464 = msg("Session", part386); + + var part387 = match("MESSAGE#464:Debug", "nwparser.payload", "Debug logging is not enabled for this scan.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Debug logging is not enabled"), + ])); + + var msg465 = msg("Debug", part387); + + var msg466 = msg("Debug:01", dup61); + + var select75 = linear_select([ + msg465, + msg466, + ]); + + var part388 = match("MESSAGE#466:ACES", "nwparser.payload", "ACES logging is not enabled.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","ACES logging is not enabled"), + ])); + + var msg467 = msg("ACES", part388); + + var msg468 = msg("ACES:01", dup61); + + var select76 = linear_select([ + msg467, + msg468, + ]); + + var part389 = match("MESSAGE#468:Invulnerable", "nwparser.payload", "Invulnerable Data Storage is on.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Invulnerable Data Storage is on"), + ])); + + var msg469 = msg("Invulnerable", part389); + + var part390 = match("MESSAGE#469:Nmap", "nwparser.payload", "Nmap ARP Ping for local networks%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Nmap ARP Ping for local networks"), + ])); + + var msg470 = msg("Nmap", part390); + + var part391 = match("MESSAGE#470:Nmap:01", "nwparser.payload", "%{event_description}", processor_chain([ + setc("eventcategory","1801000000"), + dup14, + dup15, + ])); + + var msg471 = msg("Nmap:01", part391); + + var select77 = linear_select([ + msg470, + msg471, + ]); + + var part392 = match("MESSAGE#471:Cause/0_0", "nwparser.payload", "Authentication %{result->} for principal %{fld}] %{info}"); + + var part393 = 
match("MESSAGE#471:Cause/0_1", "nwparser.payload", " %{result}] %{info}"); + + var select78 = linear_select([ + part392, + part393, + ]); + + var all20 = all_match({ + processors: [ + select78, + ], + on_success: processor_chain([ + setc("eventcategory","1301000000"), + dup14, + dup15, + ]), + }); + + var msg472 = msg("Cause", all20); + + var part394 = match("MESSAGE#472:NEXPOSE_GENERIC", "nwparser.payload", "%{fld1}", processor_chain([ + setc("eventcategory","1901000000"), + dup15, + ])); + + var msg473 = msg("NEXPOSE_GENERIC", part394); + + var chain1 = processor_chain([ + select4, + msgid_select({ + "0.16": msg435, + "0.245": msg437, + "0.325": msg438, + "0.49": msg436, + "A": msg235, + "ACES": select76, + "Accepting": msg327, + "Acknowledged": msg273, + "Acknowledging": msg272, + "Activation": msg271, + "Adding": select25, + "Administrative": select49, + "Advertising": msg217, + "All": msg462, + "AllowUseOriginalMessage": msg349, + "An": msg287, + "Analyzing": msg421, + "Apache": msg347, + "Applying": msg164, + "Approved": msg267, + "Asserting": select28, + "AssetEventHandler": msg442, + "AssetGroupEventHandler": msg447, + "At": msg286, + "Attempting": select26, + "Authenticated": msg85, + "Authentication": select23, + "Auto-update": msg266, + "Available": msg308, + "Backing": msg372, + "Benchmark": msg365, + "Bulk": msg314, + "CIFS": msg203, + "CPU": msg304, + "CSIDL_SYSTEM": msg209, + "CSIDL_SYSTEMX86": msg208, + "Cached:": msg204, + "Cannot": select68, + "Cataloged": msg103, + "Cause": msg472, + "Changing": select70, + "CheckProcessor:": msg248, + "Checking": select41, + "Cleaning": select64, + "Clearing": msg461, + "Closing": select39, + "Compiling": msg318, + "Completed": select40, + "Computer": msg302, + "Configuring": msg336, + "Connection": msg422, + "Console": select12, + "ConsoleProductInfoProvider": msg439, + "ConsoleScanImporter": msg428, + "Context": msg397, + "Copied": msg398, + "Could": msg125, + "Created": select57, + "Creating": msg240, + 
"Current": select58, + "DB_VERSION": msg357, + "DEFAULT": msg396, + "DNS": msg172, + "Database": select62, + "Debug": select75, + "Default": msg346, + "Deleted": msg345, + "Delivered": msg391, + "Deploying": msg282, + "Destroying": msg277, + "Detected": msg329, + "Determining": select29, + "Disk": msg309, + "Done": select17, + "Downloaded": msg290, + "Downloading": msg289, + "Dumping": msg104, + "ERROR": select7, + "ERROR:": msg370, + "Enabling": msg333, + "Engine": msg392, + "Enumerating": msg205, + "Error": msg353, + "Establishing": msg264, + "EventLog": msg359, + "Exchange": msg211, + "Executing": select48, + "Exploits": msg413, + "ExtMgr": select8, + "FTP": msg149, + "Failed": msg112, + "Failure": msg414, + "Finished": select53, + "Firefox": msg259, + "Flash": msg183, + "Form": msg105, + "Found": select33, + "Freed": msg393, + "Freeing": select56, + "Generating": msg283, + "Getting": msg190, + "Got": msg156, + "Graceful": msg354, + "Granting": msg334, + "HHH000436:": msg268, + "Handling": msg423, + "Host": select42, + "IE": msg192, + "IP": msg218, + "Imported": select61, + "Importing": msg315, + "Inconsistency": msg83, + "Initialized": select66, + "Initializing": select51, + "Inserted": msg344, + "Installed": msg343, + "Installing": select37, + "Interrupted,": msg47, + "Invocation": msg278, + "Invulnerable": msg469, + "JAR": msg276, + "JMX": msg348, + "JRE": msg179, + "JVM": msg310, + "Java": msg399, + "Job": msg402, + "JobStoreCMT": msg403, + "Kill": msg295, + "LDAP": msg424, + "Listing": msg189, + "Loaded": select52, + "Loading": msg241, + "Local": msg356, + "Locating": msg249, + "Logging": msg258, + "MDAC": msg181, + "Maintenance": msg425, + "Making": msg360, + "Microsoft": msg180, + "Migration": msg426, + "Mobile": msg427, + "NEXPOSE_GENERIC": msg473, + "NOT_VULNERABLE": select5, + "NOT_VULNERABLE_VERSION": msg1, + "NSE": select11, + "NSXAssetEventHandler": msg440, + "Name": msg182, + "New": msg463, + "Nexpose": select13, + "Nmap": select77, + "No": 
select35, + "Number": msg305, + "OS": msg364, + "Operating": msg303, + "PG": select69, + "Parsed": msg178, + "Parsing": msg322, + "Patching": msg275, + "Pausing": msg311, + "Performing": select20, + "Policy": select60, + "Populating": msg358, + "PostgreSQL": msg340, + "Postgres": msg429, + "Preparing": msg67, + "Processed": msg433, + "Processing": msg97, + "Product": msg298, + "ProductNotificationService": msg441, + "ProtocolFper": msg31, + "Quartz": select71, + "QuartzRepeaterBuilder": msg371, + "Queued": msg252, + "Queueing": select18, + "Reading": msg253, + "Recovering": msg407, + "Recovery": msg408, + "Recursively": select27, + "Reflections": msg434, + "Refreshing": msg270, + "Registered": select54, + "Registering": msg254, + "Reinitializing": msg416, + "Relaunching": msg106, + "Remapped": msg324, + "Remapping": msg323, + "Removed": select72, + "Removing": msg285, + "Renamed": msg415, + "Replaced": select73, + "Report": select67, + "Requested": msg292, + "Resolving": msg171, + "Response": msg265, + "Restarting": msg291, + "Restoring": msg411, + "Retrieved": msg202, + "Retrieving": msg155, + "Rewrote": msg65, + "Route:": select55, + "Running": select30, + "SPIDER": msg66, + "SPIDER-XSS": msg96, + "SQL": msg212, + "Scan": select22, + "ScanEventHandler": msg448, + "ScanMgr": select9, + "Scanning": msg173, + "Scheduler": select63, + "Searching": msg109, + "Security": select15, + "Seeing": msg257, + "Sending": msg118, + "Service": select32, + "Session": msg464, + "Setting": msg361, + "Shutdown": msg49, + "Shutting": msg46, + "Site": msg84, + "SiteEventHandler": msg443, + "Skipping": msg184, + "Spring": msg459, + "Staged": msg269, + "Staging": msg284, + "Started": select47, + "Starting": select34, + "Stopping": msg331, + "Storing": msg460, + "StreamCaching": msg355, + "Succesfully": msg430, + "Successfully": msg263, + "Super": msg301, + "Synchronizing": msg321, + "System": select74, + "SystemFingerprint": msg108, + "TCP": msg250, + "TCPSocket": msg110, + 
"TagEventHandler": msg446, + "Telling": msg330, + "The": msg288, + "Total": select59, + "Truncating": msg320, + "Trusted": msg121, + "Trying": msg64, + "UDP": msg251, + "Unzipped": msg431, + "Update": select36, + "Updated": select46, + "Updating": select43, + "Upgrading": msg412, + "User": select24, + "UserEventHandler": msg444, + "Using": msg279, + "VERSION": msg328, + "VULNERABLE": select6, + "VULNERABLE_VERSION": msg2, + "Validating": msg274, + "Verifying": msg363, + "Version": msg335, + "Version:": msg191, + "Vulnerability": msg319, + "VulnerabilityExceptionEventHandler": msg445, + "Web": select16, + "Webmin": msg133, + "Windows": select38, + "building": msg117, + "but": msg98, + "checking": msg158, + "com.rapid.nexpose.scanpool.stateInterval": msg373, + "com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout": msg374, + "com.rapid7.nexpose.comms.clientConnectionProvider.getConnectionTimeout": msg375, + "com.rapid7.nexpose.datastore.connection.evictionThreadTime": msg376, + "com.rapid7.nexpose.datastore.eviction.connection.threadIdleTimeout": msg377, + "com.rapid7.nexpose.nsc.critical.task.executor.core.thread.pool.size": msg449, + "com.rapid7.nexpose.nsc.critical.task.executor.max.thread.pool.size": msg458, + "com.rapid7.nexpose.nsc.dbcc": msg378, + "com.rapid7.nexpose.nsc.scan.multiengine.scanHaltTimeoutMilliSecond": msg450, + "com.rapid7.nexpose.nsc.scan.scan.event.monitor.poll.duration": msg451, + "com.rapid7.nexpose.nsc.scanExecutorService.maximumCorePoolSize": msg379, + "com.rapid7.nexpose.nsc.scanExecutorService.minimumCorePoolSize": msg380, + "com.rapid7.nexpose.nsc.scanExecutorService.monitorCorePoolSizeIncreaseOnSaturation": msg381, + "com.rapid7.nexpose.nsc.scanExecutorService.monitorEnabled": msg382, + "com.rapid7.nexpose.nsc.scanExecutorService.monitorInterval": msg383, + "com.rapid7.nexpose.nse.excludedFileSystems": msg452, + "com.rapid7.nexpose.nse.nscClient.connectTimeout": msg384, + "com.rapid7.nexpose.nse.nscClient.readTimeout": 
msg385, + "com.rapid7.nexpose.reportGenerator.assetCollectionUpdateTimeout": msg386, + "com.rapid7.nexpose.scan.consolidation.delay": msg387, + "com.rapid7.nexpose.scan.lifecyclemonitor.delay": msg388, + "com.rapid7.nexpose.scan.logCPUMemoryToMemLog.enable": msg453, + "com.rapid7.nexpose.scan.logMemory.interval": msg454, + "com.rapid7.nexpose.scan.monitor.numberSavedAssetDurations": msg455, + "com.rapid7.nexpose.scan.usescanpool": msg389, + "com.rapid7.nsc.workflow.timeout": msg390, + "com.rapid7.scan.perTestDurationLogging": msg456, + "com.rapid7.thread.threadPoolNonBlockingOpsProviderParallelism": msg457, + "common": msg261, + "connected": msg111, + "creating": msg120, + "credentials": msg95, + "dcerpc-get-ms-blaster-codes": msg124, + "initdb": msg362, + "j_password": msg99, + "j_username": msg100, + "jess.JessException:": msg262, + "key": msg188, + "list-user-directory": msg123, + "loading": msg153, + "main": msg107, + "nodes": msg260, + "office": msg210, + "osspi_defaultTargetLocation": msg101, + "param:": msg174, + "persistent-xss": msg92, + "removing": msg332, + "sending": msg119, + "shutting": msg48, + "signon_type": msg122, + "spider-parse-robot-exclusions": msg102, + "starting": msg213, + "trying": msg154, + "unexpected": msg157, + "using": msg142, + "vacuumdb": msg432, + }), + ]); + + var hdr37 = match("HEADER#1:0022/0", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{p0}"); + + var part395 = match("HEADER#1:0022/1_1", "nwparser.p0", "%{hpriority}][%{p0}"); + + var part396 = match("HEADER#1:0022/1_2", "nwparser.p0", "%{hpriority}[%{p0}"); + + var hdr38 = match("HEADER#18:0034/0", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}]%{p0}"); + + var part397 = match("HEADER#18:0034/1_0", "nwparser.p0", " [%{p0}"); + + var part398 = match("HEADER#18:0034/1_1", "nwparser.p0", "[%{p0}"); + + var part399 = match("MESSAGE#17:NSE:01/0", "nwparser.payload", "%{} %{p0}"); + + var part400 = match("MESSAGE#52:Scan:06/0", "nwparser.payload", "Scan: 
[ %{p0}"); + + var part401 = match("MESSAGE#52:Scan:06/1_0", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + + var part402 = match("MESSAGE#52:Scan:06/1_1", "nwparser.p0", "%{saddr->} %{p0}"); + + var select79 = linear_select([ + dup7, + dup8, + ]); + + var part403 = match("MESSAGE#416:Nexpose:12", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var part404 = match("MESSAGE#46:SPIDER", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, + ])); + + var select80 = linear_select([ + dup41, + dup42, + ]); + + var part405 = match("MESSAGE#93:Attempting", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ])); + + var part406 = match("MESSAGE#120:path", "nwparser.payload", "%{info}", processor_chain([ + dup20, + dup15, + ])); + + var part407 = match("MESSAGE#318:Loaded:01", "nwparser.payload", "%{info}", processor_chain([ + dup20, + dup14, + dup15, + ])); + + var part408 = match("MESSAGE#236:Finished:03", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup15, + ])); + + var part409 = match("MESSAGE#418:Mobile", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup25, + ])); + + var part410 = match("MESSAGE#435:ConsoleProductInfoProvider", "nwparser.payload", "%{fld1->} %{action}", processor_chain([ + dup20, + dup14, + dup15, + dup59, + ])); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/rapid7/0.1.0/dataset/nexpose/elasticsearch/ingest_pipeline/default.yml b/packages/rapid7/0.1.0/dataset/nexpose/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 0000000000..d558e7071e --- /dev/null +++ b/packages/rapid7/0.1.0/dataset/nexpose/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Rapid7 NeXpose
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/rapid7/0.1.0/dataset/nexpose/fields/base-fields.yml b/packages/rapid7/0.1.0/dataset/nexpose/fields/base-fields.yml
new file mode 100644
index 0000000000..b294eaf20e
--- /dev/null
+++ b/packages/rapid7/0.1.0/dataset/nexpose/fields/base-fields.yml
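Review bot: The `on_failure` block at the end of the hunk only appends the failure text to `error.message`, leaving no categorical marker that a document with failed enrichment can be filtered on; add `- set:` / `field: event.kind` / `value: pipeline_error` ahead of the `append` so enrichment failures are queryable alongside the message. Because every `geoip` and `rename` step already sets `ignore_missing: true`, the handler will fire mainly on malformed values rather than absent fields, which is exactly the case worth surfacing for triage. The `user_agent` processor names no `target_field`, so it relies on the processor's default destination; stating it explicitly would make the field mapping easier to cross-check against the dataset's field definitions.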
@@ -0,0 +1,26 @@
+- name: datastream.type
+ type: constant_keyword
+ description: Datastream type.
+- name: datastream.dataset
+ type: constant_keyword
+ description: Datastream dataset.
+- name: datastream.namespace
+ type: constant_keyword
+ description: Datastream namespace.
+
+- name: dataset.type
+ type: constant_keyword
+ description: >
+ Dataset type.
+- name: dataset.name
+ type: constant_keyword
+ description: >
+ Dataset name.
+- name: dataset.namespace
+ type: constant_keyword
+ description: >
+ Dataset namespace.
+- name: "@timestamp"
+ type: date
+ description: >
+ Event timestamp.
diff --git a/packages/rapid7/0.1.0/dataset/nexpose/fields/ecs.yml b/packages/rapid7/0.1.0/dataset/nexpose/fields/ecs.yml
new file mode 100644
index 0000000000..92af91c339
--- /dev/null
+++ b/packages/rapid7/0.1.0/dataset/nexpose/fields/ecs.yml
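Review bot: `@timestamp` is declared twice for this dataset: here as `- name: "@timestamp"` with only `type: date`, and again in the ecs.yml added by the same commit as `- name: '@timestamp'` with `level: core` and `required: true`, so the field has two definitions with different attributes. One file should own it — the ECS entry is the richer one, so dropping the last four lines of this hunk seems the cleaner choice. I cannot tell from the diff whether the package tooling merges duplicate names silently or rejects them, but a single definition avoids the two drifting apart. The `dataset.*` and `datastream.*` trios also mirror each other; if `dataset.*` is kept only for compatibility, a one-line comment saying so would help the next maintainer.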
@@ -0,0 +1,836 @@ +- name: log + type: group + fields: + - name: original + level: core + type: keyword + ignore_above: 1024 + description: 'This is the original log message and contains the full log message + before splitting it up in multiple parts. + + In contrast to the `message` field which can contain an extracted part of the + log message, this field contains the original, full log message. It can have + already some modifications applied like encoding or new lines removed to clean + up the log message. + + This field is not indexed and doc_values are disabled so it can''t be queried + but the value can be retrieved from `_source`.' + example: Sep 19 08:26:10 localhost My log + - name: level + level: core + type: keyword + ignore_above: 1024 + description: 'Original log level of the log event. + + If the source of the event provides a log level or textual severity, this is + the one that goes in `log.level`. If your source doesn''t specify one, you may + put your event transport''s severity here (e.g. Syslog severity). + + Some examples are `warn`, `err`, `i`, `informational`.' + example: error + - name: syslog + type: group + fields: + - name: priority + level: extended + type: long + format: string + description: 'Syslog numeric priority of the event, if available. + + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. + This number is therefore expected to contain a value between 0 and 191.' + example: 135 + - name: facility + type: group + fields: + - name: code + level: extended + type: long + format: string + description: 'The Syslog numeric facility of the log event, if available. + + According to RFCs 5424 and 3164, this value should be an integer between + 0 and 23.' + example: 23 + - name: severity + type: group + fields: + - name: code + level: extended + type: long + description: 'The Syslog numeric severity of the log event, if available. 
+ + If the event source publishing via Syslog provides a different numeric severity + value (e.g. firewall, IDS), your source''s numeric severity should go to + `event.severity`. If the event source does not specify a distinct severity, + you can optionally copy the Syslog severity to `event.severity`.' + example: 3 +- name: event + type: group + fields: + - name: code + level: extended + type: keyword + ignore_above: 1024 + description: 'Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, regardless + of message language or wording adjustments over time. An example of this is + the Windows Event ID.' + example: 4648 + - name: action + level: core + type: keyword + ignore_above: 1024 + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is normally + defined by the implementer.' + example: user-password-change + - name: outcome + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + lowest level in the ECS category hierarchy. + + `event.outcome` simply denotes whether the event represents a success or a failure + from the perspective of the entity that produced the event. + + Note that when a single transaction is described in multiple events, each event + may populate different values of `event.outcome`, according to their perspective. + + Also note that in the case of a compound event (a single event that contains + multiple logical events), this field should be populated with the value that + best captures the overall success or failure from the perspective of the event + producer. + + Further note that not all events will have an associated outcome. 
For example, + this field is generally not populated for metric events, events with `event.type:info`, + or any events for which an outcome does not make logical sense.' + example: success + - name: category + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as a + subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + - name: timezone + level: extended + type: keyword + ignore_above: 1024 + description: 'This field should be populated when the event''s timestamp does + not include timezone information already (e.g. default Syslog timestamps). It''s + optional otherwise. + + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated + (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' +- name: '@timestamp' + level: core + required: true + type: date + description: 'Date/time when the event originated. + + This is the date/time extracted from the event, typically representing when the + event was generated by the source. + + If the event source has no original timestamp, this value is typically populated + by the first time the event was received by the pipeline. + + Required field for all events.' + example: '2016-05-23T08:05:34.853Z' +- name: user + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. 
+ example: albert + - name: full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifiers of the user. +- name: message + level: core + type: text + description: 'For log events the message field contains the log message, optimized + for viewing in a log viewer. + + For structured logs without an original message field, other fields can be concatenated + to form a human-readable summary of the event. + + If multiple messages exist, they can be combined into one message.' + example: Hello World +- name: source + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the source. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the source. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the source. + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. 
internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Source domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: host + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified + domain name, or a name specified by the user. The sender decides which value + to use.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. +- name: destination + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the destination. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the destination. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event destination addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. 
You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the destination to the source. + example: 184 + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the destination. + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of destination based NAT sessions (e.g. internet + to private DMZ) + + Typically used with load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Port the source session is translated to by NAT Device. + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Destination domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: network + type: group + fields: + - name: protocol + level: core + type: keyword + ignore_above: 1024 + description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: http + - name: application + level: extended + type: keyword + ignore_above: 1024 + description: 'A name given to an application level protocol. This can be arbitrarily + assigned for things like microservices, but also apply to things like skype, + icq, facebook, twitter. 
This would be used in situations where the vendor or + service can be decoded such as from the source/dest IP owners, ports, or wire + format. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: aim + - name: interface + type: group + fields: + - type: keyword + name: name + - name: bytes + level: core + type: long + format: bytes + description: 'Total bytes transferred in both directions. + + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their + sum.' + example: 368 + - name: direction + level: core + type: keyword + ignore_above: 1024 + description: "Direction of the network traffic.\nRecommended values are:\n *\ + \ inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen mapping\ + \ events from a host-based monitoring context, populate this field from the\ + \ host's point of view.\nWhen mapping events from a network or perimeter-based\ + \ monitoring context, populate this field from the point of view of your network\ + \ perimeter." + example: inbound + - name: packets + level: core + type: long + description: 'Total packets transferred in both directions. + + If `source.packets` and `destination.packets` are known, `network.packets` is + their sum.' + example: 24 + - name: forwarded_ip + level: core + type: ip + description: Host IP address when the source IP address is the proxy. + example: 192.1.1.2 +- name: observer + type: group + fields: + - name: version + level: core + type: keyword + ignore_above: 1024 + description: Observer version. + - name: product + level: extended + type: keyword + ignore_above: 1024 + description: The product name of the observer. + example: s200 + - name: ingress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. 
+ example: eth0 + default_field: false + - name: egress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. + example: eth0 + default_field: false +- name: file + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. + example: example.png + - name: directory + level: extended + type: keyword + ignore_above: 1024 + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + - name: size + level: extended + type: long + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: File type (file, dir, or symlink). + example: file + - name: extension + level: extended + type: keyword + ignore_above: 1024 + description: File extension. + example: png + - name: path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + - name: attributes + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' 
+ example: '["readonly", "system"]' + default_field: false +- name: url + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + - name: query + level: extended + type: keyword + ignore_above: 1024 + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there is + no query field. If there is a `?` but no query, the query field exists with + an empty string. The `exists` query can be used to differentiate between the + two cases.' + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field.' + example: www.elastic.co + - name: path + level: extended + type: keyword + ignore_above: 1024 + description: Path of the request, such as "/search". + - name: top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for google.com is "com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). 
Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.google.com" is "google.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: google.com +- name: service + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the service data is collected from. + + The name of the service is normally user given. This allows for distributed + services that run on multiple hosts to correlate the related instances based + on the name. + + In the case of Elasticsearch the `service.name` could contain the cluster name. + For Beats the `service.name` is by default a copy of the `service.type` field + if no name is specified.' + example: elasticsearch-metrics +- name: server + type: group + fields: + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Server domain. +- name: process + type: group + fields: + - name: pid + level: core + type: long + format: string + description: Process id. + example: 4242 + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + - name: ppid + level: extended + type: long + format: string + description: Parent process' pid. 
+ example: 4241 + - name: parent + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' +- name: rule + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: The name of the rule or signature generating the event. + example: BLOCK_DNS_over_TLS + default_field: false +- name: user_agent + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Unparsed user_agent string. + example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 + (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 +- name: http + type: group + fields: + - name: response + type: group + fields: + - name: body + type: group + fields: + - name: content + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: The full HTTP response body. 
+ example: Hello world + - name: request + type: group + fields: + - name: referrer + level: extended + type: keyword + ignore_above: 1024 + description: Referrer for this HTTP request. + example: https://blog.example.com/ + - name: method + level: extended + type: keyword + ignore_above: 1024 + description: 'HTTP request method. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: get, post, put +- name: geo + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + - name: region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec +- name: dns + type: group + fields: + - name: question + type: group + fields: + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of record being queried. + example: AAAA + - name: answers + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'The domain name to which this resource record pertains. + + If a chain of CNAME is being resolved, each answer''s `name` should be the + one that corresponds with the answer''s `data`. It should not simply be the + original `question.name` repeated.' + example: www.google.com + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of data contained in this resource record. 
+ example: CNAME diff --git a/packages/rapid7/0.1.0/dataset/nexpose/fields/fields.yml b/packages/rapid7/0.1.0/dataset/nexpose/fields/fields.yml new file mode 100644 index 0000000000..2abc947fe7 --- /dev/null +++ b/packages/rapid7/0.1.0/dataset/nexpose/fields/fields.yml 
@@ -0,0 +1,1939 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. 
+ - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a 
generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare
+ type: group
+ fields:
+ - name: patient_fname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ type: group
+ fields:
+ - name: host_state
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/packages/rapid7/0.1.0/dataset/nexpose/manifest.yml b/packages/rapid7/0.1.0/dataset/nexpose/manifest.yml
new file mode 100644
index 0000000000..c0c331eedd
--- /dev/null
+++ b/packages/rapid7/0.1.0/dataset/nexpose/manifest.yml
@@ -0,0 +1,155 @@
+title: Rapid7 NeXpose logs
+release: experimental
+type: logs
+streams:
+- input: udp
+ title: Rapid7 NeXpose logs
+ description: Collect Rapid7 NeXpose logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - rapid7-nexpose
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9516
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: tcp
+ title: Rapid7 NeXpose logs
+ description: Collect Rapid7 NeXpose logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - rapid7-nexpose
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9516
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: file
+ title: Rapid7 NeXpose logs
+ description: Collect Rapid7 NeXpose logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/rapid7-nexpose.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - rapid7-nexpose
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
diff --git a/packages/rapid7/0.1.0/docs/README.md b/packages/rapid7/0.1.0/docs/README.md
new file mode 100644
index 0000000000..06c6557dd2
--- /dev/null
+++ b/packages/rapid7/0.1.0/docs/README.md
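Review bot: The `file` stream in this manifest has no `template_path`, while the `udp` and `tcp` streams set `template_path: udp.yml.hbs` and `template_path: tcp.yml.hbs`; unless the package tooling falls back to a default template name for that stream, the file input will not render an input configuration, so either add `template_path: stream.yml.hbs` (or whatever template the package ships) or confirm the fallback. The `tz_offset` title reads `Timezone offset (+HH:mm format)` in all three streams but the default is `"local"`, which the script's `parse_tz_offset` also accepts; a title such as `Timezone offset (+HH:mm format, or "local")` would document the accepted values. Defaulting the listeners to `localhost` is the right choice for a network input; the TCP and UDP streams sharing port 9516 is presumably intentional, as they are distinct protocols.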
@@ -0,0 +1,780 @@ +# Rapid7 integration + +This integration is for Rapid7 device's logs. It includes the following +datasets for receiving logs over syslog or read from a file: +- `nexpose` dataset: supports Rapid7 NeXpose logs. + +### Nexpose + +The `nexpose` dataset collects Rapid7 NeXpose logs. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| dataset.name | Dataset name. | constant_keyword | +| dataset.namespace | Dataset namespace. | constant_keyword | +| dataset.type | Dataset type. | constant_keyword | +| datastream.dataset | Datastream dataset. | constant_keyword | +| datastream.namespace | Datastream namespace. | constant_keyword | +| datastream.type | Datastream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | Destination domain. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location.lat | | double | +| destination.geo.location.lon | | double | +| destination.ip | IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses. | ip | +| destination.mac | MAC address of the destination. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. 
| keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| http.request.method | HTTP request method. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.body.content | The full HTTP response body. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. 
| keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | +| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.pid | Process id. | long | +| process.ppid | Parent process' pid. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. 
| keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is 
used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| rsa.crypto.ike | IKE negotiation phase. 
| keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | +| rsa.file.directory_dst | This key is used to capture the directory of the target process or file | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | +| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.event_desc | | keyword | +| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | +| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | +| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.inode | Deprecated key defined only in table map. | long | +| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date |
+| rsa.internal.level | Deprecated key defined only in table map. | long |
+| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long |
+| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long |
+| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long |
+| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long |
+| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long |
+| rsa.internal.message | This key captures the contents of instant messages | keyword |
+| rsa.internal.messageid | | keyword |
+| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword |
+| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.node_name | Deprecated key defined only in table map. | keyword |
+| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword |
+| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword |
+| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword |
+| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword |
+| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long |
+| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long |
+| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword |
+| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword |
+| rsa.internal.resource | Deprecated key defined only in table map.
| keyword |
+| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword |
+| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
+| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.site | Deprecated key defined only in table map. | keyword |
+| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
+| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.statement | Deprecated key defined only in table map. | keyword |
+| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date |
+| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long |
+| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream.
256 would mean all byte values of 0 thru 255 were seen at least once | long |
+| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword |
+| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword |
+| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword |
+| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword |
+| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword |
+| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword |
+| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword |
+| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword |
+| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword |
+| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword |
+| rsa.investigations.event_cat | This key captures the Event category number | long |
+| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword |
+| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.
| keyword |
+| rsa.investigations.inv_category | This used to capture investigation category | keyword |
+| rsa.investigations.inv_context | This used to capture investigation context | keyword |
+| rsa.investigations.ioc | This is key capture indicator of compromise | keyword |
+| rsa.misc.OS | This key captures the Name of the Operating System | keyword |
+| rsa.misc.acl_id | | keyword |
+| rsa.misc.acl_op | | keyword |
+| rsa.misc.acl_pos | | keyword |
+| rsa.misc.acl_table | | keyword |
+| rsa.misc.action | | keyword |
+| rsa.misc.admin | | keyword |
+| rsa.misc.agent_id | This key is used to capture agent id | keyword |
+| rsa.misc.alarm_id | | keyword |
+| rsa.misc.alarmname | | keyword |
+| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword |
+| rsa.misc.app_id | | keyword |
+| rsa.misc.audit | | keyword |
+| rsa.misc.audit_object | | keyword |
+| rsa.misc.auditdata | | keyword |
+| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword |
+| rsa.misc.benchmark | | keyword |
+| rsa.misc.bypass | | keyword |
+| rsa.misc.cache | | keyword |
+| rsa.misc.cache_hit | | keyword |
+| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword |
+| rsa.misc.cc_number | Valid Credit Card Numbers only | long |
+| rsa.misc.cefversion | | keyword |
+| rsa.misc.cfg_attr | | keyword |
+| rsa.misc.cfg_obj | | keyword |
+| rsa.misc.cfg_path | | keyword |
+| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword |
+| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword |
+| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword |
+| rsa.misc.changes | | keyword |
+| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword |
+| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword |
+| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword |
+| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword |
+| rsa.misc.client_ip | | keyword |
+| rsa.misc.clustermembers | | keyword |
+| rsa.misc.cmd | | keyword |
+| rsa.misc.cn_acttimeout | | keyword |
+| rsa.misc.cn_asn_src | | keyword |
+| rsa.misc.cn_bgpv4nxthop | | keyword |
+| rsa.misc.cn_ctr_dst_code | | keyword |
+| rsa.misc.cn_dst_tos | | keyword |
+| rsa.misc.cn_dst_vlan | | keyword |
+| rsa.misc.cn_engine_id | | keyword |
+| rsa.misc.cn_engine_type | | keyword |
+| rsa.misc.cn_f_switch | | keyword |
+| rsa.misc.cn_flowsampid | | keyword |
+| rsa.misc.cn_flowsampintv | | keyword |
+| rsa.misc.cn_flowsampmode | | keyword |
+| rsa.misc.cn_inacttimeout | | keyword |
+| rsa.misc.cn_inpermbyts | | keyword |
+| rsa.misc.cn_inpermpckts | | keyword |
+| rsa.misc.cn_invalid | | keyword |
+| rsa.misc.cn_ip_proto_ver | | keyword |
+| rsa.misc.cn_ipv4_ident | | keyword |
+| rsa.misc.cn_l_switch | | keyword |
+| rsa.misc.cn_log_did | | keyword |
+| rsa.misc.cn_log_rid | | keyword |
+| rsa.misc.cn_max_ttl | | keyword |
+| rsa.misc.cn_maxpcktlen | | keyword |
+| rsa.misc.cn_min_ttl | | keyword |
+| rsa.misc.cn_minpcktlen | | keyword |
+| rsa.misc.cn_mpls_lbl_1 | | keyword |
+| rsa.misc.cn_mpls_lbl_10 | | keyword |
+| rsa.misc.cn_mpls_lbl_2 | | keyword |
+| rsa.misc.cn_mpls_lbl_3 | | keyword |
+| rsa.misc.cn_mpls_lbl_4 | | keyword |
+| rsa.misc.cn_mpls_lbl_5 |
| keyword |
+| rsa.misc.cn_mpls_lbl_6 | | keyword |
+| rsa.misc.cn_mpls_lbl_7 | | keyword |
+| rsa.misc.cn_mpls_lbl_8 | | keyword |
+| rsa.misc.cn_mpls_lbl_9 | | keyword |
+| rsa.misc.cn_mplstoplabel | | keyword |
+| rsa.misc.cn_mplstoplabip | | keyword |
+| rsa.misc.cn_mul_dst_byt | | keyword |
+| rsa.misc.cn_mul_dst_pks | | keyword |
+| rsa.misc.cn_muligmptype | | keyword |
+| rsa.misc.cn_sampalgo | | keyword |
+| rsa.misc.cn_sampint | | keyword |
+| rsa.misc.cn_seqctr | | keyword |
+| rsa.misc.cn_spackets | | keyword |
+| rsa.misc.cn_src_tos | | keyword |
+| rsa.misc.cn_src_vlan | | keyword |
+| rsa.misc.cn_sysuptime | | keyword |
+| rsa.misc.cn_template_id | | keyword |
+| rsa.misc.cn_totbytsexp | | keyword |
+| rsa.misc.cn_totflowexp | | keyword |
+| rsa.misc.cn_totpcktsexp | | keyword |
+| rsa.misc.cn_unixnanosecs | | keyword |
+| rsa.misc.cn_v6flowlabel | | keyword |
+| rsa.misc.cn_v6optheaders | | keyword |
+| rsa.misc.code | | keyword |
+| rsa.misc.command | | keyword |
+| rsa.misc.comments | Comment information provided in the log message | keyword |
+| rsa.misc.comp_class | | keyword |
+| rsa.misc.comp_name | | keyword |
+| rsa.misc.comp_rbytes | | keyword |
+| rsa.misc.comp_sbytes | | keyword |
+| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword |
+| rsa.misc.connection_id | This key captures the Connection ID | keyword |
+| rsa.misc.content | This key captures the content type from protocol headers | keyword |
+| rsa.misc.content_type | This key is used to capture Content Type only. | keyword |
+| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword |
+| rsa.misc.context | This key captures Information which adds additional context to the event.
| keyword |
+| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword |
+| rsa.misc.context_target | | keyword |
+| rsa.misc.count | | keyword |
+| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long |
+| rsa.misc.cpu_data | | keyword |
+| rsa.misc.criticality | | keyword |
+| rsa.misc.cs_agency_dst | | keyword |
+| rsa.misc.cs_analyzedby | | keyword |
+| rsa.misc.cs_av_other | | keyword |
+| rsa.misc.cs_av_primary | | keyword |
+| rsa.misc.cs_av_secondary | | keyword |
+| rsa.misc.cs_bgpv6nxthop | | keyword |
+| rsa.misc.cs_bit9status | | keyword |
+| rsa.misc.cs_context | | keyword |
+| rsa.misc.cs_control | | keyword |
+| rsa.misc.cs_data | | keyword |
+| rsa.misc.cs_datecret | | keyword |
+| rsa.misc.cs_dst_tld | | keyword |
+| rsa.misc.cs_eth_dst_ven | | keyword |
+| rsa.misc.cs_eth_src_ven | | keyword |
+| rsa.misc.cs_event_uuid | | keyword |
+| rsa.misc.cs_filetype | | keyword |
+| rsa.misc.cs_fld | | keyword |
+| rsa.misc.cs_if_desc | | keyword |
+| rsa.misc.cs_if_name | | keyword |
+| rsa.misc.cs_ip_next_hop | | keyword |
+| rsa.misc.cs_ipv4dstpre | | keyword |
+| rsa.misc.cs_ipv4srcpre | | keyword |
+| rsa.misc.cs_lifetime | | keyword |
+| rsa.misc.cs_log_medium | | keyword |
+| rsa.misc.cs_loginname | | keyword |
+| rsa.misc.cs_modulescore | | keyword |
+| rsa.misc.cs_modulesign | | keyword |
+| rsa.misc.cs_opswatresult | | keyword |
+| rsa.misc.cs_payload | | keyword |
+| rsa.misc.cs_registrant | | keyword |
+| rsa.misc.cs_registrar | | keyword |
+| rsa.misc.cs_represult | | keyword |
+| rsa.misc.cs_rpayload | | keyword |
+| rsa.misc.cs_sampler_name | | keyword |
+| rsa.misc.cs_sourcemodule | | keyword |
+| rsa.misc.cs_streams | | keyword |
+| rsa.misc.cs_targetmodule | | keyword |
+| rsa.misc.cs_v6nxthop | | keyword |
+| rsa.misc.cs_whois_server | | keyword |
+| rsa.misc.cs_yararesult | | keyword |
+| rsa.misc.cve | This key captures
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword |
+| rsa.misc.data_type | | keyword |
+| rsa.misc.description | | keyword |
+| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword |
+| rsa.misc.devvendor | | keyword |
+| rsa.misc.disposition | This key captures the The end state of an action. | keyword |
+| rsa.misc.distance | | keyword |
+| rsa.misc.doc_number | This key captures File Identification number | long |
+| rsa.misc.dstburb | | keyword |
+| rsa.misc.edomain | | keyword |
+| rsa.misc.edomaub | | keyword |
+| rsa.misc.ein_number | Employee Identification Numbers only | long |
+| rsa.misc.error | This key captures All non successful Error codes or responses | keyword |
+| rsa.misc.euid | | keyword |
+| rsa.misc.event_category | | keyword |
+| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword |
+| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword |
+| rsa.misc.event_id | | keyword |
+| rsa.misc.event_log | This key captures the Name of the event log | keyword |
+| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword |
+| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword |
+| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword |
+| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword |
+| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log).
| keyword |
+| rsa.misc.facility | | keyword |
+| rsa.misc.facilityname | | keyword |
+| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword |
+| rsa.misc.filter | This key captures Filter used to reduce result set | keyword |
+| rsa.misc.finterface | | keyword |
+| rsa.misc.flags | | keyword |
+| rsa.misc.forensic_info | | keyword |
+| rsa.misc.found | This is used to capture the results of regex match | keyword |
+| rsa.misc.fresult | This key captures the Filter Result | long |
+| rsa.misc.gaddr | | keyword |
+| rsa.misc.group | This key captures the Group Name value | keyword |
+| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword |
+| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword |
+| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword |
+| rsa.misc.id3 | | keyword |
+| rsa.misc.im_buddyid | | keyword |
+| rsa.misc.im_buddyname | | keyword |
+| rsa.misc.im_client | | keyword |
+| rsa.misc.im_croomid | | keyword |
+| rsa.misc.im_croomtype | | keyword |
+| rsa.misc.im_members | | keyword |
+| rsa.misc.im_userid | | keyword |
+| rsa.misc.im_username | | keyword |
+| rsa.misc.index | | keyword |
+| rsa.misc.inout | | keyword |
+| rsa.misc.ipkt | | keyword |
+| rsa.misc.ipscat | | keyword |
+| rsa.misc.ipspri | | keyword |
+| rsa.misc.job_num | This key captures the Job Number | keyword |
+| rsa.misc.jobname | | keyword |
+| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword |
+| rsa.misc.latitude | | keyword |
+| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword |
+| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long |
+| rsa.misc.linenum | | keyword |
+| rsa.misc.link | This key is used to link the sessions together.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.misc.list_name | | keyword |
+| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword |
+| rsa.misc.load_data | | keyword |
+| rsa.misc.location_floor | | keyword |
+| rsa.misc.location_mark | | keyword |
+| rsa.misc.log_id | | keyword |
+| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword |
+| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword |
+| rsa.misc.log_type | | keyword |
+| rsa.misc.logid | | keyword |
+| rsa.misc.logip | | keyword |
+| rsa.misc.logname | | keyword |
+| rsa.misc.longitude | | keyword |
+| rsa.misc.lport | | keyword |
+| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword |
+| rsa.misc.match | This key is for regex match name from search.ini | keyword |
+| rsa.misc.mbug_data | | keyword |
+| rsa.misc.message_body | This key captures the The contents of the message body. | keyword |
+| rsa.misc.misc | | keyword |
+| rsa.misc.misc_name | | keyword |
+| rsa.misc.mode | | keyword |
+| rsa.misc.msgIdPart1 | | keyword |
+| rsa.misc.msgIdPart2 | | keyword |
+| rsa.misc.msgIdPart3 | | keyword |
+| rsa.misc.msgIdPart4 | | keyword |
+| rsa.misc.msg_type | | keyword |
+| rsa.misc.msgid | | keyword |
+| rsa.misc.name | | keyword |
+| rsa.misc.netsessid | | keyword |
+| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name.
| keyword |
+| rsa.misc.ntype | | keyword |
+| rsa.misc.num | | keyword |
+| rsa.misc.number | | keyword |
+| rsa.misc.number1 | | keyword |
+| rsa.misc.number2 | | keyword |
+| rsa.misc.nwwn | | keyword |
+| rsa.misc.obj_name | This is used to capture name of object | keyword |
+| rsa.misc.obj_type | This is used to capture type of object | keyword |
+| rsa.misc.object | | keyword |
+| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword |
+| rsa.misc.operation | | keyword |
+| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword |
+| rsa.misc.opkt | | keyword |
+| rsa.misc.orig_from | | keyword |
+| rsa.misc.owner_id | | keyword |
+| rsa.misc.p_action | | keyword |
+| rsa.misc.p_filter | | keyword |
+| rsa.misc.p_group_object | | keyword |
+| rsa.misc.p_id | | keyword |
+| rsa.misc.p_msgid | | keyword |
+| rsa.misc.p_msgid1 | | keyword |
+| rsa.misc.p_msgid2 | | keyword |
+| rsa.misc.p_result1 | | keyword |
+| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword |
+| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword |
+| rsa.misc.param_src | This key captures source parameter | keyword |
+| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable.
| keyword |
+| rsa.misc.password_chg | | keyword |
+| rsa.misc.password_expire | | keyword |
+| rsa.misc.payload_dst | This key is used to capture destination payload | keyword |
+| rsa.misc.payload_src | This key is used to capture source payload | keyword |
+| rsa.misc.permgranted | | keyword |
+| rsa.misc.permwanted | | keyword |
+| rsa.misc.pgid | | keyword |
+| rsa.misc.phone | | keyword |
+| rsa.misc.pid | | keyword |
+| rsa.misc.policy | | keyword |
+| rsa.misc.policyUUID | | keyword |
+| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword |
+| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword |
+| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword |
+| rsa.misc.policy_waiver | | keyword |
+| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword |
+| rsa.misc.pool_name | This key captures the name of a resource pool | keyword |
+| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword |
+| rsa.misc.priority | | keyword |
+| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword |
+| rsa.misc.prog_asp_num | | keyword |
+| rsa.misc.program | | keyword |
+| rsa.misc.real_data | | keyword |
+| rsa.misc.reason | | keyword |
+| rsa.misc.rec_asp_device | | keyword |
+| rsa.misc.rec_asp_num | | keyword |
+| rsa.misc.rec_library | | keyword |
+| rsa.misc.recordnum | | keyword |
+| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword |
+| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword |
+| rsa.misc.reference_id2 | This key is for the 2nd Linked ID.
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword |
+| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword |
+| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword |
+| rsa.misc.risk | This key captures the non-numeric risk value | keyword |
+| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword |
+| rsa.misc.risk_num | This key captures a Numeric Risk value | double |
+| rsa.misc.risk_num_comm | This key captures Risk Number Community | double |
+| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double |
+| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double |
+| rsa.misc.risk_num_static | This key captures Risk Number Static | double |
+| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword |
+| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword |
+| rsa.misc.ruid | | keyword |
+| rsa.misc.rule | This key captures the Rule number | keyword |
+| rsa.misc.rule_group | This key captures the Rule group name | keyword |
+| rsa.misc.rule_name | This key captures the Rule Name | keyword |
+| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword |
+| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword |
+| rsa.misc.sburb | | keyword |
+| rsa.misc.sdomain_fld | | keyword |
+| rsa.misc.search_text | This key captures the Search Text used | keyword |
+| rsa.misc.sec | | keyword |
+| rsa.misc.second | | keyword |
+| rsa.misc.sensor | This key captures Name of the sensor.
Typically used in IDS/IPS based devices | keyword |
+| rsa.misc.sensorname | | keyword |
+| rsa.misc.seqnum | | keyword |
+| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword |
+| rsa.misc.session | | keyword |
+| rsa.misc.sessiontype | | keyword |
+| rsa.misc.severity | This key is used to capture the severity given the session | keyword |
+| rsa.misc.sigUUID | | keyword |
+| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long |
+| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long |
+| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword |
+| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword |
+| rsa.misc.sigcat | | keyword |
+| rsa.misc.snmp_oid | SNMP Object Identifier | keyword |
+| rsa.misc.snmp_value | SNMP set request value | keyword |
+| rsa.misc.space | | keyword |
+| rsa.misc.space1 | | keyword |
+| rsa.misc.spi | | keyword |
+| rsa.misc.spi_dst | Destination SPI Index | keyword |
+| rsa.misc.spi_src | Source SPI Index | keyword |
+| rsa.misc.sql | This key captures the SQL query | keyword |
+| rsa.misc.srcburb | | keyword |
+| rsa.misc.srcdom | | keyword |
+| rsa.misc.srcservice | | keyword |
+| rsa.misc.state | | keyword |
+| rsa.misc.status | | keyword |
+| rsa.misc.status1 | | keyword |
+| rsa.misc.streams | This key captures number of streams in session | long |
+| rsa.misc.subcategory | | keyword |
+| rsa.misc.svcno | | keyword |
+| rsa.misc.system | | keyword |
+| rsa.misc.tbdstr1 | | keyword |
+| rsa.misc.tbdstr2 | | keyword |
+| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long |
+| rsa.misc.terminal | This key captures the Terminal Names only | keyword |
+| rsa.misc.tgtdom | | keyword |
+| rsa.misc.tgtdomain | | keyword |
+| rsa.misc.threshold | | keyword |
+| rsa.misc.tos | This key describes the type of service | long
|
+| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword |
+| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword |
+| rsa.misc.type | | keyword |
+| rsa.misc.type1 | | keyword |
+| rsa.misc.udb_class | | keyword |
+| rsa.misc.url_fld | | keyword |
+| rsa.misc.user_div | | keyword |
+| rsa.misc.userid | | keyword |
+| rsa.misc.username_fld | | keyword |
+| rsa.misc.utcstamp | | keyword |
+| rsa.misc.v_instafname | | keyword |
+| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword |
+| rsa.misc.virt_data | | keyword |
+| rsa.misc.virusname | This key captures the name of the virus | keyword |
+| rsa.misc.vm_target | VMWare Target **VMWARE** only varaible. | keyword |
+| rsa.misc.vpnid | | keyword |
+| rsa.misc.vsys | This key captures Virtual System Name | keyword |
+| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword |
+| rsa.misc.workspace | This key captures Workspace Description | keyword |
+| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword |
+| rsa.network.addr | | keyword |
+| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.
| keyword |
+| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword |
+| rsa.network.dmask | This key is used for Destionation Device network mask | keyword |
+| rsa.network.dns_a_record | | keyword |
+| rsa.network.dns_cname_record | | keyword |
+| rsa.network.dns_id | | keyword |
+| rsa.network.dns_opcode | | keyword |
+| rsa.network.dns_ptr_record | | keyword |
+| rsa.network.dns_resp | | keyword |
+| rsa.network.dns_type | | keyword |
+| rsa.network.domain | | keyword |
+| rsa.network.domain1 | | keyword |
+| rsa.network.eth_host | Deprecated, use alias.mac | keyword |
+| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long |
+| rsa.network.faddr | | keyword |
+| rsa.network.fhost | | keyword |
+| rsa.network.fport | | keyword |
+| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword |
+| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword |
+| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword |
+| rsa.network.host_type | | keyword |
+| rsa.network.icmp_code | This key is used to capture the ICMP code only | long |
+| rsa.network.icmp_type | This key is used to capture the ICMP type only | long |
+| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword |
+| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long |
+| rsa.network.laddr | | keyword |
+| rsa.network.lhost | | keyword |
+| rsa.network.linterface | | keyword |
+| rsa.network.mask | This key is used to capture the device network IPmask. | keyword |
+| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user.
| keyword |
+| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long |
+| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword |
+| rsa.network.origin | | keyword |
+| rsa.network.packet_length | | keyword |
+| rsa.network.paddr | Deprecated | ip |
+| rsa.network.phost | | keyword |
+| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long |
+| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword |
+| rsa.network.remote_domain_id | | keyword |
+| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword |
+| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword |
+| rsa.network.smask | This key is used for capturing source Network Mask | keyword |
+| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long |
+| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword |
+| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword |
+| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword |
+| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword |
+| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword |
+| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database.
| keyword | +| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | +| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | +| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | +| rsa.threat.alert | This key is used to capture name of the alert | keyword | +| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | +| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | +| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | +| rsa.time.date | | keyword | +| rsa.time.datetime | | keyword | +| rsa.time.day | | keyword | +| rsa.time.duration_str | A text string version of the duration | keyword | +| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | +| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | +| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | +| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | +| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | +| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | +| rsa.time.eventtime | | keyword | +| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | +| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | +| rsa.time.gmtdate | | keyword | +| rsa.time.gmttime | | keyword | +| rsa.time.hour | | keyword | +| rsa.time.min | | keyword | +| rsa.time.month | | keyword | +| rsa.time.p_date | | keyword | +| rsa.time.p_month | | keyword | +| rsa.time.p_time | | keyword | +| rsa.time.p_time1 | | keyword | +| rsa.time.p_time2 | | keyword | +| rsa.time.p_year | | keyword | +| rsa.time.process_time | Deprecated, use duration.time | keyword | +| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | +| rsa.time.stamp | Deprecated key defined only in table map. | date | +| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | +| rsa.time.timestamp | | keyword | +| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | +| rsa.time.tzone | | keyword | +| rsa.time.year | | keyword | +| rsa.web.alias_host | | keyword | +| rsa.web.cn_asn_dst | | keyword | +| rsa.web.cn_rpackets | | keyword | +| rsa.web.fqdn | Fully Qualified Domain Names | keyword | +| rsa.web.p_url | | keyword | +| rsa.web.p_user_agent | | keyword | +| rsa.web.p_web_cookie | | keyword | +| rsa.web.p_web_method | | keyword | +| rsa.web.p_web_referer | | keyword | +| rsa.web.remote_domain | | keyword | +| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | +| rsa.web.urlpage | | keyword | +| rsa.web.urlroot | | keyword | +| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | Server domain. | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | Source domain. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location.lat | | double | +| source.geo.location.lon | | double | +| source.ip | IP address of the source. Can be one or multiple IPv4 or IPv6 addresses. 
| ip | +| source.mac | MAC address of the source. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword | +| url.path | Path of the request, such as "/search". | keyword | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.id | Unique identifiers of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | diff --git a/packages/rapid7/0.1.0/manifest.yml b/packages/rapid7/0.1.0/manifest.yml new file mode 100644 index 0000000000..81cd8df108 --- /dev/null +++ b/packages/rapid7/0.1.0/manifest.yml @@ -0,0 +1,31 @@ +format_version: 1.0.0 +name: rapid7 +title: Rapid7 NeXpose +version: 0.1.0 +description: Rapid7 NeXpose Integration +categories: ["security"] +release: experimental +removable: true +license: basic +type: integration +conditions: + kibana: + version: '>=7.9.0' + elasticsearch: + version: '>=7.9.0' +config_templates: +- name: nexpose + title: Rapid7 NeXpose + description: Collect Rapid7 NeXpose logs from syslog or a file. + inputs: + - type: udp + title: Collect logs from Rapid7 NeXpose via UDP + description: Collecting syslog from Rapid7 NeXpose via UDP + - type: tcp + title: Collect logs from Rapid7 NeXpose via TCP + description: Collecting syslog from Rapid7 NeXpose via TCP + - type: file + title: Collect logs from Rapid7 NeXpose via file + description: Collecting syslog from Rapid7 NeXpose via file. +# No icon +icons: diff --git a/packages/sonicwall/0.1.0/dataset/firewall/agent/stream/stream.yml.hbs b/packages/sonicwall/0.1.0/dataset/firewall/agent/stream/stream.yml.hbs new file mode 100644 index 0000000000..ab3e4cfcf6 --- /dev/null +++ b/packages/sonicwall/0.1.0/dataset/firewall/agent/stream/stream.yml.hbs 
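Review bot: The `udp` and `tcp` input descriptions (`description: Collecting syslog from Rapid7 NeXpose via UDP`, `... via TCP`) say nothing about plain syslog on either transport being unauthenticated and unencrypted, so any host that can reach the listener can inject events that will be indexed as NeXpose scan data. A one-line caveat in each description would help operators choose the transport deliberately, e.g. `description: Collecting syslog from Rapid7 NeXpose via UDP (unauthenticated transport; restrict the listener to the scanner's source address at the network layer)`. Whether the TCP stream supports TLS is not visible from this manifest; if it does, the TCP description should point to it, and if it does not, that is worth stating in the package README. The trailing `icons:` key is also left with no value, which YAML reads as null rather than an empty list — confirm the package spec accepts that.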
@@ -0,0 +1,9581 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Sonicwall"
+ product: "Firewalls"
+ type: "Firewall"
+publisher_pipeline.disable_host: true
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{rsa_fields}}
+ tz_offset: {{tz_offset}}
+ keep_raw: {{keep_raw_fields}}
+ debug: {{debug}}
+ source: |
+ // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ // or more contributor license agreements. Licensed under the Elastic License;
+ // you may not use this file except in compliance with the Elastic License.
+
+ /* jshint -W014,-W016,-W097,-W116 */
+
+ var processor = require("processor");
+ var console = require("console");
+
+ var FLAG_FIELD = "log.flags";
+ var FIELDS_OBJECT = "nwparser";
+ var FIELDS_PREFIX = FIELDS_OBJECT + ".";
+
+ var defaults = {
+ debug: false,
+ ecs: true,
+ rsa: false,
+ keep_raw: false,
+ tz_offset: "local",
+ strip_priority: true
+ };
+
+ var saved_flags = null;
+ var debug;
+ var map_ecs;
+ var map_rsa;
+ var keep_raw;
+ var device;
+ var tz_offset;
+ var strip_priority;
+
+ // Register params from configuration.
+ function register(params) {
+ debug = params.debug !== undefined ? params.debug : defaults.debug;
+ map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
+ map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
+ keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
+ tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
+ strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority;
+ device = new DeviceProcessor();
+ }
+
+ function parse_tz_offset(offset) {
+ var date;
+ var m;
+ switch(offset) {
+ // local uses the tz offset from the JS VM.
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage).
+ var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+ };
+
+ function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+ }
+
+ function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+ }
+
+ function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+ }
+
+ function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+ }
+
+ function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+ }
+
+ function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+ }
+
+ var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]},
+ "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value;
+ }
+
+ function fld_set(dst, value) {
+ dst[this.field] = { v: value };
+ }
+
+ function fld_append(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: [value] };
+ } else {
+ var base = dst[this.field];
+ if (base.v.indexOf(value)===-1) base.v.push(value);
+ }
+ }
+
+ function fld_prio(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value, prio: this.prio};
+ } else if(this.prio < dst[this.field].prio) {
+ dst[this.field].v = value;
+ dst[this.field].prio = this.prio;
+ }
+ }
+
+ var valid_ecs_outcome = {
+ 'failure': true,
+ 'success': true,
+ 'unknown': true
+ };
+
+ function fld_ecs_outcome(dst, value) {
+ value = value.toLowerCase();
+ if (valid_ecs_outcome[value] === undefined) {
+ value = 'unknown';
+ }
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value };
+ } else if (dst[this.field].v === 'unknown') {
+ dst[this.field] = { v: value };
+ }
+ }
+
+ function map_all(evt, targets, value) {
+ for (var i = 0; i < targets.length; i++) {
+ evt.Put(targets[i], value);
+ }
+ }
+
+ function populate_fields(evt) {
+ var base = evt.Get(FIELDS_OBJECT);
+ if (base === null) return;
+ alternate_datetime(evt);
+ if (map_ecs) {
+ do_populate(evt, base, ecs_mappings);
+ }
+ if (map_rsa) {
+ do_populate(evt, base, rsa_mappings);
+ }
+ if (keep_raw) {
+ evt.Put("rsa.raw", base);
+ }
+ evt.Delete(FIELDS_OBJECT);
+ }
+
+ var datetime_alt_components = [
+ {field: "day", fmts: [[dF]]},
+ {field: "year", fmts: [[dW]]},
+ {field: "month", fmts: [[dB],[dG]]},
+ {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
+ {field: "hour", fmts: [[dN]]},
+ {field: "min", fmts: [[dU]]},
+ {field: "secs", fmts: [[dO]]},
+ {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
+ ];
+
+ function alternate_datetime(evt) {
+ if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
+ return;
+ }
+ var tzOffset = tz_offset;
+ if (tzOffset === "event") {
+ 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} n=%{fld2->} src=%{p0}"); + + var dup8 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + + var dup9 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var dup10 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{} %{p0}"); + + var dup11 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup12 = setc("eventcategory","1502010000"); + + var dup13 = setc("eventcategory","1502020000"); + + var dup14 = setc("eventcategory","1002010000"); + + var dup15 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var dup16 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); + + var dup17 = setf("hostip","hhostip"); + + var dup18 = setf("id","hid"); + + var dup19 = setf("serial_number","hserial_number"); + + var dup20 = setf("category","hcategory"); + + var dup21 = setf("severity","hseverity"); + + var dup22 = setc("eventcategory","1805010000"); + + var dup23 = call({ + dest: "nwparser.msg", + fn: RMQ, + args: [ + field("msg"), + ], + }); + + var dup24 = setc("eventcategory","1302000000"); + + var dup25 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var dup26 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); + + var dup27 = match("MESSAGE#38:29:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); + + var dup28 = match("MESSAGE#38:29:01/3_1", "nwparser.p0", "%{daddr->} "); + + var dup29 = setc("eventcategory","1401050100"); + + var dup30 = setc("eventcategory","1401030000"); + + var dup31 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); + + var dup32 = setc("eventcategory","1301020000"); + + var 
dup33 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); + + var dup34 = match("MESSAGE#54:36:01/2_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); + + var dup35 = match("MESSAGE#54:36:01/2_1", "nwparser.p0", "%{saddr->} %{p0}"); + + var dup36 = match("MESSAGE#54:36:01/3", "nwparser.p0", "%{}dst= %{p0}"); + + var dup37 = date_time({ + dest: "event_time", + args: ["date","time"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup38 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup39 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); + + var dup40 = match("MESSAGE#57:37:01/1_1", "nwparser.p0", "n=%{fld1->} src=%{p0}"); + + var dup41 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); + + var dup42 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + + var dup43 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{} %{protocol->} npcs=%{info}"); + + var dup44 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); + + var dup45 = match("MESSAGE#62:38:01/5_1", "nwparser.p0", "rule=%{rule->} "); + + var dup46 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} type= %{p0}"); + + var dup47 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} type= %{p0}"); + + var dup48 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{p0}"); + + var dup49 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var dup50 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); + + var dup51 = setc("ec_subject","NetworkComm"); + + var dup52 = setc("ec_activity","Deny"); + + var dup53 = setc("ec_theme","Communication"); + + var dup54 = 
setf("msg","$MSG"); + + var dup55 = setc("action","dropped"); + + var dup56 = setc("eventcategory","1608010000"); + + var dup57 = setc("eventcategory","1302010000"); + + var dup58 = setc("eventcategory","1301000000"); + + var dup59 = setc("eventcategory","1001000000"); + + var dup60 = setc("eventcategory","1003030000"); + + var dup61 = setc("eventcategory","1003050000"); + + var dup62 = setc("eventcategory","1103000000"); + + var dup63 = setc("eventcategory","1603110000"); + + var dup64 = setc("eventcategory","1605020000"); + + var dup65 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); + + var dup66 = match("MESSAGE#135:97:01/7_1", "nwparser.p0", "dstname=%{name->} "); + + var dup67 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup68 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{p0}"); + + var dup69 = match("MESSAGE#140:97:06/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + + var dup70 = setc("eventcategory","1801000000"); + + var dup71 = match("MESSAGE#145:98/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); + + var dup72 = match("MESSAGE#145:98/3_0", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + + var dup73 = match("MESSAGE#147:98:01/4_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); + + var dup74 = match("MESSAGE#147:98:01/4_2", "nwparser.p0", "%{saddr}dst=%{p0}"); + + var dup75 = match("MESSAGE#147:98:01/6_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var dup76 = match("MESSAGE#147:98:01/6_2", "nwparser.p0", " %{daddr->} %{p0}"); + + var dup77 = match("MESSAGE#148:98:06/5_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + + var dup78 = match("MESSAGE#148:98:06/5_3", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var dup79 = match("MESSAGE#149:98:02/4", 
"nwparser.p0", "%{}proto=%{protocol}"); + + var dup80 = match("MESSAGE#154:427/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); + + var dup81 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var dup82 = setf("id","hfld1"); + + var dup83 = setc("eventcategory","1001020309"); + + var dup84 = setc("eventcategory","1303000000"); + + var dup85 = setc("eventcategory","1801010100"); + + var dup86 = setc("eventcategory","1604010000"); + + var dup87 = setc("eventcategory","1002020000"); + + var dup88 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} npcs= %{p0}"); + + var dup89 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs= %{p0}"); + + var dup90 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{} %{info}"); + + var dup91 = setc("eventcategory","1001010000"); + + var dup92 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note= %{p0}"); + + var dup93 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note= %{p0}"); + + var dup94 = match("MESSAGE#256:180:01/4", "nwparser.p0", "%{}\"%{fld3}\" npcs=%{info}"); + + var dup95 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); + + var dup96 = match("MESSAGE#260:194/1_0", "nwparser.p0", "sent=%{sbytes->} "); + + var dup97 = match("MESSAGE#260:194/1_1", "nwparser.p0", " rcvd=%{rbytes}"); + + var dup98 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); + + var dup99 = match("MESSAGE#262:196/2", "nwparser.p0", "%{method}"); + + var dup100 = setc("eventcategory","1401060000"); + + var dup101 = setc("eventcategory","1804000000"); + + var dup102 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} 
src=%{p0}"); + + var dup103 = setc("eventcategory","1401070000"); + + var dup104 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); + + var dup105 = setc("eventcategory","1801030000"); + + var dup106 = setc("eventcategory","1402020300"); + + var dup107 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); + + var dup108 = match("MESSAGE#302:401/1_1", "nwparser.p0", " %{space}"); + + var dup109 = setc("eventcategory","1402000000"); + + var dup110 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); + + var dup111 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); + + var dup112 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); + + var dup113 = setc("eventcategory","1803020000"); + + var dup114 = match("MESSAGE#318:522:01/4", "nwparser.p0", "%{}proto=%{protocol->} npcs=%{info}"); + + var dup115 = match("MESSAGE#321:524/5_0", "nwparser.p0", "proto=%{protocol->} "); + + var dup116 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup117 = match("MESSAGE#332:537:08/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} appName=\"%{application}\"n=%{p0}"); + + var dup118 = match("MESSAGE#332:537:08/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); + + var dup119 = match("MESSAGE#332:537:08/0_2", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51}n=%{p0}"); + + var dup120 = match("MESSAGE#332:537:08/0_3", "nwparser.payload", "msg=\"%{event_description}\"n=%{p0}"); + + var dup121 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); + + var dup122 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", "%{fld1}src=%{p0}"); + + var dup123 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); + + var dup124 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + + var dup125 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", " proto=%{protocol->} sent=%{p0}"); + + var dup126 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); + + var dup127 = match("MESSAGE#333:537:09/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} %{p0}"); + + var dup128 = match("MESSAGE#333:537:09/5_1", "nwparser.p0", "%{sbytes->} %{p0}"); + + var dup129 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", " spkt=%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); + + var dup130 = match("MESSAGE#333:537:09/6_1", "nwparser.p0", "spkt=%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); + + var dup131 = match("MESSAGE#333:537:09/6_2", "nwparser.p0", "spkt=%{fld3->} cdur=%{fld7->} "); + + var dup132 = match("MESSAGE#333:537:09/6_3", "nwparser.p0", " spkt=%{fld3}"); + + var dup133 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup134 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); + + var dup135 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "%{fld2->} usr=\"%{username}\" %{p0}"); + + var dup136 = match("MESSAGE#338:537:10/1_1", "nwparser.p0", "%{fld2->} %{p0}"); + + var dup137 = match("MESSAGE#338:537:10/2", "nwparser.p0", "%{}src=%{p0}"); + + var dup138 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var dup139 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); + + var dup140 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info->} "); + + var dup141 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12->} "); + + var dup142 = setc("event_description","Connection Closed"); + + var dup143 = setc("eventcategory","1801020000"); + + var dup144 
= setc("ec_activity","Permit"); + + var dup145 = setc("action","allowed"); + + var dup146 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var dup147 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var dup148 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); + + var dup149 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); + + var dup150 = setc("eventcategory","1001030500"); + + var dup151 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); + + var dup152 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); + + var dup153 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var dup154 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var dup155 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); + + var dup156 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); + + var dup157 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); + + var dup158 = match("MESSAGE#366:712:02/5", "nwparser.p0", "%{fld51}"); + + var dup159 = setc("eventcategory","1801010000"); + + var dup160 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{p0}"); + + var dup161 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var dup162 = setc("eventcategory","1003010000"); + + var dup163 = setc("eventcategory","1609000000"); + + var dup164 = setc("eventcategory","1204000000"); + + var dup165 = 
setc("eventcategory","1602000000"); + + var dup166 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{} %{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); + + var dup167 = setc("eventcategory","1803000000"); + + var dup168 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var dup169 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=%{p0}"); + + var dup170 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{daddr}:%{dport->} note=%{p0}"); + + var dup171 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); + + var dup172 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); + + var dup173 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); + + var dup174 = linear_select([ + dup8, + dup9, + ]); + + var dup175 = linear_select([ + dup15, + dup16, + ]); + + var dup176 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, + ])); + + var dup177 = linear_select([ + dup25, + dup26, + ]); + + var dup178 = linear_select([ + dup27, + dup28, + ]); + + var dup179 = linear_select([ + dup34, + dup35, + ]); + + var dup180 = linear_select([ + dup25, + dup39, + ]); + + var dup181 = linear_select([ + dup41, + dup42, + ]); + + var dup182 = linear_select([ + dup46, + dup47, + ]); + + var dup183 = linear_select([ + dup49, + dup50, + ]); + + var dup184 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup62, + ])); + + var dup185 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup5, + ])); 
+ + var dup186 = linear_select([ + dup71, + dup75, + dup76, + ]); + + var dup187 = linear_select([ + dup8, + dup25, + ]); + + var dup188 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ + dup1, + ])); + + var dup189 = linear_select([ + dup88, + dup89, + ]); + + var dup190 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup5, + ])); + + var dup191 = linear_select([ + dup92, + dup93, + ]); + + var dup192 = linear_select([ + dup96, + dup97, + ]); + + var dup193 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup87, + ])); + + var dup194 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup87, + ])); + + var dup195 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup1, + ])); + + var dup196 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, + ])); + + var dup197 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, + ])); + + var dup198 = linear_select([ + dup66, + dup108, + ]); + + var dup199 = linear_select([ + dup110, + dup111, + ]); + + var dup200 = linear_select([ + dup115, + dup45, + ]); + + var dup201 = linear_select([ + dup8, + dup26, + ]); + + var dup202 = linear_select([ + dup8, + dup25, + dup39, + ]); + + var dup203 = linear_select([ + dup71, + dup15, + dup16, + ]); + + var dup204 = 
linear_select([ + dup121, + dup122, + ]); + + var dup205 = linear_select([ + dup68, + dup69, + dup74, + ]); + + var dup206 = linear_select([ + dup127, + dup128, + ]); + + var dup207 = linear_select([ + dup41, + dup42, + dup134, + ]); + + var dup208 = linear_select([ + dup135, + dup136, + ]); + + var dup209 = linear_select([ + dup138, + dup139, + ]); + + var dup210 = linear_select([ + dup140, + dup141, + ]); + + var dup211 = linear_select([ + dup49, + dup148, + ]); + + var dup212 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup150, + ])); + + var dup213 = linear_select([ + dup152, + dup40, + ]); + + var dup214 = linear_select([ + dup154, + dup155, + ]); + + var dup215 = linear_select([ + dup156, + dup157, + ]); + + var dup216 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup5, + ])); + + var dup217 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ + dup5, + ])); + + var dup218 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ + dup5, + dup23, + ])); + + var dup219 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, + ])); + + var dup220 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + dup23, + ])); + + var dup221 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup163, + dup37, + ])); + + var dup222 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} 
n=%{fld2}", processor_chain([ + dup1, + ])); + + var dup223 = linear_select([ + dup169, + dup170, + ]); + + var dup224 = linear_select([ + dup172, + dup173, + ]); + + var dup225 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup1, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var dup226 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var dup227 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup85, + ]), + }); + + var dup228 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup59, + ]), + }); + + var dup229 = all_match({ + processors: [ + dup95, + dup192, + ], + on_success: processor_chain([ + dup59, + ]), + }); + + var dup230 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup100, + ]), + }); + + var dup231 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup29, + ]), + }); + + var dup232 = all_match({ + processors: [ + dup102, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup103, + ]), + }); + + var dup233 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup106, + ]), + }); + + var dup234 = all_match({ + processors: [ + dup107, + dup198, + ], + on_success: processor_chain([ + dup87, + ]), + }); + + var dup235 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup109, + ]), + }); + + var dup236 = all_match({ + processors: [ + dup44, + dup179, + dup36, + dup178, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var dup237 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup175, + 
dup79, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var dup238 = all_match({ + processors: [ + dup151, + dup213, + dup153, + dup214, + dup215, + dup158, + ], + on_success: processor_chain([ + dup150, + dup51, + dup52, + dup53, + dup54, + dup37, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var dup239 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup191, + dup94, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var dup240 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var hdr1 = match("HEADER#0:0001", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0001"), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} %{messageid}= %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("= "), + field("payload"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0003"), + ])); + + var hdr4 = match("HEADER#3:0004", "message", "%{hfld20->} id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var part1 = match("MESSAGE#0:4", "nwparser.payload", "SonicWALL activated%{}", processor_chain([ + dup1, + ])); + + var msg1 = msg("4", part1); + + var part2 = 
match("MESSAGE#1:5", "nwparser.payload", "Log Cleared%{}", processor_chain([ + dup1, + ])); + + var msg2 = msg("5", part2); + + var part3 = match("MESSAGE#2:5:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg3 = msg("5:01", part3); + + var select2 = linear_select([ + msg2, + msg3, + ]); + + var part4 = match("MESSAGE#3:6", "nwparser.payload", "Log successfully sent via email%{}", processor_chain([ + dup1, + ])); + + var msg4 = msg("6", part4); + + var part5 = match("MESSAGE#4:6:01", "nwparser.payload", "msg=\"Log successfully sent via email\" n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg5 = msg("6:01", part5); + + var select3 = linear_select([ + msg4, + msg5, + ]); + + var part6 = match("MESSAGE#5:7", "nwparser.payload", "Log full; deactivating SonicWALL%{}", processor_chain([ + dup2, + ])); + + var msg6 = msg("7", part6); + + var part7 = match("MESSAGE#6:8", "nwparser.payload", "New Filter list loaded%{}", processor_chain([ + dup3, + ])); + + var msg7 = msg("8", part7); + + var part8 = match("MESSAGE#7:9", "nwparser.payload", "No new Filter list available%{}", processor_chain([ + dup4, + ])); + + var msg8 = msg("9", part8); + + var part9 = match("MESSAGE#8:10", "nwparser.payload", "Problem loading the Filter list; check Filter settings%{}", processor_chain([ + dup4, + ])); + + var msg9 = msg("10", part9); + + var part10 = match("MESSAGE#9:11", "nwparser.payload", "Problem loading the Filter list; check your DNS server%{}", processor_chain([ + dup4, + ])); + + var msg10 = msg("11", part10); + + var part11 = match("MESSAGE#10:12", "nwparser.payload", "Problem sending log email; check log settings%{}", processor_chain([ + dup5, + ])); + + var msg11 = msg("12", part11); + + var part12 = match("MESSAGE#11:12:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup5, + ])); + + var msg12 = msg("12:01", part12); + + var select4 = linear_select([ + msg11, + msg12, + ]); + + var part13 = 
match("MESSAGE#12:13", "nwparser.payload", "Restarting SonicWALL; dumping log to email%{}", processor_chain([ + dup1, + ])); + + var msg13 = msg("13", part13); + + var part14 = match("MESSAGE#13:14/0", "nwparser.payload", "%{} %{p0}"); + + var part15 = match("MESSAGE#13:14/1_0", "nwparser.p0", "msg=\"Web site access denied\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstname=%{dhost->} arg=%{fld2->} code=%{icmpcode->} "); + + var part16 = match("MESSAGE#13:14/1_1", "nwparser.p0", "Web site blocked %{}"); + + var select5 = linear_select([ + part15, + part16, + ]); + + var all1 = all_match({ + processors: [ + part14, + select5, + ], + on_success: processor_chain([ + dup6, + setc("action","Web site access denied"), + ]), + }); + + var msg14 = msg("14", all1); + + var part17 = match("MESSAGE#14:14:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} code= %{p0}"); + + var part18 = match("MESSAGE#14:14:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} code= %{p0}"); + + var select6 = linear_select([ + part17, + part18, + ]); + + var part19 = match("MESSAGE#14:14:01/4", "nwparser.p0", "%{} %{fld3->} Category=%{fld4->} npcs=%{info}"); + + var all2 = all_match({ + processors: [ + dup7, + dup174, + dup10, + select6, + part19, + ], + on_success: processor_chain([ + dup6, + ]), + }); + + var msg15 = msg("14:01", all2); + + var part20 = match("MESSAGE#15:14:02", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg16 = msg("14:02", part20); + + var part21 = match("MESSAGE#16:14:03", "nwparser.payload", "msg=\"%{msg}\" 
app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg17 = msg("14:03", part21); + + var part22 = match("MESSAGE#17:14:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg18 = msg("14:04", part22); + + var part23 = match("MESSAGE#18:14:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr}dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg19 = msg("14:05", part23); + + var select7 = linear_select([ + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + ]); + + var part24 = match("MESSAGE#19:15", "nwparser.payload", "Newsgroup blocked%{}", processor_chain([ + dup12, + ])); + + var msg20 = msg("15", part24); + + var part25 = match("MESSAGE#20:16", "nwparser.payload", "Web site accessed%{}", processor_chain([ + dup13, + ])); + + var msg21 = msg("16", part25); + + var part26 = match("MESSAGE#21:17", "nwparser.payload", "Newsgroup accessed%{}", processor_chain([ + dup13, + ])); + + var msg22 = msg("17", part26); + + var part27 = match("MESSAGE#22:18", "nwparser.payload", "ActiveX blocked%{}", 
processor_chain([ + dup12, + ])); + + var msg23 = msg("18", part27); + + var part28 = match("MESSAGE#23:19", "nwparser.payload", "Java blocked%{}", processor_chain([ + dup12, + ])); + + var msg24 = msg("19", part28); + + var part29 = match("MESSAGE#24:20", "nwparser.payload", "ActiveX or Java archive blocked%{}", processor_chain([ + dup12, + ])); + + var msg25 = msg("20", part29); + + var part30 = match("MESSAGE#25:21", "nwparser.payload", "Cookie removed%{}", processor_chain([ + dup1, + ])); + + var msg26 = msg("21", part30); + + var part31 = match("MESSAGE#26:22", "nwparser.payload", "Ping of death blocked%{}", processor_chain([ + dup14, + ])); + + var msg27 = msg("22", part31); + + var part32 = match("MESSAGE#27:23", "nwparser.payload", "IP spoof detected%{}", processor_chain([ + dup14, + ])); + + var msg28 = msg("23", part32); + + var part33 = match("MESSAGE#28:23:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part34 = match("MESSAGE#28:23:01/3_0", "nwparser.p0", "- MAC address: %{p0}"); + + var part35 = match("MESSAGE#28:23:01/3_1", "nwparser.p0", "mac= %{p0}"); + + var select8 = linear_select([ + part34, + part35, + ]); + + var part36 = match("MESSAGE#28:23:01/4", "nwparser.p0", "%{} %{smacaddr}"); + + var all3 = all_match({ + processors: [ + part33, + dup175, + dup10, + select8, + part36, + ], + on_success: processor_chain([ + dup14, + ]), + }); + + var msg29 = msg("23:01", all3); + + var part37 = match("MESSAGE#29:23:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} - MAC address: %{smacaddr}", processor_chain([ + dup14, + ])); + + var msg30 = msg("23:02", part37); + + var part38 = match("MESSAGE#30:23:03/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part39 = match("MESSAGE#30:23:03/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac= %{p0}"); + + var part40 = 
match("MESSAGE#30:23:03/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac= %{p0}"); + + var select9 = linear_select([ + part39, + part40, + ]); + + var part41 = match("MESSAGE#30:23:03/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}"); + + var all4 = all_match({ + processors: [ + part38, + select9, + part41, + ], + on_success: processor_chain([ + dup14, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg31 = msg("23:03", all4); + + var select10 = linear_select([ + msg28, + msg29, + msg30, + msg31, + ]); + + var part42 = match("MESSAGE#31:24", "nwparser.payload", "Illegal LAN address in use%{}", processor_chain([ + dup22, + ])); + + var msg32 = msg("24", part42); + + var msg33 = msg("24:01", dup176); + + var select11 = linear_select([ + msg32, + msg33, + ]); + + var part43 = match("MESSAGE#32:25", "nwparser.payload", "Possible SYN flood attack%{}", processor_chain([ + dup14, + ])); + + var msg34 = msg("25", part43); + + var part44 = match("MESSAGE#33:26", "nwparser.payload", "Probable SYN flood attack%{}", processor_chain([ + dup14, + ])); + + var msg35 = msg("26", part44); + + var part45 = match("MESSAGE#34:27", "nwparser.payload", "Land Attack Dropped%{}", processor_chain([ + dup14, + ])); + + var msg36 = msg("27", part45); + + var part46 = match("MESSAGE#35:28", "nwparser.payload", "Fragmented Packet Dropped%{}", processor_chain([ + dup14, + ])); + + var msg37 = msg("28", part46); + + var part47 = match("MESSAGE#36:28:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup14, + ])); + + var msg38 = msg("28:01", part47); + + var select12 = linear_select([ + msg37, + msg38, + ]); + + var part48 = match("MESSAGE#37:29", "nwparser.payload", "Successful administrator login%{}", processor_chain([ + dup24, + ])); + + var msg39 = msg("29", part48); + + var part49 = 
match("MESSAGE#38:29:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} usr=%{username->} src=%{p0}"); + + var all5 = all_match({ + processors: [ + part49, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup29, + ]), + }); + + var msg40 = msg("29:01", all5); + + var select13 = linear_select([ + msg39, + msg40, + ]); + + var part50 = match("MESSAGE#39:30", "nwparser.payload", "Administrator login failed - incorrect password%{}", processor_chain([ + dup30, + ])); + + var msg41 = msg("30", part50); + + var msg42 = msg("30:01", dup226); + + var select14 = linear_select([ + msg41, + msg42, + ]); + + var part51 = match("MESSAGE#41:31", "nwparser.payload", "Successful user login%{}", processor_chain([ + dup24, + ])); + + var msg43 = msg("31", part51); + + var all6 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup24, + ]), + }); + + var msg44 = msg("31:01", all6); + + var part52 = match("MESSAGE#43:31:02", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup24, + dup11, + ])); + + var msg45 = msg("31:02", part52); + + var part53 = match("MESSAGE#44:31:03", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration}n=%{fld1}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup24, + dup11, + ])); + + var msg46 = msg("31:03", part53); + + var part54 = match("MESSAGE#45:31:04", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup24, + dup11, + ])); + + var 
msg47 = msg("31:04", part54); + + var select15 = linear_select([ + msg43, + msg44, + msg45, + msg46, + msg47, + ]); + + var part55 = match("MESSAGE#46:32", "nwparser.payload", "User login failed - incorrect password%{}", processor_chain([ + dup30, + ])); + + var msg48 = msg("32", part55); + + var msg49 = msg("32:01", dup226); + + var select16 = linear_select([ + msg48, + msg49, + ]); + + var part56 = match("MESSAGE#48:33", "nwparser.payload", "Unknown user attempted to log in%{}", processor_chain([ + dup32, + ])); + + var msg50 = msg("33", part56); + + var all7 = all_match({ + processors: [ + dup33, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var msg51 = msg("33:01", all7); + + var select17 = linear_select([ + msg50, + msg51, + ]); + + var part57 = match("MESSAGE#50:34", "nwparser.payload", "Login screen timed out%{}", processor_chain([ + dup5, + ])); + + var msg52 = msg("34", part57); + + var part58 = match("MESSAGE#51:35", "nwparser.payload", "Attempted administrator login from WAN%{}", processor_chain([ + setc("eventcategory","1401040000"), + ])); + + var msg53 = msg("35", part58); + + var part59 = match("MESSAGE#52:35:01/3_1", "nwparser.p0", "%{daddr}"); + + var select18 = linear_select([ + dup27, + part59, + ]); + + var all8 = all_match({ + processors: [ + dup31, + dup177, + dup10, + select18, + ], + on_success: processor_chain([ + setc("eventcategory","1401050200"), + ]), + }); + + var msg54 = msg("35:01", all8); + + var select19 = linear_select([ + msg53, + msg54, + ]); + + var part60 = match("MESSAGE#53:36", "nwparser.payload", "TCP connection dropped%{}", processor_chain([ + dup5, + ])); + + var msg55 = msg("36", part60); + + var part61 = match("MESSAGE#54:36:01/0", "nwparser.payload", "msg=\"%{msg}\" %{p0}"); + + var part62 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{fld1->} src= %{p0}"); + + var part63 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", 
"n=%{fld1->} src= %{p0}"); + + var select20 = linear_select([ + part62, + part63, + ]); + + var part64 = match("MESSAGE#54:36:01/6_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\" "); + + var part65 = match("MESSAGE#54:36:01/6_1", "nwparser.p0", " rule=%{rule->} "); + + var part66 = match("MESSAGE#54:36:01/6_2", "nwparser.p0", " proto=%{protocol->} "); + + var select21 = linear_select([ + part64, + part65, + part66, + ]); + + var all9 = all_match({ + processors: [ + part61, + select20, + dup179, + dup36, + dup175, + dup10, + select21, + ], + on_success: processor_chain([ + dup5, + dup37, + ]), + }); + + var msg56 = msg("36:01", all9); + + var part67 = match("MESSAGE#55:36:02/5_0", "nwparser.p0", "rule=%{rule->} %{p0}"); + + var part68 = match("MESSAGE#55:36:02/5_1", "nwparser.p0", "proto=%{protocol->} %{p0}"); + + var select22 = linear_select([ + part67, + part68, + ]); + + var part69 = match("MESSAGE#55:36:02/6", "nwparser.p0", "%{}npcs=%{info}"); + + var all10 = all_match({ + processors: [ + dup38, + dup180, + dup10, + dup175, + dup10, + select22, + part69, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg57 = msg("36:02", all10); + + var select23 = linear_select([ + msg55, + msg56, + msg57, + ]); + + var part70 = match("MESSAGE#56:37", "nwparser.payload", "UDP packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg58 = msg("37", part70); + + var part71 = match("MESSAGE#57:37:01/0", "nwparser.payload", "msg=\"UDP packet dropped\" %{p0}"); + + var part72 = match("MESSAGE#57:37:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); + + var select24 = linear_select([ + part72, + dup40, + ]); + + var part73 = match("MESSAGE#57:37:01/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); + + var part74 = match("MESSAGE#57:37:01/3_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} %{p0}"); + + 
var part75 = match("MESSAGE#57:37:01/3_1", "nwparser.p0", "%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} %{p0}"); + + var part76 = match("MESSAGE#57:37:01/3_2", "nwparser.p0", "%{dport}:%{dinterface->} %{p0}"); + + var select25 = linear_select([ + part74, + part75, + part76, + ]); + + var part77 = match("MESSAGE#57:37:01/4_0", "nwparser.p0", "proto=%{protocol->} fw_action=\"%{fld3}\" "); + + var part78 = match("MESSAGE#57:37:01/4_1", "nwparser.p0", " rule=%{rule}"); + + var select26 = linear_select([ + part77, + part78, + ]); + + var all11 = all_match({ + processors: [ + part71, + select24, + part73, + select25, + select26, + ], + on_success: processor_chain([ + dup5, + dup37, + ]), + }); + + var msg59 = msg("37:01", all11); + + var part79 = match("MESSAGE#58:37:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} rule=%{rule}", processor_chain([ + dup5, + ])); + + var msg60 = msg("37:02", part79); + + var all12 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup181, + dup43, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg61 = msg("37:03", all12); + + var part80 = match("MESSAGE#60:37:04", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup5, + dup11, + ])); + + var msg62 = msg("37:04", part80); + + var select27 = linear_select([ + msg58, + msg59, + msg60, + msg61, + msg62, + ]); + + var part81 = match("MESSAGE#61:38", "nwparser.payload", "ICMP packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg63 = msg("38", part81); + + var part82 = match("MESSAGE#62:38:01/5_0", "nwparser.p0", "type=%{type->} code=%{code->} "); + + var select28 = linear_select([ + part82, + dup45, + ]); + + var all13 = all_match({ + processors: [ + dup44, + dup179, + dup36, + dup175, + dup10, + select28, 
+ ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg64 = msg("38:01", all13); + + var part83 = match("MESSAGE#63:38:02/4", "nwparser.p0", "%{} %{fld3->} icmpCode=%{fld4->} npcs=%{info}"); + + var all14 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup182, + part83, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg65 = msg("38:02", all14); + + var part84 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", "%{event_description}\" app=%{fld2->} appName=\"%{application}\"%{p0}"); + + var part85 = match("MESSAGE#64:38:03/1_1", "nwparser.p0", "%{event_description}\"%{p0}"); + + var select29 = linear_select([ + part84, + part85, + ]); + + var part86 = match("MESSAGE#64:38:03/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part87 = match("MESSAGE#64:38:03/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\""); + + var all15 = all_match({ + processors: [ + dup48, + select29, + part86, + dup183, + part87, + ], + on_success: processor_chain([ + dup5, + dup11, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg66 = msg("38:03", all15); + + var select30 = linear_select([ + msg63, + msg64, + msg65, + msg66, + ]); + + var part88 = match("MESSAGE#65:39", "nwparser.payload", "PPTP packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg67 = msg("39", part88); + + var part89 = match("MESSAGE#66:40", "nwparser.payload", "IPSec packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg68 = msg("40", part89); + + var part90 = match("MESSAGE#67:41:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=\"IP Protocol: %{dclass_counter1}\"", processor_chain([ + dup5, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + 
var msg69 = msg("41:01", part90); + + var part91 = match("MESSAGE#68:41:02", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport}:%{sinterface->} dst=%{dtransaddr}:%{dtransport}::%{dinterface}", processor_chain([ + dup5, + ])); + + var msg70 = msg("41:02", part91); + + var part92 = match("MESSAGE#69:41:03", "nwparser.payload", "Unknown protocol dropped%{}", processor_chain([ + dup5, + ])); + + var msg71 = msg("41:03", part92); + + var select31 = linear_select([ + msg69, + msg70, + msg71, + ]); + + var part93 = match("MESSAGE#70:42", "nwparser.payload", "IPSec packet dropped; waiting for pending IPSec connection%{}", processor_chain([ + dup5, + ])); + + var msg72 = msg("42", part93); + + var part94 = match("MESSAGE#71:43", "nwparser.payload", "IPSec connection interrupt%{}", processor_chain([ + dup5, + ])); + + var msg73 = msg("43", part94); + + var part95 = match("MESSAGE#72:44", "nwparser.payload", "NAT could not remap incoming packet%{}", processor_chain([ + dup5, + ])); + + var msg74 = msg("44", part95); + + var part96 = match("MESSAGE#73:45", "nwparser.payload", "ARP timeout%{}", processor_chain([ + dup5, + ])); + + var msg75 = msg("45", part96); + + var part97 = match("MESSAGE#74:45:01", "nwparser.payload", "msg=\"ARP timeout\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup5, + ])); + + var msg76 = msg("45:01", part97); + + var part98 = match("MESSAGE#75:45:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} npcs=%{info}", processor_chain([ + dup5, + ])); + + var msg77 = msg("45:02", part98); + + var select32 = linear_select([ + msg75, + msg76, + msg77, + ]); + + var part99 = match("MESSAGE#76:46:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ + dup5, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + 
dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg78 = msg("46:01", part99); + + var part100 = match("MESSAGE#77:46:02", "nwparser.payload", "msg=\"Broadcast packet dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup5, + ])); + + var msg79 = msg("46:02", part100); + + var part101 = match("MESSAGE#78:46", "nwparser.payload", "Broadcast packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg80 = msg("46", part101); + + var part102 = match("MESSAGE#79:46:03/0", "nwparser.payload", "msg=\"Broadcast packet dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var all16 = all_match({ + processors: [ + part102, + dup174, + dup10, + dup181, + dup43, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg81 = msg("46:03", all16); + + var select33 = linear_select([ + msg78, + msg79, + msg80, + msg81, + ]); + + var part103 = match("MESSAGE#80:47", "nwparser.payload", "No ICMP redirect sent%{}", processor_chain([ + dup5, + ])); + + var msg82 = msg("47", part103); + + var part104 = match("MESSAGE#81:48", "nwparser.payload", "Out-of-order command packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg83 = msg("48", part104); + + var part105 = match("MESSAGE#82:49", "nwparser.payload", "Failure to add data channel%{}", processor_chain([ + dup5, + ])); + + var msg84 = msg("49", part105); + + var part106 = match("MESSAGE#83:50", "nwparser.payload", "RealAudio decode failure%{}", processor_chain([ + dup5, + ])); + + var msg85 = msg("50", part106); + + var part107 = match("MESSAGE#84:51", "nwparser.payload", "Duplicate packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg86 = msg("51", part107); + + var part108 = match("MESSAGE#85:52", "nwparser.payload", "No HOST tag found in HTTP request%{}", processor_chain([ + dup5, + ])); + + var msg87 = msg("52", part108); + + var part109 = match("MESSAGE#86:53", "nwparser.payload", "The cache is full; 
too many open connections; some will be dropped%{}", processor_chain([ + dup2, + ])); + + var msg88 = msg("53", part109); + + var part110 = match("MESSAGE#87:58", "nwparser.payload", "License exceeded: Connection dropped because too many IP addresses are in use on your LAN%{}", processor_chain([ + dup56, + ])); + + var msg89 = msg("58", part110); + + var part111 = match("MESSAGE#88:60", "nwparser.payload", "Access to Proxy Server Blocked%{}", processor_chain([ + dup12, + ])); + + var msg90 = msg("60", part111); + + var part112 = match("MESSAGE#89:61", "nwparser.payload", "Diagnostic Code E%{}", processor_chain([ + dup1, + ])); + + var msg91 = msg("61", part112); + + var part113 = match("MESSAGE#90:62", "nwparser.payload", "Dynamic IPSec client connected%{}", processor_chain([ + dup57, + ])); + + var msg92 = msg("62", part113); + + var part114 = match("MESSAGE#91:63", "nwparser.payload", "IPSec packet too big%{}", processor_chain([ + dup58, + ])); + + var msg93 = msg("63", part114); + + var part115 = match("MESSAGE#92:63:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup58, + ])); + + var msg94 = msg("63:01", part115); + + var select34 = linear_select([ + msg93, + msg94, + ]); + + var part116 = match("MESSAGE#93:64", "nwparser.payload", "Diagnostic Code D%{}", processor_chain([ + dup1, + ])); + + var msg95 = msg("64", part116); + + var part117 = match("MESSAGE#94:65", "nwparser.payload", "Illegal IPSec SPI%{}", processor_chain([ + dup58, + ])); + + var msg96 = msg("65", part117); + + var part118 = match("MESSAGE#95:66", "nwparser.payload", "Unknown IPSec SPI%{}", processor_chain([ + dup58, + ])); + + var msg97 = msg("66", part118); + + var part119 = match("MESSAGE#96:67", "nwparser.payload", "IPSec Authentication Failed%{}", processor_chain([ + dup58, + ])); + + var msg98 = msg("67", part119); + + var all17 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ 
+ dup58, + ]), + }); + + var msg99 = msg("67:01", all17); + + var select35 = linear_select([ + msg98, + msg99, + ]); + + var part120 = match("MESSAGE#98:68", "nwparser.payload", "IPSec Decryption Failed%{}", processor_chain([ + dup58, + ])); + + var msg100 = msg("68", part120); + + var part121 = match("MESSAGE#99:69", "nwparser.payload", "Incompatible IPSec Security Association%{}", processor_chain([ + dup58, + ])); + + var msg101 = msg("69", part121); + + var part122 = match("MESSAGE#100:70", "nwparser.payload", "IPSec packet from illegal host%{}", processor_chain([ + dup58, + ])); + + var msg102 = msg("70", part122); + + var part123 = match("MESSAGE#101:70:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} %{p0}"); + + var part124 = match("MESSAGE#101:70:01/1_0", "nwparser.p0", "dst=%{daddr->} "); + + var part125 = match("MESSAGE#101:70:01/1_1", "nwparser.p0", " dstname=%{name}"); + + var select36 = linear_select([ + part124, + part125, + ]); + + var all18 = all_match({ + processors: [ + part123, + select36, + ], + on_success: processor_chain([ + dup58, + ]), + }); + + var msg103 = msg("70:01", all18); + + var select37 = linear_select([ + msg102, + msg103, + ]); + + var part126 = match("MESSAGE#102:72", "nwparser.payload", "NetBus Attack Dropped%{}", processor_chain([ + dup59, + ])); + + var msg104 = msg("72", part126); + + var part127 = match("MESSAGE#103:72:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup59, + ])); + + var msg105 = msg("72:01", part127); + + var select38 = linear_select([ + msg104, + msg105, + ]); + + var part128 = match("MESSAGE#104:73", "nwparser.payload", "Back Orifice Attack Dropped%{}", processor_chain([ + dup60, + ])); + + var msg106 = msg("73", part128); + + var part129 = match("MESSAGE#105:74", "nwparser.payload", "Net Spy Attack Dropped%{}", processor_chain([ + dup61, + ])); + + var msg107 = msg("74", part129); + + 
var part130 = match("MESSAGE#106:75", "nwparser.payload", "Sub Seven Attack Dropped%{}", processor_chain([ + dup60, + ])); + + var msg108 = msg("75", part130); + + var part131 = match("MESSAGE#107:76", "nwparser.payload", "Ripper Attack Dropped%{}", processor_chain([ + dup59, + ])); + + var msg109 = msg("76", part131); + + var part132 = match("MESSAGE#108:77", "nwparser.payload", "Striker Attack Dropped%{}", processor_chain([ + dup59, + ])); + + var msg110 = msg("77", part132); + + var part133 = match("MESSAGE#109:78", "nwparser.payload", "Senna Spy Attack Dropped%{}", processor_chain([ + dup61, + ])); + + var msg111 = msg("78", part133); + + var part134 = match("MESSAGE#110:79", "nwparser.payload", "Priority Attack Dropped%{}", processor_chain([ + dup59, + ])); + + var msg112 = msg("79", part134); + + var part135 = match("MESSAGE#111:80", "nwparser.payload", "Ini Killer Attack Dropped%{}", processor_chain([ + dup59, + ])); + + var msg113 = msg("80", part135); + + var part136 = match("MESSAGE#112:81", "nwparser.payload", "Smurf Amplification Attack Dropped%{}", processor_chain([ + dup14, + ])); + + var msg114 = msg("81", part136); + + var part137 = match("MESSAGE#113:82", "nwparser.payload", "Possible Port Scan%{}", processor_chain([ + dup62, + ])); + + var msg115 = msg("82", part137); + + var part138 = match("MESSAGE#114:82:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{info}\"", processor_chain([ + dup62, + ])); + + var msg116 = msg("82:02", part138); + + var part139 = match("MESSAGE#115:82:03", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ + dup62, + ])); + + var msg117 = msg("82:03", part139); + + var msg118 = msg("82:01", dup184); + + var select39 = linear_select([ + msg115, + msg116, + msg117, + msg118, + ]); + + var part140 = 
match("MESSAGE#117:83", "nwparser.payload", "Probable Port Scan%{}", processor_chain([ + dup62, + ])); + + var msg119 = msg("83", part140); + + var msg120 = msg("83:01", dup185); + + var part141 = match("MESSAGE#119:83:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ + dup5, + ])); + + var msg121 = msg("83:02", part141); + + var select40 = linear_select([ + msg119, + msg120, + msg121, + ]); + + var part142 = match("MESSAGE#120:84/0_0", "nwparser.payload", "msg=\"Failed to resolve name\" n=%{fld1->} dstname=%{dhost}"); + + var part143 = match("MESSAGE#120:84/0_1", "nwparser.payload", "Failed to resolve name%{}"); + + var select41 = linear_select([ + part142, + part143, + ]); + + var all19 = all_match({ + processors: [ + select41, + ], + on_success: processor_chain([ + dup63, + setc("action","Failed to resolve name"), + ]), + }); + + var msg122 = msg("84", all19); + + var part144 = match("MESSAGE#121:87", "nwparser.payload", "IKE Responder: Accepting IPSec proposal%{}", processor_chain([ + dup64, + ])); + + var msg123 = msg("87", part144); + + var part145 = match("MESSAGE#122:87:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup64, + ])); + + var msg124 = msg("87:01", part145); + + var select42 = linear_select([ + msg123, + msg124, + ]); + + var part146 = match("MESSAGE#123:88", "nwparser.payload", "IKE Responder: IPSec proposal not acceptable%{}", processor_chain([ + dup58, + ])); + + var msg125 = msg("88", part146); + + var part147 = match("MESSAGE#124:88:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup58, + ])); + + var msg126 = msg("88:01", part147); + + var select43 = linear_select([ + msg125, + msg126, + ]); + + var part148 = match("MESSAGE#125:89", "nwparser.payload", "IKE negotiation complete. 
Adding IPSec SA%{}", processor_chain([ + dup64, + ])); + + var msg127 = msg("89", part148); + + var part149 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} %{p0}"); + + var part150 = match("MESSAGE#126:89:01/1_0", "nwparser.p0", "src=%{saddr}:::%{sinterface->} dst=%{daddr}:::%{dinterface->} "); + + var part151 = match("MESSAGE#126:89:01/1_1", "nwparser.p0", " src=%{saddr->} dst=%{daddr->} dstname=%{name}"); + + var select44 = linear_select([ + part150, + part151, + ]); + + var all20 = all_match({ + processors: [ + part149, + select44, + ], + on_success: processor_chain([ + dup64, + ]), + }); + + var msg128 = msg("89:01", all20); + + var select45 = linear_select([ + msg127, + msg128, + ]); + + var part152 = match("MESSAGE#127:90", "nwparser.payload", "Starting IKE negotiation%{}", processor_chain([ + dup64, + ])); + + var msg129 = msg("90", part152); + + var part153 = match("MESSAGE#128:91", "nwparser.payload", "Deleting IPSec SA for destination%{}", processor_chain([ + dup64, + ])); + + var msg130 = msg("91", part153); + + var part154 = match("MESSAGE#129:92", "nwparser.payload", "Deleting IPSec SA%{}", processor_chain([ + dup64, + ])); + + var msg131 = msg("92", part154); + + var part155 = match("MESSAGE#130:93", "nwparser.payload", "Diagnostic Code A%{}", processor_chain([ + dup1, + ])); + + var msg132 = msg("93", part155); + + var part156 = match("MESSAGE#131:94", "nwparser.payload", "Diagnostic Code B%{}", processor_chain([ + dup1, + ])); + + var msg133 = msg("94", part156); + + var part157 = match("MESSAGE#132:95", "nwparser.payload", "Diagnostic Code C%{}", processor_chain([ + dup1, + ])); + + var msg134 = msg("95", part157); + + var part158 = match("MESSAGE#133:96", "nwparser.payload", "Status%{}", processor_chain([ + dup1, + ])); + + var msg135 = msg("96", part158); + + var part159 = match("MESSAGE#134:97", "nwparser.payload", "Web site hit%{}", processor_chain([ + dup1, + ])); + + var msg136 = msg("97", part159); + + var 
part160 = match("MESSAGE#135:97:01/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld->} %{p0}"); + + var part161 = match("MESSAGE#135:97:01/5_0", "nwparser.p0", "rcvd=%{rbytes->} %{p0}"); + + var part162 = match("MESSAGE#135:97:01/5_1", "nwparser.p0", "sent=%{sbytes->} %{p0}"); + + var select46 = linear_select([ + part161, + part162, + ]); + + var part163 = match("MESSAGE#135:97:01/7_0", "nwparser.p0", "result=%{result->} dstname=%{name->} "); + + var select47 = linear_select([ + part163, + dup66, + ]); + + var all21 = all_match({ + processors: [ + dup65, + dup179, + dup36, + dup175, + part160, + select46, + dup10, + select47, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg137 = msg("97:01", all21); + + var part164 = match("MESSAGE#136:97:02/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld->} result=%{result}"); + + var all22 = all_match({ + processors: [ + dup65, + dup179, + dup36, + dup175, + part164, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg138 = msg("97:02", all22); + + var part165 = match("MESSAGE#137:97:03/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld3->} sent=%{sbytes->} rcvd=%{rbytes->} %{p0}"); + + var part166 = match("MESSAGE#137:97:03/5_0", "nwparser.p0", "result=%{result->} dstname=%{name->} %{p0}"); + + var part167 = match("MESSAGE#137:97:03/5_1", "nwparser.p0", "dstname=%{name->} %{p0}"); + + var select48 = linear_select([ + part166, + part167, + ]); + + var part168 = match("MESSAGE#137:97:03/6", "nwparser.p0", "%{}arg=%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); + + var all23 = all_match({ + processors: [ + dup67, + dup179, + dup36, + dup175, + part165, + select48, + part168, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg139 = msg("97:03", all23); + + var part169 = match("MESSAGE#138:97:04/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld3->} %{p0}"); + + var part170 = match("MESSAGE#138:97:04/5_0", "nwparser.p0", "result=%{result->} 
dstname=%{name->} arg= %{p0}"); + + var part171 = match("MESSAGE#138:97:04/5_1", "nwparser.p0", "dstname=%{name->} arg= %{p0}"); + + var select49 = linear_select([ + part170, + part171, + ]); + + var part172 = match("MESSAGE#138:97:04/6", "nwparser.p0", "%{} %{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); + + var all24 = all_match({ + processors: [ + dup67, + dup179, + dup36, + dup175, + part169, + select49, + part172, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg140 = msg("97:04", all24); + + var part173 = match("MESSAGE#139:97:05/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld2->} dstname=%{name->} arg=%{fld3->} code=%{fld4->} Category=%{category}"); + + var all25 = all_match({ + processors: [ + dup65, + dup179, + dup36, + dup175, + part173, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg141 = msg("97:05", all25); + + var part174 = match("MESSAGE#140:97:06/0", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{p0}"); + + var select50 = linear_select([ + dup68, + dup69, + ]); + + var part175 = match("MESSAGE#140:97:06/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); + + var all26 = all_match({ + processors: [ + part174, + select50, + part175, + ], + on_success: processor_chain([ + dup70, + dup11, + ]), + }); + + var msg142 = msg("97:06", all26); + + var part176 = match("MESSAGE#141:97:07/0", "nwparser.payload", "app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); + + var part177 = match("MESSAGE#141:97:07/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{fld3->} srcMac=%{p0}"); + + var select51 = linear_select([ + part177, + dup49, + ]); + + var part178 = match("MESSAGE#141:97:07/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} 
proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); + + var all27 = all_match({ + processors: [ + part176, + select51, + part178, + ], + on_success: processor_chain([ + dup70, + dup11, + ]), + }); + + var msg143 = msg("97:07", all27); + + var part179 = match("MESSAGE#142:97:08", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup70, + dup11, + ])); + + var msg144 = msg("97:08", part179); + + var part180 = match("MESSAGE#143:97:09", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup70, + dup11, + ])); + + var msg145 = msg("97:09", part180); + + var part181 = match("MESSAGE#144:97:10", "nwparser.payload", "app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup70, + dup11, + ])); + + var msg146 = msg("97:10", part181); + + var select52 = linear_select([ + msg136, + msg137, + msg138, + msg139, + msg140, + msg141, + msg142, + msg143, + msg144, + msg145, + msg146, + ]); + + var part182 = match("MESSAGE#145:98/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2->} 
appName=\"%{application}\"%{p0}"); + + var part183 = match("MESSAGE#145:98/0_1", "nwparser.payload", " msg=\"%{event_description}\"%{p0}"); + + var select53 = linear_select([ + part182, + part183, + ]); + + var part184 = match("MESSAGE#145:98/1", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); + + var part185 = match("MESSAGE#145:98/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} %{p0}"); + + var select54 = linear_select([ + part185, + dup71, + ]); + + var part186 = match("MESSAGE#145:98/3_1", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} "); + + var part187 = match("MESSAGE#145:98/3_2", "nwparser.p0", " proto=%{protocol}"); + + var select55 = linear_select([ + dup72, + part186, + part187, + ]); + + var all28 = all_match({ + processors: [ + select53, + part184, + select54, + select55, + ], + on_success: processor_chain([ + dup70, + dup51, + setc("ec_activity","Stop"), + dup53, + dup54, + dup11, + setc("action","Opened"), + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg147 = msg("98", all28); + + var part188 = match("MESSAGE#146:98:07", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{protocol}/%{fld4->} sent=%{sbytes->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg148 = msg("98:07", part188); + + var part189 = match("MESSAGE#147:98:01/1_0", "nwparser.p0", "%{msg}\" app=%{fld2->} sess=\"%{fld3}\"%{p0}"); + + var part190 = match("MESSAGE#147:98:01/1_1", "nwparser.p0", "%{msg}\"%{p0}"); + + var select56 = linear_select([ + part189, + part190, + ]); + + var part191 = match("MESSAGE#147:98:01/2", "nwparser.p0", "%{}n=%{p0}"); + + var part192 = match("MESSAGE#147:98:01/3_0", "nwparser.p0", "%{fld1->} usr=%{username->} src=%{p0}"); + + var part193 = 
match("MESSAGE#147:98:01/3_1", "nwparser.p0", "%{fld1->} src=%{p0}"); + + var select57 = linear_select([ + part192, + part193, + ]); + + var select58 = linear_select([ + dup73, + dup69, + dup74, + ]); + + var part194 = match("MESSAGE#147:98:01/7_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + + var part195 = match("MESSAGE#147:98:01/7_1", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} "); + + var part196 = match("MESSAGE#147:98:01/7_2", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); + + var part197 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", " proto=%{protocol->} sent=%{sbytes}"); + + var part198 = match("MESSAGE#147:98:01/7_5", "nwparser.p0", "proto=%{protocol}"); + + var select59 = linear_select([ + part194, + part195, + part196, + dup72, + part197, + part198, + ]); + + var all29 = all_match({ + processors: [ + dup48, + select56, + part191, + select57, + select58, + dup10, + dup186, + select59, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg149 = msg("98:01", all29); + + var part199 = match("MESSAGE#148:98:06/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2->} appName=\"%{application}\" %{p0}"); + + var part200 = match("MESSAGE#148:98:06/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2->} %{p0}"); + + var part201 = match("MESSAGE#148:98:06/0_2", "nwparser.payload", " msg=\"%{event_description}\" sess=%{fld2->} %{p0}"); + + var select60 = linear_select([ + part199, + part200, + part201, + ]); + + var part202 = match("MESSAGE#148:98:06/1_0", "nwparser.p0", "n=%{fld1->} usr=%{username->} %{p0}"); + + var part203 = match("MESSAGE#148:98:06/1_1", "nwparser.p0", " n=%{fld1->} %{p0}"); + + var select61 = linear_select([ + part202, + part203, + ]); + + var part204 = match("MESSAGE#148:98:06/2", "nwparser.p0", "%{}src= %{p0}"); + + var part205 = 
match("MESSAGE#148:98:06/5_0", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part206 = match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var select62 = linear_select([ + part205, + part206, + dup77, + dup78, + ]); + + var part207 = match("MESSAGE#148:98:06/6", "nwparser.p0", "%{protocol->} %{p0}"); + + var part208 = match("MESSAGE#148:98:06/7_0", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); + + var part209 = match("MESSAGE#148:98:06/7_1", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=%{action}"); + + var part210 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "sent=%{sbytes->} fw_action=\"%{action}\""); + + var part211 = match("MESSAGE#148:98:06/7_3", "nwparser.p0", "sent=%{sbytes}"); + + var part212 = match("MESSAGE#148:98:06/7_4", "nwparser.p0", "fw_action=\"%{action}\""); + + var select63 = linear_select([ + part208, + part209, + part210, + part211, + part212, + ]); + + var all30 = all_match({ + processors: [ + select60, + select61, + part204, + dup187, + dup10, + select62, + part207, + select63, + ], + on_success: processor_chain([ + dup70, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg150 = msg("98:06", all30); + + var part213 = match("MESSAGE#149:98:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=%{username->} src=%{p0}"); + + var all31 = all_match({ + processors: [ + part213, + dup177, + dup10, + dup175, + dup79, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg151 = msg("98:02", all31); + + var part214 = match("MESSAGE#150:98:03/0_0", "nwparser.payload", "Connection %{}"); + + var part215 = match("MESSAGE#150:98:03/0_1", "nwparser.payload", " msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} "); + + var select64 = linear_select([ + part214, + part215, + ]); + + var all32 = 
all_match({ + processors: [ + select64, + ], + on_success: processor_chain([ + dup1, + dup37, + ]), + }); + + var msg152 = msg("98:03", all32); + + var part216 = match("MESSAGE#151:98:04/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes->} vpnpolicy=\"%{policyname}\" npcs=%{info}"); + + var all33 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup175, + part216, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg153 = msg("98:04", all33); + + var part217 = match("MESSAGE#152:98:05/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes->} npcs=%{info}"); + + var all34 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup175, + part217, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg154 = msg("98:05", all34); + + var select65 = linear_select([ + msg147, + msg148, + msg149, + msg150, + msg151, + msg152, + msg153, + msg154, + ]); + + var part218 = match("MESSAGE#153:986", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup30, + dup11, + ])); + + var msg155 = msg("986", part218); + + var part219 = match("MESSAGE#154:427/4", "nwparser.p0", "%{}note=\"%{event_description}\""); + + var all35 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup175, + part219, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg156 = msg("427", all35); + + var part220 = match("MESSAGE#155:428/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); + + var all36 = all_match({ + processors: [ + dup81, + dup183, + part220, + ], + on_success: processor_chain([ + dup22, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg157 = msg("428", all36); + + var part221 = match("MESSAGE#156:99", "nwparser.payload", 
"Retransmitting DHCP DISCOVER.%{}", processor_chain([ + dup64, + ])); + + var msg158 = msg("99", part221); + + var part222 = match("MESSAGE#157:100", "nwparser.payload", "Retransmitting DHCP REQUEST (Requesting).%{}", processor_chain([ + dup64, + ])); + + var msg159 = msg("100", part222); + + var part223 = match("MESSAGE#158:101", "nwparser.payload", "Retransmitting DHCP REQUEST (Renewing).%{}", processor_chain([ + dup64, + ])); + + var msg160 = msg("101", part223); + + var part224 = match("MESSAGE#159:102", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebinding).%{}", processor_chain([ + dup64, + ])); + + var msg161 = msg("102", part224); + + var part225 = match("MESSAGE#160:103", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebooting).%{}", processor_chain([ + dup64, + ])); + + var msg162 = msg("103", part225); + + var part226 = match("MESSAGE#161:104", "nwparser.payload", "Retransmitting DHCP REQUEST (Verifying).%{}", processor_chain([ + dup64, + ])); + + var msg163 = msg("104", part226); + + var part227 = match("MESSAGE#162:105", "nwparser.payload", "Sending DHCP DISCOVER.%{}", processor_chain([ + dup64, + ])); + + var msg164 = msg("105", part227); + + var part228 = match("MESSAGE#163:106", "nwparser.payload", "DHCP Server not available. Did not get any DHCP OFFER.%{}", processor_chain([ + dup63, + ])); + + var msg165 = msg("106", part228); + + var part229 = match("MESSAGE#164:107", "nwparser.payload", "Got DHCP OFFER. 
Selecting.%{}", processor_chain([ + dup64, + ])); + + var msg166 = msg("107", part229); + + var part230 = match("MESSAGE#165:108", "nwparser.payload", "Sending DHCP REQUEST.%{}", processor_chain([ + dup64, + ])); + + var msg167 = msg("108", part230); + + var part231 = match("MESSAGE#166:109", "nwparser.payload", "DHCP Client did not get DHCP ACK.%{}", processor_chain([ + dup63, + ])); + + var msg168 = msg("109", part231); + + var part232 = match("MESSAGE#167:110", "nwparser.payload", "DHCP Client got NACK.%{}", processor_chain([ + dup64, + ])); + + var msg169 = msg("110", part232); + + var msg170 = msg("111:01", dup188); + + var part233 = match("MESSAGE#169:111", "nwparser.payload", "DHCP Client got ACK from server.%{}", processor_chain([ + dup64, + ])); + + var msg171 = msg("111", part233); + + var select66 = linear_select([ + msg170, + msg171, + ]); + + var part234 = match("MESSAGE#170:112", "nwparser.payload", "DHCP Client is declining address offered by the server.%{}", processor_chain([ + dup64, + ])); + + var msg172 = msg("112", part234); + + var part235 = match("MESSAGE#171:113", "nwparser.payload", "DHCP Client sending REQUEST and going to REBIND state.%{}", processor_chain([ + dup64, + ])); + + var msg173 = msg("113", part235); + + var part236 = match("MESSAGE#172:114", "nwparser.payload", "DHCP Client sending REQUEST and going to RENEW state.%{}", processor_chain([ + dup64, + ])); + + var msg174 = msg("114", part236); + + var msg175 = msg("115:01", dup188); + + var part237 = match("MESSAGE#174:115", "nwparser.payload", "Sending DHCP REQUEST (Renewing).%{}", processor_chain([ + dup64, + ])); + + var msg176 = msg("115", part237); + + var select67 = linear_select([ + msg175, + msg176, + ]); + + var part238 = match("MESSAGE#175:116", "nwparser.payload", "Sending DHCP REQUEST (Rebinding).%{}", processor_chain([ + dup64, + ])); + + var msg177 = msg("116", part238); + + var part239 = match("MESSAGE#176:117", "nwparser.payload", "Sending DHCP REQUEST 
(Rebooting).%{}", processor_chain([ + dup64, + ])); + + var msg178 = msg("117", part239); + + var part240 = match("MESSAGE#177:118", "nwparser.payload", "Sending DHCP REQUEST (Verifying).%{}", processor_chain([ + dup64, + ])); + + var msg179 = msg("118", part240); + + var part241 = match("MESSAGE#178:119", "nwparser.payload", "DHCP Client failed to verify and lease has expired. Go to INIT state.%{}", processor_chain([ + dup63, + ])); + + var msg180 = msg("119", part241); + + var part242 = match("MESSAGE#179:120", "nwparser.payload", "DHCP Client failed to verify and lease is still valid. Go to BOUND state.%{}", processor_chain([ + dup63, + ])); + + var msg181 = msg("120", part242); + + var part243 = match("MESSAGE#180:121", "nwparser.payload", "DHCP Client got a new IP address lease.%{}", processor_chain([ + dup64, + ])); + + var msg182 = msg("121", part243); + + var part244 = match("MESSAGE#181:122", "nwparser.payload", "Access attempt from host without Anti-Virus agent installed%{}", processor_chain([ + dup63, + ])); + + var msg183 = msg("122", part244); + + var part245 = match("MESSAGE#182:123", "nwparser.payload", "Anti-Virus agent out-of-date on host%{}", processor_chain([ + dup63, + ])); + + var msg184 = msg("123", part245); + + var part246 = match("MESSAGE#183:124", "nwparser.payload", "Received AV Alert: %s%{}", processor_chain([ + dup64, + ])); + + var msg185 = msg("124", part246); + + var part247 = match("MESSAGE#184:125", "nwparser.payload", "Unused AV log entry.%{}", processor_chain([ + dup64, + ])); + + var msg186 = msg("125", part247); + + var part248 = match("MESSAGE#185:1254", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup83, + dup11, + ])); + + var msg187 = msg("1254", part248); + + 
var part249 = match("MESSAGE#186:1256", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup70, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var msg188 = msg("1256", part249); + + var part250 = match("MESSAGE#187:1257", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup83, + dup11, + ])); + + var msg189 = msg("1257", part250); + + var part251 = match("MESSAGE#188:126", "nwparser.payload", "Starting PPPoE discovery%{}", processor_chain([ + dup64, + ])); + + var msg190 = msg("126", part251); + + var part252 = match("MESSAGE#189:127", "nwparser.payload", "PPPoE LCP Link Up%{}", processor_chain([ + dup64, + ])); + + var msg191 = msg("127", part252); + + var part253 = match("MESSAGE#190:128", "nwparser.payload", "PPPoE LCP Link Down%{}", processor_chain([ + dup5, + ])); + + var msg192 = msg("128", part253); + + var part254 = match("MESSAGE#191:129", "nwparser.payload", "PPPoE terminated%{}", processor_chain([ + dup5, + ])); + + var msg193 = msg("129", part254); + + var part255 = match("MESSAGE#192:130", "nwparser.payload", "PPPoE Network Connected%{}", processor_chain([ + dup1, + ])); + + var msg194 = msg("130", part255); + + var part256 = match("MESSAGE#193:131", "nwparser.payload", "PPPoE Network Disconnected%{}", processor_chain([ + dup1, + ])); + + var msg195 = msg("131", part256); + + var part257 = match("MESSAGE#194:132", "nwparser.payload", "PPPoE discovery process complete%{}", 
processor_chain([ + dup1, + ])); + + var msg196 = msg("132", part257); + + var part258 = match("MESSAGE#195:133", "nwparser.payload", "PPPoE starting CHAP Authentication%{}", processor_chain([ + dup1, + ])); + + var msg197 = msg("133", part258); + + var part259 = match("MESSAGE#196:134", "nwparser.payload", "PPPoE starting PAP Authentication%{}", processor_chain([ + dup1, + ])); + + var msg198 = msg("134", part259); + + var part260 = match("MESSAGE#197:135", "nwparser.payload", "PPPoE CHAP Authentication Failed%{}", processor_chain([ + dup84, + ])); + + var msg199 = msg("135", part260); + + var part261 = match("MESSAGE#198:136", "nwparser.payload", "PPPoE PAP Authentication Failed%{}", processor_chain([ + dup84, + ])); + + var msg200 = msg("136", part261); + + var part262 = match("MESSAGE#199:137", "nwparser.payload", "Wan IP Changed%{}", processor_chain([ + dup3, + ])); + + var msg201 = msg("137", part262); + + var part263 = match("MESSAGE#200:138", "nwparser.payload", "XAUTH Succeeded%{}", processor_chain([ + dup3, + ])); + + var msg202 = msg("138", part263); + + var part264 = match("MESSAGE#201:139", "nwparser.payload", "XAUTH Failed%{}", processor_chain([ + dup5, + ])); + + var msg203 = msg("139", part264); + + var all37 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + setc("eventcategory","1801020100"), + ]), + }); + + var msg204 = msg("139:01", all37); + + var select68 = linear_select([ + msg203, + msg204, + ]); + + var msg205 = msg("140", dup227); + + var msg206 = msg("141", dup227); + + var part265 = match("MESSAGE#205:142", "nwparser.payload", "Primary firewall has transitioned to Active%{}", processor_chain([ + dup1, + ])); + + var msg207 = msg("142", part265); + + var part266 = match("MESSAGE#206:143", "nwparser.payload", "Backup firewall has transitioned to Active%{}", processor_chain([ + dup1, + ])); + + var msg208 = msg("143", part266); + + var part267 = match("MESSAGE#207:1431", 
"nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=::%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup70, + dup11, + ])); + + var msg209 = msg("1431", part267); + + var part268 = match("MESSAGE#208:144", "nwparser.payload", "Primary firewall has transitioned to Idle%{}", processor_chain([ + dup1, + ])); + + var msg210 = msg("144", part268); + + var part269 = match("MESSAGE#209:145", "nwparser.payload", "Backup firewall has transitioned to Idle%{}", processor_chain([ + dup1, + ])); + + var msg211 = msg("145", part269); + + var part270 = match("MESSAGE#210:146", "nwparser.payload", "Primary missed heartbeats from Active Backup: Primary going Active%{}", processor_chain([ + dup86, + ])); + + var msg212 = msg("146", part270); + + var part271 = match("MESSAGE#211:147", "nwparser.payload", "Backup missed heartbeats from Active Primary: Backup going Active%{}", processor_chain([ + dup86, + ])); + + var msg213 = msg("147", part271); + + var part272 = match("MESSAGE#212:148", "nwparser.payload", "Primary received error signal from Active Backup: Primary going Active%{}", processor_chain([ + dup1, + ])); + + var msg214 = msg("148", part272); + + var part273 = match("MESSAGE#213:1480", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + setc("eventcategory","1204010000"), + dup11, + ])); + + var msg215 = msg("1480", part273); + + var part274 = match("MESSAGE#214:149", "nwparser.payload", "Backup received error signal from Active Primary: Backup going Active%{}", processor_chain([ + dup1, + ])); + + var msg216 = msg("149", part274); + + var part275 = match("MESSAGE#215:150", "nwparser.payload", "Backup firewall being preempted by Primary%{}", processor_chain([ + dup1, + ])); + + var msg217 = msg("150", part275); + + var part276 = match("MESSAGE#216:151", 
"nwparser.payload", "Primary firewall preempting Backup%{}", processor_chain([ + dup1, + ])); + + var msg218 = msg("151", part276); + + var part277 = match("MESSAGE#217:152", "nwparser.payload", "Active Backup detects Active Primary: Backup rebooting%{}", processor_chain([ + dup1, + ])); + + var msg219 = msg("152", part277); + + var part278 = match("MESSAGE#218:153", "nwparser.payload", "Imported HA hardware ID did not match this firewall%{}", processor_chain([ + setc("eventcategory","1603010000"), + ])); + + var msg220 = msg("153", part278); + + var part279 = match("MESSAGE#219:154", "nwparser.payload", "Received AV Alert: Your SonicWALL Network Anti-Virus subscription has expired. %s%{}", processor_chain([ + dup56, + ])); + + var msg221 = msg("154", part279); + + var part280 = match("MESSAGE#220:155", "nwparser.payload", "Primary received heartbeat from wrong source%{}", processor_chain([ + dup86, + ])); + + var msg222 = msg("155", part280); + + var part281 = match("MESSAGE#221:156", "nwparser.payload", "Backup received heartbeat from wrong source%{}", processor_chain([ + dup86, + ])); + + var msg223 = msg("156", part281); + + var part282 = match("MESSAGE#222:157:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup1, + ])); + + var msg224 = msg("157:01", part282); + + var part283 = match("MESSAGE#223:157", "nwparser.payload", "HA packet processing error%{}", processor_chain([ + dup5, + ])); + + var msg225 = msg("157", part283); + + var select69 = linear_select([ + msg224, + msg225, + ]); + + var part284 = match("MESSAGE#224:158", "nwparser.payload", "Heartbeat received from incompatible source%{}", processor_chain([ + dup86, + ])); + + var msg226 = msg("158", part284); + + var part285 = match("MESSAGE#225:159", "nwparser.payload", "Diagnostic Code F%{}", processor_chain([ + dup5, + ])); + + var msg227 = msg("159", part285); + + var part286 = match("MESSAGE#226:160", "nwparser.payload", "Forbidden E-mail attachment altered%{}", 
processor_chain([ + setc("eventcategory","1203000000"), + ])); + + var msg228 = msg("160", part286); + + var part287 = match("MESSAGE#227:161", "nwparser.payload", "PPPoE PAP Authentication success.%{}", processor_chain([ + dup57, + ])); + + var msg229 = msg("161", part287); + + var part288 = match("MESSAGE#228:162", "nwparser.payload", "PPPoE PAP Authentication Failed. Please verify PPPoE username and password%{}", processor_chain([ + dup32, + ])); + + var msg230 = msg("162", part288); + + var part289 = match("MESSAGE#229:163", "nwparser.payload", "Disconnecting PPPoE due to traffic timeout%{}", processor_chain([ + dup5, + ])); + + var msg231 = msg("163", part289); + + var part290 = match("MESSAGE#230:164", "nwparser.payload", "No response from ISP Disconnecting PPPoE.%{}", processor_chain([ + dup5, + ])); + + var msg232 = msg("164", part290); + + var part291 = match("MESSAGE#231:165", "nwparser.payload", "Backup going Active in preempt mode after reboot%{}", processor_chain([ + dup1, + ])); + + var msg233 = msg("165", part291); + + var part292 = match("MESSAGE#232:166", "nwparser.payload", "Denied TCP connection from LAN%{}", processor_chain([ + dup12, + ])); + + var msg234 = msg("166", part292); + + var part293 = match("MESSAGE#233:167", "nwparser.payload", "Denied UDP packet from LAN%{}", processor_chain([ + dup12, + ])); + + var msg235 = msg("167", part293); + + var part294 = match("MESSAGE#234:168", "nwparser.payload", "Denied ICMP packet from LAN%{}", processor_chain([ + dup12, + ])); + + var msg236 = msg("168", part294); + + var part295 = match("MESSAGE#235:169", "nwparser.payload", "Firewall access from LAN%{}", processor_chain([ + dup1, + ])); + + var msg237 = msg("169", part295); + + var part296 = match("MESSAGE#236:170", "nwparser.payload", "Received a path MTU icmp message from router/gateway%{}", processor_chain([ + dup1, + ])); + + var msg238 = msg("170", part296); + + var part297 = match("MESSAGE#237:171", "nwparser.payload", "Probable TCP FIN 
scan%{}", processor_chain([ + dup62, + ])); + + var msg239 = msg("171", part297); + + var part298 = match("MESSAGE#238:171:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup87, + ])); + + var msg240 = msg("171:01", part298); + + var part299 = match("MESSAGE#239:171:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}:%{dport}", processor_chain([ + dup87, + ])); + + var msg241 = msg("171:02", part299); + + var part300 = match("MESSAGE#240:171:03/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld1}\" sess=%{fld2->} n=%{fld3->} src=%{p0}"); + + var all38 = all_match({ + processors: [ + part300, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup87, + ]), + }); + + var msg242 = msg("171:03", all38); + + var select70 = linear_select([ + msg239, + msg240, + msg241, + msg242, + ]); + + var part301 = match("MESSAGE#241:172", "nwparser.payload", "Probable TCP XMAS scan%{}", processor_chain([ + dup62, + ])); + + var msg243 = msg("172", part301); + + var part302 = match("MESSAGE#242:172:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup62, + ])); + + var msg244 = msg("172:01", part302); + + var select71 = linear_select([ + msg243, + msg244, + ]); + + var part303 = match("MESSAGE#243:173", "nwparser.payload", "Probable TCP NULL scan%{}", processor_chain([ + dup62, + ])); + + var msg245 = msg("173", part303); + + var part304 = match("MESSAGE#244:174", "nwparser.payload", "IPSEC Replay Detected%{}", processor_chain([ + dup59, + ])); + + var msg246 = msg("174", part304); + + var all39 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup175, + dup79, + ], + on_success: processor_chain([ + dup59, + ]), + }); + + var msg247 = msg("174:01", all39); + + var all40 = all_match({ + processors: [ + dup44, + dup179, + dup36, + dup178, + ], + on_success: processor_chain([ + dup12, + ]), + }); + + var msg248 = msg("174:02", 
all40); + + var all41 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup181, + dup43, + ], + on_success: processor_chain([ + dup12, + ]), + }); + + var msg249 = msg("174:03", all41); + + var select72 = linear_select([ + msg246, + msg247, + msg248, + msg249, + ]); + + var part305 = match("MESSAGE#248:175", "nwparser.payload", "TCP FIN packet dropped%{}", processor_chain([ + dup59, + ])); + + var msg250 = msg("175", part305); + + var part306 = match("MESSAGE#249:175:01", "nwparser.payload", "msg=\"ICMP packet from LAN dropped\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} type=%{type}", processor_chain([ + dup59, + ])); + + var msg251 = msg("175:01", part306); + + var part307 = match("MESSAGE#250:175:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} type=%{type->} icmpCode=%{fld3->} npcs=%{info}", processor_chain([ + dup59, + ])); + + var msg252 = msg("175:02", part307); + + var select73 = linear_select([ + msg250, + msg251, + msg252, + ]); + + var part308 = match("MESSAGE#251:176", "nwparser.payload", "Fraudulent Microsoft Certificate Blocked%{}", processor_chain([ + dup87, + ])); + + var msg253 = msg("176", part308); + + var msg254 = msg("177", dup185); + + var msg255 = msg("178", dup190); + + var msg256 = msg("179", dup185); + + var all42 = all_match({ + processors: [ + dup33, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup91, + ]), + }); + + var msg257 = msg("180", all42); + + var all43 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup191, + dup94, + ], + on_success: processor_chain([ + dup91, + ]), + }); + + var msg258 = msg("180:01", all43); + + var select74 = linear_select([ + msg257, + msg258, + ]); + + var msg259 = msg("181", dup184); + + var all44 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup62, + ]), + }); + + var msg260 = msg("181:01", all44); + + var select75 = linear_select([ + msg259, + 
msg260, + ]); + + var msg261 = msg("193", dup228); + + var msg262 = msg("194", dup229); + + var msg263 = msg("195", dup229); + + var part309 = match("MESSAGE#262:196/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{fld2->} dst=%{daddr}:%{fld3->} sport=%{sport->} dport=%{dport->} %{p0}"); + + var part310 = match("MESSAGE#262:196/1_1", "nwparser.p0", " rcvd=%{rbytes->} cmd=%{p0}"); + + var select76 = linear_select([ + dup98, + part310, + ]); + + var all45 = all_match({ + processors: [ + part309, + select76, + dup99, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg264 = msg("196", all45); + + var part311 = match("MESSAGE#263:196:01/1_1", "nwparser.p0", "rcvd=%{rbytes->} cmd=%{p0}"); + + var select77 = linear_select([ + dup98, + part311, + ]); + + var all46 = all_match({ + processors: [ + dup95, + select77, + dup99, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg265 = msg("196:01", all46); + + var select78 = linear_select([ + msg264, + msg265, + ]); + + var msg266 = msg("199", dup230); + + var msg267 = msg("200", dup226); + + var part312 = match("MESSAGE#266:235:02", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup29, + ])); + + var msg268 = msg("235:02", part312); + + var part313 = match("MESSAGE#267:235/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{p0}"); + + var all47 = all_match({ + processors: [ + part313, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup29, + ]), + }); + + var msg269 = msg("235", all47); + + var msg270 = msg("235:01", dup231); + + var select79 = linear_select([ + msg268, + msg269, + msg270, + ]); + + var msg271 = msg("236", dup231); + + var msg272 = msg("237", dup230); + + var msg273 = msg("238", dup230); + + var part314 = match("MESSAGE#272:239", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} 
src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ + dup101, + ])); + + var msg274 = msg("239", part314); + + var part315 = match("MESSAGE#273:240", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ + dup101, + ])); + + var msg275 = msg("240", part315); + + var part316 = match("MESSAGE#274:241", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup70, + ])); + + var msg276 = msg("241", part316); + + var part317 = match("MESSAGE#275:241:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup70, + ])); + + var msg277 = msg("241:01", part317); + + var select80 = linear_select([ + msg276, + msg277, + ]); + + var part318 = match("MESSAGE#276:242/1_0", "nwparser.p0", "%{saddr}:%{sport}:: %{p0}"); + + var part319 = match("MESSAGE#276:242/1_1", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + + var select81 = linear_select([ + part318, + part319, + dup35, + ]); + + var part320 = match("MESSAGE#276:242/3_0", "nwparser.p0", "%{daddr}:%{dport}:: "); + + var part321 = match("MESSAGE#276:242/3_1", "nwparser.p0", "%{daddr}:%{dport->} "); + + var select82 = linear_select([ + part320, + part321, + dup28, + ]); + + var all48 = all_match({ + processors: [ + dup44, + select81, + dup36, + select82, + ], + on_success: processor_chain([ + dup70, + ]), + }); + + var msg278 = msg("242", all48); + + var msg279 = msg("252", dup193); + + var msg280 = msg("255", dup193); + + var msg281 = msg("257", dup193); + + var msg282 = msg("261:01", dup232); + + var msg283 = msg("261", dup193); + + var select83 = linear_select([ + msg282, + msg283, + ]); + + var msg284 = msg("262", dup232); + + var all49 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup105, + ]), + }); + + var msg285 = msg("273", all49); + + var msg286 = msg("328", dup233); + + var 
msg287 = msg("329", dup226); + + var msg288 = msg("346", dup193); + + var msg289 = msg("350", dup193); + + var msg290 = msg("351", dup193); + + var msg291 = msg("352", dup193); + + var msg292 = msg("353:01", dup190); + + var part322 = match("MESSAGE#291:353", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost->} lifeSeconds=%{misc}\"", processor_chain([ + dup5, + ])); + + var msg293 = msg("353", part322); + + var select84 = linear_select([ + msg292, + msg293, + ]); + + var part323 = match("MESSAGE#292:354", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=\"%{shost->} lifeSeconds=%{misc}\"", processor_chain([ + dup1, + ])); + + var msg294 = msg("354", part323); + + var msg295 = msg("355", dup194); + + var msg296 = msg("355:01", dup193); + + var select85 = linear_select([ + msg295, + msg296, + ]); + + var msg297 = msg("356", dup195); + + var part324 = match("MESSAGE#296:357", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} dstname=%{name}", processor_chain([ + dup87, + ])); + + var msg298 = msg("357", part324); + + var part325 = match("MESSAGE#297:357:01", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup87, + ])); + + var msg299 = msg("357:01", part325); + + var select86 = linear_select([ + msg298, + msg299, + ]); + + var msg300 = msg("358", dup196); + + var part326 = match("MESSAGE#299:371", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost}", processor_chain([ + setc("eventcategory","1503000000"), + ])); + + var msg301 = msg("371", part326); + + var msg302 = msg("371:01", dup197); + + var select87 = linear_select([ + msg301, + msg302, + ]); + + var msg303 = msg("372", dup193); + + var msg304 = msg("373", dup195); + + var msg305 = msg("401", dup234); + + var msg306 = msg("402", 
dup234); + + var msg307 = msg("406", dup196); + + var part327 = match("MESSAGE#305:413", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, + ])); + + var msg308 = msg("413", part327); + + var msg309 = msg("414", dup193); + + var msg310 = msg("438", dup235); + + var msg311 = msg("439", dup235); + + var all50 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + setc("eventcategory","1501020000"), + ]), + }); + + var msg312 = msg("440", all50); + + var all51 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + setc("eventcategory","1502050000"), + ]), + }); + + var msg313 = msg("441", all51); + + var part328 = match("MESSAGE#311:441:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + setc("eventcategory","1001020000"), + ])); + + var msg314 = msg("441:01", part328); + + var select88 = linear_select([ + msg313, + msg314, + ]); + + var all52 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + setc("eventcategory","1501030000"), + ]), + }); + + var msg315 = msg("442", all52); + + var part329 = match("MESSAGE#313:446/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{p0}"); + + var part330 = match("MESSAGE#313:446/1_0", "nwparser.p0", "%{fld1->} appName=\"%{application}\" n=%{p0}"); + + var part331 = match("MESSAGE#313:446/1_1", "nwparser.p0", "%{fld1->} n=%{p0}"); + + var select89 = linear_select([ + part330, + part331, + ]); + + var part332 = match("MESSAGE#313:446/2", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var all53 = all_match({ + processors: [ + part329, + select89, + part332, + dup199, + dup112, + ], + on_success: processor_chain([ + dup59, + dup54, + dup17, + 
dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg316 = msg("446", all53); + + var part333 = match("MESSAGE#314:477", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"MAC=%{smacaddr->} HostName:%{hostname}\"", processor_chain([ + dup113, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg317 = msg("477", part333); + + var all54 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup29, + ]), + }); + + var msg318 = msg("509", all54); + + var all55 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup103, + ]), + }); + + var msg319 = msg("520", all55); + + var msg320 = msg("522", dup236); + + var part334 = match("MESSAGE#318:522:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} srcV6=%{saddr_v6->} src= %{p0}"); + + var part335 = match("MESSAGE#318:522:01/2", "nwparser.p0", "%{}dstV6=%{daddr_v6->} dst= %{p0}"); + + var all56 = all_match({ + processors: [ + part334, + dup179, + part335, + dup175, + dup114, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg321 = msg("522:01", all56); + + var part336 = match("MESSAGE#319:522:02/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{shost->} dst= %{p0}"); + + var select90 = linear_select([ + part336, + dup39, + ]); + + var all57 = all_match({ + processors: [ + dup38, + select90, + dup10, + dup175, + dup114, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg322 = msg("522:02", all57); + + var select91 = linear_select([ + msg320, + msg321, + msg322, + ]); + + var msg323 = msg("523", dup236); + + var all58 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup175, + dup10, + dup200, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg324 = 
msg("524", all58); + + var part337 = match("MESSAGE#322:524:01/5_0", "nwparser.p0", "proto=%{protocol->} npcs= %{p0}"); + + var part338 = match("MESSAGE#322:524:01/5_1", "nwparser.p0", "rule=%{rule->} npcs= %{p0}"); + + var select92 = linear_select([ + part337, + part338, + ]); + + var all59 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup175, + dup10, + select92, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg325 = msg("524:01", all59); + + var part339 = match("MESSAGE#323:524:02/0", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}rule=\"%{p0}"); + + var part340 = match("MESSAGE#323:524:02/1_0", "nwparser.p0", "%{rule}\" note=\"%{rulename}\"%{p0}"); + + var part341 = match("MESSAGE#323:524:02/1_1", "nwparser.p0", "%{rule}\"%{p0}"); + + var select93 = linear_select([ + part340, + part341, + ]); + + var part342 = match("MESSAGE#323:524:02/2", "nwparser.p0", "%{}fw_action=\"%{action}\""); + + var all60 = all_match({ + processors: [ + part339, + select93, + part342, + ], + on_success: processor_chain([ + dup6, + dup11, + ]), + }); + + var msg326 = msg("524:02", all60); + + var select94 = linear_select([ + msg324, + msg325, + msg326, + ]); + + var msg327 = msg("526", dup237); + + var part343 = match("MESSAGE#325:526:01/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{fld20->} dst= %{p0}"); + + var select95 = linear_select([ + dup25, + part343, + dup39, + ]); + + var part344 = match("MESSAGE#325:526:01/3_1", "nwparser.p0", " %{daddr->} "); + + var select96 = linear_select([ + dup27, + part344, + ]); + + var all61 = all_match({ + processors: [ + dup80, + select95, + dup10, + select96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg328 = msg("526:01", all61); + + var all62 = all_match({ + processors: [ + dup7, + dup201, + dup10, + dup175, + dup114, + ], + 
on_success: processor_chain([ + dup1, + ]), + }); + + var msg329 = msg("526:02", all62); + + var part345 = match("MESSAGE#327:526:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + ])); + + var msg330 = msg("526:03", part345); + + var part346 = match("MESSAGE#328:526:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + ])); + + var msg331 = msg("526:04", part346); + + var part347 = match("MESSAGE#329:526:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + ])); + + var msg332 = msg("526:05", part347); + + var select97 = linear_select([ + msg327, + msg328, + msg329, + msg330, + msg331, + msg332, + ]); + + var part348 = match("MESSAGE#330:537:01/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes->} rcvd=%{p0}"); + + var part349 = match("MESSAGE#330:537:01/5_0", "nwparser.p0", "%{rbytes->} vpnpolicy=%{fld3->} "); + + var part350 = match("MESSAGE#330:537:01/5_1", "nwparser.p0", "%{rbytes->} "); + + var select98 = linear_select([ + part349, + part350, + ]); + + var all63 = all_match({ + processors: [ + dup116, + dup202, + dup10, + dup203, + part348, + select98, + ], + on_success: processor_chain([ + dup105, + ]), + }); + + var msg333 = msg("537:01", all63); + + var part351 = match("MESSAGE#331:537:02/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes}"); + + var all64 = 
all_match({ + processors: [ + dup116, + dup202, + dup10, + dup203, + part351, + ], + on_success: processor_chain([ + dup105, + ]), + }); + + var msg334 = msg("537:02", all64); + + var select99 = linear_select([ + dup117, + dup118, + dup119, + dup120, + ]); + + var part352 = match("MESSAGE#332:537:08/3_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part353 = match("MESSAGE#332:537:08/3_2", "nwparser.p0", " %{daddr}srcMac=%{p0}"); + + var select100 = linear_select([ + dup123, + part352, + part353, + ]); + + var part354 = match("MESSAGE#332:537:08/4", "nwparser.p0", "%{} %{smacaddr->} %{p0}"); + + var select101 = linear_select([ + dup124, + dup125, + ]); + + var part355 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); + + var part356 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); + + var select102 = linear_select([ + part355, + part356, + ]); + + var part357 = match("MESSAGE#332:537:08/7_0", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} fw_action=\"%{action}\" "); + + var part358 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); + + var part359 = match("MESSAGE#332:537:08/7_2", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} fw_action=\"%{action}\" "); + + var part360 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7->} "); + + var part361 = match("MESSAGE#332:537:08/7_4", "nwparser.p0", "%{fld3}"); + + var select103 = linear_select([ + part357, + part358, + part359, + part360, + part361, + ]); + + var all65 = all_match({ + processors: [ + select99, + dup204, + dup205, + select100, + part354, + select101, + select102, + select103, + ], + on_success: processor_chain([ + dup105, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg335 = msg("537:08", all65); + + var select104 = linear_select([ + dup118, + dup117, + dup119, + dup120, + ]); + + var part362 = 
match("MESSAGE#333:537:09/3_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); + + var part363 = match("MESSAGE#333:537:09/3_2", "nwparser.p0", " %{daddr}dstMac=%{p0}"); + + var select105 = linear_select([ + dup126, + part362, + part363, + ]); + + var part364 = match("MESSAGE#333:537:09/4", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + + var select106 = linear_select([ + dup129, + dup130, + dup131, + dup132, + ]); + + var all66 = all_match({ + processors: [ + select104, + dup204, + dup205, + select105, + part364, + dup206, + select106, + ], + on_success: processor_chain([ + dup105, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg336 = msg("537:09", all66); + + var part365 = match("MESSAGE#334:537:07/0_1", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); + + var select107 = linear_select([ + dup117, + part365, + dup119, + dup120, + ]); + + var part366 = match("MESSAGE#334:537:07/4_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + + var part367 = match("MESSAGE#334:537:07/4_1", "nwparser.p0", " srcMac=%{smacaddr->} proto=%{protocol->} sent=%{p0}"); + + var select108 = linear_select([ + part366, + part367, + dup124, + dup125, + ]); + + var part368 = match("MESSAGE#334:537:07/6_3", "nwparser.p0", " spkt=%{fld3->} fw_action=\"%{action}\""); + + var select109 = linear_select([ + dup129, + dup130, + dup131, + part368, + dup132, + ]); + + var all67 = all_match({ + processors: [ + select107, + dup204, + dup205, + dup186, + select108, + dup206, + select109, + ], + on_success: processor_chain([ + dup105, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg337 = msg("537:07", all67); + + var part369 = match("MESSAGE#335:537/1_0", "nwparser.p0", "%{action}\" app=%{fld51->} appName=\"%{application}\"%{p0}"); + + var part370 = match("MESSAGE#335:537/1_1", "nwparser.p0", "%{action}\"%{p0}"); + 
+ var select110 = linear_select([ + part369, + part370, + ]); + + var part371 = match("MESSAGE#335:537/2", "nwparser.p0", "%{}n=%{fld1->} src= %{p0}"); + + var part372 = match("MESSAGE#335:537/4_0", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} sent=%{p0}"); + + var part373 = match("MESSAGE#335:537/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}: proto=%{protocol->} sent=%{p0}"); + + var part374 = match("MESSAGE#335:537/4_2", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} sent=%{p0}"); + + var part375 = match("MESSAGE#335:537/4_3", "nwparser.p0", " %{daddr->} proto=%{protocol->} sent=%{p0}"); + + var select111 = linear_select([ + part372, + part373, + part374, + part375, + ]); + + var part376 = match("MESSAGE#335:537/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} fw_action=\"%{fld6}\""); + + var part377 = match("MESSAGE#335:537/5_1", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} fw_action=\"%{fld5}\""); + + var part378 = match("MESSAGE#335:537/5_2", "nwparser.p0", "%{sbytes->} spkt=%{fld3}fw_action=\"%{fld4}\""); + + var part379 = match("MESSAGE#335:537/5_3", "nwparser.p0", "%{sbytes}rcvd=%{rbytes}"); + + var part380 = match("MESSAGE#335:537/5_4", "nwparser.p0", "%{sbytes}"); + + var select112 = linear_select([ + part376, + part377, + part378, + part379, + part380, + ]); + + var all68 = all_match({ + processors: [ + dup48, + select110, + part371, + dup202, + select111, + select112, + ], + on_success: processor_chain([ + dup105, + ]), + }); + + var msg338 = msg("537", all68); + + var part381 = match("MESSAGE#336:537:04/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} npcs=%{info}"); + + var all69 = all_match({ + processors: [ + dup133, + dup180, + dup10, + dup207, + part381, + ], + on_success: processor_chain([ + dup105, + ]), + }); + + var msg339 = 
msg("537:04", all69); + + var part382 = match("MESSAGE#337:537:05/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} spkt=%{fld3->} cdur=%{p0}"); + + var part383 = match("MESSAGE#337:537:05/5_0", "nwparser.p0", "%{fld4->} appcat=%{fld5->} appid=%{fld6->} npcs= %{p0}"); + + var part384 = match("MESSAGE#337:537:05/5_1", "nwparser.p0", "%{fld4->} npcs= %{p0}"); + + var select113 = linear_select([ + part383, + part384, + ]); + + var all70 = all_match({ + processors: [ + dup133, + dup180, + dup10, + dup207, + part382, + select113, + dup90, + ], + on_success: processor_chain([ + dup105, + ]), + }); + + var msg340 = msg("537:05", all70); + + var part385 = match("MESSAGE#338:537:10/0", "nwparser.payload", "msg=\"%{event_description}\" sess=%{fld1->} n=%{p0}"); + + var part386 = match("MESSAGE#338:537:10/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); + + var part387 = match("MESSAGE#338:537:10/4_2", "nwparser.p0", "%{daddr->} dstMac=%{p0}"); + + var select114 = linear_select([ + dup126, + part386, + part387, + ]); + + var part388 = match("MESSAGE#338:537:10/5", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); + + var all71 = all_match({ + processors: [ + part385, + dup208, + dup137, + dup209, + select114, + part388, + dup210, + ], + on_success: processor_chain([ + dup105, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg341 = msg("537:10", all71); + + var part389 = match("MESSAGE#339:537:03/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{p0}"); + + var part390 = match("MESSAGE#339:537:03/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var part391 = match("MESSAGE#339:537:03/4_2", "nwparser.p0", "%{daddr->} proto=%{p0}"); + + var select115 = linear_select([ + dup77, + part390, + part391, + ]); + + var part392 = match("MESSAGE#339:537:03/5", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} 
rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); + + var all72 = all_match({ + processors: [ + part389, + dup208, + dup137, + dup209, + select115, + part392, + dup210, + ], + on_success: processor_chain([ + dup105, + ]), + }); + + var msg342 = msg("537:03", all72); + + var part393 = match("MESSAGE#340:537:06/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} spkt=%{fld3->} npcs=%{info}"); + + var all73 = all_match({ + processors: [ + dup133, + dup180, + dup10, + dup207, + part393, + ], + on_success: processor_chain([ + dup105, + ]), + }); + + var msg343 = msg("537:06", all73); + + var part394 = match("MESSAGE#341:537:11", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld3}rpkt=%{fld4}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup105, + dup54, + dup11, + dup142, + ])); + + var msg344 = msg("537:11", part394); + + var part395 = match("MESSAGE#342:537:12", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup105, + dup54, + dup11, + dup142, + ])); + + var msg345 = msg("537:12", part395); + + var select116 = linear_select([ + msg333, + msg334, + msg335, + msg336, + msg337, + msg338, + msg339, + msg340, + msg341, + msg342, + msg343, + msg344, + msg345, + ]); + + var msg346 = msg("538", dup228); + + var msg347 = msg("549", dup226); + + var msg348 = msg("557", dup226); + + var all74 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + 
setc("eventcategory","1402020200"), + ]), + }); + + var msg349 = msg("558", all74); + + var msg350 = msg("561", dup233); + + var msg351 = msg("562", dup233); + + var msg352 = msg("563", dup233); + + var all75 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + setc("eventcategory","1402020400"), + ]), + }); + + var msg353 = msg("583", all75); + + var part396 = match("MESSAGE#351:597:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ + dup143, + dup51, + dup144, + dup53, + dup54, + dup11, + dup145, + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg354 = msg("597:01", part396); + + var part397 = match("MESSAGE#352:597:02", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ + dup1, + ])); + + var msg355 = msg("597:02", part397); + + var part398 = match("MESSAGE#353:597:03/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var all76 = all_match({ + processors: [ + part398, + dup187, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg356 = msg("597:03", all76); + + var select117 = linear_select([ + msg354, + msg355, + msg356, + ]); + + var part399 = match("MESSAGE#354:598", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{type->} code=%{code}", processor_chain([ + dup1, + ])); + + var msg357 = msg("598", part399); + + var part400 = match("MESSAGE#355:598:01/2", "nwparser.p0", "%{} %{type->} npcs=%{info}"); + + var all77 = all_match({ + processors: [ + dup146, + dup182, + part400, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg358 = 
msg("598:01", all77); + + var all78 = all_match({ + processors: [ + dup146, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg359 = msg("598:02", all78); + + var select118 = linear_select([ + msg357, + msg358, + msg359, + ]); + + var part401 = match("MESSAGE#357:602:01", "nwparser.payload", "msg=\"%{event_description}allowed\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ + dup143, + dup51, + dup144, + dup53, + dup54, + dup11, + dup145, + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg360 = msg("602:01", part401); + + var msg361 = msg("602:02", dup237); + + var all79 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup175, + dup79, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg362 = msg("602:03", all79); + + var select119 = linear_select([ + msg360, + msg361, + msg362, + ]); + + var msg363 = msg("605", dup196); + + var all80 = all_match({ + processors: [ + dup147, + dup211, + dup149, + dup199, + dup112, + ], + on_success: processor_chain([ + dup87, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg364 = msg("606", all80); + + var part402 = match("MESSAGE#362:608/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} ipscat=%{ipscat->} ipspri=%{p0}"); + + var part403 = match("MESSAGE#362:608/1_0", "nwparser.p0", "%{fld66->} pktdatId=%{fld11->} n=%{p0}"); + + var part404 = match("MESSAGE#362:608/1_1", "nwparser.p0", "%{ipspri->} n=%{p0}"); + + var select120 = linear_select([ + part403, + part404, + ]); + + var part405 = match("MESSAGE#362:608/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{p0}"); + + var part406 = match("MESSAGE#362:608/3_0", "nwparser.p0", "%{sport}:%{sinterface->} dst=%{p0}"); + + var part407 = match("MESSAGE#362:608/3_1", "nwparser.p0", "%{sport->} dst=%{p0}"); + + var select121 = linear_select([ + part406, + part407, + ]); + + var 
part408 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); + + var part409 = match("MESSAGE#362:608/5_0", "nwparser.p0", "%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{fld2}\""); + + var part410 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); + + var part411 = match("MESSAGE#362:608/5_2", "nwparser.p0", "%{dport}"); + + var select122 = linear_select([ + part409, + part410, + part411, + ]); + + var all81 = all_match({ + processors: [ + part402, + select120, + part405, + select121, + part408, + select122, + ], + on_success: processor_chain([ + dup1, + dup37, + ]), + }); + + var msg365 = msg("608", all81); + + var msg366 = msg("616", dup194); + + var msg367 = msg("658", dup190); + + var msg368 = msg("710", dup212); + + var msg369 = msg("712:02", dup238); + + var msg370 = msg("712", dup212); + + var all82 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup191, + dup94, + ], + on_success: processor_chain([ + dup150, + ]), + }); + + var msg371 = msg("712:01", all82); + + var select123 = linear_select([ + msg369, + msg370, + msg371, + ]); + + var part412 = match("MESSAGE#369:713:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=%{info}", processor_chain([ + dup5, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg372 = msg("713:01", part412); + + var msg373 = msg("713:04", dup238); + + var msg374 = msg("713:02", dup212); + + var part413 = match("MESSAGE#372:713:03", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{action}\" npcs=%{info}", processor_chain([ + dup5, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg375 = msg("713:03", part413); + 
+ var select124 = linear_select([ + msg372, + msg373, + msg374, + msg375, + ]); + + var part414 = match("MESSAGE#373:760", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=%{info}", processor_chain([ + dup113, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg376 = msg("760", part414); + + var part415 = match("MESSAGE#374:760:01/0", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part416 = match("MESSAGE#374:760:01/4", "nwparser.p0", "%{} %{action->} npcs=%{info}"); + + var all83 = all_match({ + processors: [ + part415, + dup174, + dup10, + dup191, + part416, + ], + on_success: processor_chain([ + dup113, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg377 = msg("760:01", all83); + + var select125 = linear_select([ + msg376, + msg377, + ]); + + var msg378 = msg("766", dup216); + + var msg379 = msg("860", dup216); + + var msg380 = msg("860:01", dup217); + + var select126 = linear_select([ + msg379, + msg380, + ]); + + var part417 = match("MESSAGE#378:866/0", "nwparser.payload", "msg=\"%{msg}\" n=%{p0}"); + + var part418 = match("MESSAGE#378:866/1_0", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\" "); + + var part419 = match("MESSAGE#378:866/1_1", "nwparser.p0", "%{ntype->} "); + + var select127 = linear_select([ + part418, + part419, + ]); + + var all84 = all_match({ + processors: [ + part417, + select127, + ], + on_success: processor_chain([ + dup5, + dup37, + ]), + }); + + var msg381 = msg("866", all84); + + var msg382 = msg("866:01", dup217); + + var select128 = linear_select([ + msg381, + msg382, + ]); + + var msg383 = 
msg("867", dup216); + + var msg384 = msg("867:01", dup217); + + var select129 = linear_select([ + msg383, + msg384, + ]); + + var part420 = match("MESSAGE#382:882", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup1, + ])); + + var msg385 = msg("882", part420); + + var part421 = match("MESSAGE#383:882:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} npcs=%{info}", processor_chain([ + dup1, + ])); + + var msg386 = msg("882:01", part421); + + var select130 = linear_select([ + msg385, + msg386, + ]); + + var part422 = match("MESSAGE#384:888", "nwparser.payload", "msg=\"%{reason};%{action}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup159, + ])); + + var msg387 = msg("888", part422); + + var part423 = match("MESSAGE#385:888:01", "nwparser.payload", "msg=\"%{reason};%{action}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=%{fld3->} npcs=%{info}", processor_chain([ + dup159, + ])); + + var msg388 = msg("888:01", part423); + + var select131 = linear_select([ + msg387, + msg388, + ]); + + var all85 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup159, + ]), + }); + + var msg389 = msg("892", all85); + + var msg390 = msg("904", dup216); + + var msg391 = msg("905", dup216); + + var msg392 = msg("906", dup216); + + var msg393 = msg("907", dup216); + + var select132 = linear_select([ + dup73, + dup138, + ]); + + var all86 = all_match({ + processors: [ + dup160, + select132, + dup10, + dup211, + dup161, + dup199, + dup112, + ], + on_success: processor_chain([ + dup70, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + 
}); + + var msg394 = msg("908", all86); + + var msg395 = msg("909", dup216); + + var msg396 = msg("914", dup218); + + var part424 = match("MESSAGE#394:931", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup64, + ])); + + var msg397 = msg("931", part424); + + var msg398 = msg("657", dup218); + + var all87 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg399 = msg("657:01", all87); + + var select133 = linear_select([ + msg398, + msg399, + ]); + + var msg400 = msg("403", dup197); + + var msg401 = msg("534", dup176); + + var msg402 = msg("994", dup219); + + var part425 = match("MESSAGE#400:243", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} proto=%{protocol}", processor_chain([ + dup1, + dup23, + ])); + + var msg403 = msg("243", part425); + + var msg404 = msg("995", dup176); + + var part426 = match("MESSAGE#402:997", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{fld3->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld4->} note=\"%{info}\"", processor_chain([ + dup1, + dup51, + dup53, + dup54, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg405 = msg("997", part426); + + var msg406 = msg("998", dup219); + + var part427 = match("MESSAGE#405:998:01", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup105, + dup11, + ])); + + var msg407 = msg("998:01", part427); + + var select134 = linear_select([ + msg406, + msg407, + ]); + + var msg408 = msg("1110", dup220); + + var msg409 = 
msg("565", dup220); + + var part428 = match("MESSAGE#408:404", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup54, + ])); + + var msg410 = msg("404", part428); + + var select135 = linear_select([ + dup148, + dup50, + ]); + + var part429 = match("MESSAGE#409:267:01/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{fld3}\" fw_action=\"%{action}\""); + + var all88 = all_match({ + processors: [ + dup81, + select135, + part429, + ], + on_success: processor_chain([ + dup105, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg411 = msg("267:01", all88); + + var part430 = match("MESSAGE#410:267", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}", processor_chain([ + dup1, + dup54, + ])); + + var msg412 = msg("267", part430); + + var select136 = linear_select([ + msg411, + msg412, + ]); + + var part431 = match("MESSAGE#411:263", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} proto=%{protocol}", processor_chain([ + dup1, + dup23, + ])); + + var msg413 = msg("263", part431); + + var part432 = match("MESSAGE#412:264", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup103, + dup11, + ])); + + var msg414 = msg("264", part432); + + var msg415 = msg("412", dup197); + + var part433 = match("MESSAGE#415:793", "nwparser.payload", "msg=\"%{msg}\" af_polid=%{fld1->} af_policy=\"%{fld2}\" af_type=\"%{fld3}\" af_service=\"%{fld4}\" af_action=\"%{fld5}\" n=%{fld6->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ + dup1, + dup23, + ])); + + var msg416 = msg("793", 
part433); + + var part434 = match("MESSAGE#416:805", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} if=%{fld2->} ucastRx=%{fld3->} bcastRx=%{fld4->} bytesRx=%{rbytes->} ucastTx=%{fld5->} bcastTx=%{fld6->} bytesTx=%{sbytes}", processor_chain([ + dup1, + dup23, + ])); + + var msg417 = msg("805", part434); + + var part435 = match("MESSAGE#417:809", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup162, + dup11, + ])); + + var msg418 = msg("809", part435); + + var part436 = match("MESSAGE#418:809:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup162, + dup11, + ])); + + var msg419 = msg("809:01", part436); + + var select137 = linear_select([ + msg418, + msg419, + ]); + + var msg420 = msg("935", dup218); + + var msg421 = msg("614", dup221); + + var part437 = match("MESSAGE#421:748/0", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var all89 = all_match({ + processors: [ + part437, + dup199, + dup112, + ], + on_success: processor_chain([ + dup58, + dup37, + ]), + }); + + var msg422 = msg("748", all89); + + var part438 = match("MESSAGE#422:794/0", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} spycat=%{fld1->} spypri=%{fld2->} pktdatId=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var part439 = match("MESSAGE#422:794/1_0", "nwparser.p0", "%{protocol}/%{fld5->} fw_action=\"%{p0}"); + + var select138 = linear_select([ + part439, + dup111, + ]); + + var all90 = all_match({ + processors: [ + part438, + select138, + dup112, + ], + on_success: processor_chain([ + dup163, + 
dup37, + ]), + }); + + var msg423 = msg("794", all90); + + var msg424 = msg("1086", dup221); + + var part440 = match("MESSAGE#424:1430", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup163, + dup37, + ])); + + var msg425 = msg("1430", part440); + + var msg426 = msg("1149", dup221); + + var msg427 = msg("1159", dup221); + + var part441 = match("MESSAGE#427:1195", "nwparser.payload", "n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup163, + dup37, + ])); + + var msg428 = msg("1195", part441); + + var part442 = match("MESSAGE#428:1195:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}", processor_chain([ + dup163, + dup37, + ])); + + var msg429 = msg("1195:01", part442); + + var select139 = linear_select([ + msg428, + msg429, + ]); + + var part443 = match("MESSAGE#429:1226", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup5, + dup37, + ])); + + var msg430 = msg("1226", part443); + + var part444 = match("MESSAGE#430:1222", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} note=\"%{fld3}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup37, + ])); + + var msg431 = msg("1222", part444); + + var part445 = match("MESSAGE#431:1154", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ + dup1, + dup23, + ])); + + var msg432 = msg("1154", part445); + + var part446 = match("MESSAGE#432:1154:01/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{p0}"); + + var all91 = all_match({ + processors: [ + 
part446, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + dup23, + ]), + }); + + var msg433 = msg("1154:01", all91); + + var part447 = match("MESSAGE#433:1154:02", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid%{fld2->} catid=%{fld3->} sess=\"%{fld4}\" n=%{fld5->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup164, + dup11, + ])); + + var msg434 = msg("1154:02", part447); + + var part448 = match("MESSAGE#434:1154:03/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid=%{fld2->} catid=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var select140 = linear_select([ + dup123, + dup49, + ]); + + var part449 = match("MESSAGE#434:1154:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\""); + + var all92 = all_match({ + processors: [ + part448, + select140, + part449, + ], + on_success: processor_chain([ + dup164, + dup11, + ]), + }); + + var msg435 = msg("1154:03", all92); + + var select141 = linear_select([ + msg432, + msg433, + msg434, + msg435, + ]); + + var part450 = match("MESSAGE#435:msg", "nwparser.payload", "msg=\"%{msg}\" src=%{stransaddr->} dst=%{dtransaddr->} %{result}", processor_chain([ + dup165, + ])); + + var msg436 = msg("msg", part450); + + var part451 = match("MESSAGE#436:src", "nwparser.payload", "src=%{stransaddr->} dst=%{dtransaddr->} %{msg}", processor_chain([ + dup165, + ])); + + var msg437 = msg("src", part451); + + var all93 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup175, + dup10, + dup200, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg438 = msg("1235", all93); + + var part452 = match("MESSAGE#438:1197/4", "nwparser.p0", "%{}\"%{fld3->} 
Protocol:%{protocol}\" npcs=%{info}"); + + var all94 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup191, + part452, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg439 = msg("1197", all94); + + var part453 = match("MESSAGE#439:1199/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3->} sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var all95 = all_match({ + processors: [ + part453, + dup177, + dup166, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg440 = msg("1199", all95); + + var part454 = match("MESSAGE#440:1199:01", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup167, + dup11, + ])); + + var msg441 = msg("1199:01", part454); + + var part455 = match("MESSAGE#441:1199:02", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup167, + dup11, + ])); + + var msg442 = msg("1199:02", part455); + + var select142 = linear_select([ + msg440, + msg441, + msg442, + ]); + + var part456 = match("MESSAGE#442:1155/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} catid=%{fld3->} sess=%{fld4->} n=%{fld5->} src=%{p0}"); + + var all96 = all_match({ + processors: [ + part456, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg443 = msg("1155", all96); + + var part457 = match("MESSAGE#443:1155:01", "nwparser.payload", "msg=\"%{action}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} 
src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup105, + ])); + + var msg444 = msg("1155:01", part457); + + var select143 = linear_select([ + msg443, + msg444, + ]); + + var all97 = all_match({ + processors: [ + dup168, + dup201, + dup166, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg445 = msg("1198", all97); + + var all98 = all_match({ + processors: [ + dup7, + dup177, + dup166, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg446 = msg("714", all98); + + var msg447 = msg("709", dup239); + + var msg448 = msg("1005", dup239); + + var msg449 = msg("1003", dup239); + + var msg450 = msg("1007", dup240); + + var part458 = match("MESSAGE#450:1008", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}::%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup103, + dup11, + ])); + + var msg451 = msg("1008", part458); + + var msg452 = msg("708", dup240); + + var all99 = all_match({ + processors: [ + dup168, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg453 = msg("1201", all99); + + var msg454 = msg("1201:01", dup240); + + var select144 = linear_select([ + msg453, + msg454, + ]); + + var msg455 = msg("654", dup222); + + var msg456 = msg("670", dup222); + + var msg457 = msg("884", dup240); + + var part459 = match("MESSAGE#457:1153", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} rcvd=%{rbytes->} note=\"%{info}\"", processor_chain([ + dup1, + ])); + + var msg458 = msg("1153", part459); + + var part460 = match("MESSAGE#458:1153:01/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} sess=%{fld2->} n=%{p0}"); + + var part461 = 
match("MESSAGE#458:1153:01/0_1", "nwparser.payload", " msg=\"%{event_description}\" sess=%{fld2->} n=%{p0}"); + + var part462 = match("MESSAGE#458:1153:01/0_2", "nwparser.payload", " msg=\"%{event_description}\" n=%{p0}"); + + var select145 = linear_select([ + part460, + part461, + part462, + ]); + + var part463 = match("MESSAGE#458:1153:01/1", "nwparser.p0", "%{fld3->} usr=\"%{username}\" src=%{p0}"); + + var part464 = match("MESSAGE#458:1153:01/2_0", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + + var select146 = linear_select([ + part464, + dup25, + ]); + + var part465 = match("MESSAGE#458:1153:01/4_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac= %{p0}"); + + var part466 = match("MESSAGE#458:1153:01/4_1", "nwparser.p0", "%{daddr}:%{dport}srcMac= %{p0}"); + + var part467 = match("MESSAGE#458:1153:01/4_2", "nwparser.p0", "%{daddr}srcMac= %{p0}"); + + var select147 = linear_select([ + part465, + part466, + part467, + ]); + + var part468 = match("MESSAGE#458:1153:01/5", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} %{p0}"); + + var part469 = match("MESSAGE#458:1153:01/6_0", "nwparser.p0", "sent=%{sbytes}rcvd=%{rbytes->} "); + + var part470 = match("MESSAGE#458:1153:01/6_1", "nwparser.p0", "type=%{fld4->} icmpCode=%{fld5->} rcvd=%{rbytes->} "); + + var part471 = match("MESSAGE#458:1153:01/6_2", "nwparser.p0", "rcvd=%{rbytes->} "); + + var select148 = linear_select([ + part469, + part470, + part471, + ]); + + var all100 = all_match({ + processors: [ + select145, + part463, + select146, + dup10, + select147, + part468, + select148, + ], + on_success: processor_chain([ + dup1, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg459 = msg("1153:01", all100); + + var part472 = match("MESSAGE#459:1153:02/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); + + var part473 = match("MESSAGE#459:1153:02/1_0", "nwparser.p0", "app=%{fld1->} n=%{fld2->} src=%{p0}"); + + var 
part474 = match("MESSAGE#459:1153:02/1_1", "nwparser.p0", " n=%{fld2->} src=%{p0}"); + + var select149 = linear_select([ + part473, + part474, + ]); + + var part475 = match("MESSAGE#459:1153:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes}"); + + var all101 = all_match({ + processors: [ + part472, + select149, + part475, + ], + on_success: processor_chain([ + dup1, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg460 = msg("1153:02", all101); + + var select150 = linear_select([ + msg458, + msg459, + msg460, + ]); + + var part476 = match("MESSAGE#460:1107", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg461 = msg("1107", part476); + + var part477 = match("MESSAGE#461:1220/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{p0}"); + + var part478 = match("MESSAGE#461:1220/1_0", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part479 = match("MESSAGE#461:1220/1_1", "nwparser.p0", "%{fld2}src=%{saddr}:%{sport->} dst=%{p0}"); + + var select151 = linear_select([ + part478, + part479, + ]); + + var all102 = all_match({ + processors: [ + part477, + select151, + dup10, + dup223, + dup171, + ], + on_success: processor_chain([ + dup159, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg462 = msg("1220", all102); + + var all103 = all_match({ + processors: [ + dup147, + dup223, + dup171, + ], + on_success: processor_chain([ + dup159, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg463 = msg("1230", all103); + + var part480 = match("MESSAGE#463:1231", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1->} note=\"%{info}\"", processor_chain([ + dup1, + ])); + + var msg464 = msg("1231", part480); + + var part481 = match("MESSAGE#464:1233", 
"nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup167, + dup11, + ])); + + var msg465 = msg("1233", part481); + + var part482 = match("MESSAGE#465:1079/0", "nwparser.payload", "msg=\"User%{username}log%{p0}"); + + var part483 = match("MESSAGE#465:1079/1_0", "nwparser.p0", "in%{p0}"); + + var part484 = match("MESSAGE#465:1079/1_1", "nwparser.p0", "out%{p0}"); + + var select152 = linear_select([ + part483, + part484, + ]); + + var part485 = match("MESSAGE#465:1079/2", "nwparser.p0", "\"%{p0}"); + + var part486 = match("MESSAGE#465:1079/3_0", "nwparser.p0", "dur=%{duration->} %{space}n=%{fld1}"); + + var part487 = match("MESSAGE#465:1079/3_1", "nwparser.p0", "sess=\"%{fld2}\" n=%{fld1->} "); + + var part488 = match("MESSAGE#465:1079/3_2", "nwparser.p0", "n=%{fld1}"); + + var select153 = linear_select([ + part486, + part487, + part488, + ]); + + var all104 = all_match({ + processors: [ + part482, + select152, + part485, + select153, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg466 = msg("1079", all104); + + var part489 = match("MESSAGE#466:1079:01", "nwparser.payload", "msg=\"Client%{username}is assigned IP:%{hostip}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg467 = msg("1079:01", part489); + + var part490 = match("MESSAGE#467:1079:02", "nwparser.payload", "msg=\"destination for %{daddr->} is not allowed by access control\" n=%{fld2}", processor_chain([ + dup1, + dup11, + setc("event_description","destination is not allowed by access control"), + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg468 = msg("1079:02", part490); + + var part491 = match("MESSAGE#468:1079:03", "nwparser.payload", "msg=\"SSLVPN Client %{username->} matched device profile Default Device Profile for Windows\" n=%{fld2}", 
processor_chain([ + dup1, + dup11, + setc("event_description","SSLVPN Client matched device profile Default Device Profile for Windows"), + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg469 = msg("1079:03", part491); + + var select154 = linear_select([ + msg466, + msg467, + msg468, + msg469, + ]); + + var part492 = match("MESSAGE#469:1080/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=\"%{username}\" src= %{p0}"); + + var part493 = match("MESSAGE#469:1080/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var select155 = linear_select([ + dup73, + part493, + ]); + + var select156 = linear_select([ + dup77, + dup78, + ]); + + var part494 = match("MESSAGE#469:1080/4", "nwparser.p0", "%{} %{protocol}"); + + var all105 = all_match({ + processors: [ + part492, + select155, + dup10, + select156, + part494, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg470 = msg("1080", all105); + + var part495 = match("MESSAGE#470:580", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var msg471 = msg("580", part495); + + var part496 = match("MESSAGE#471:1369/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); + + var all106 = all_match({ + processors: [ + part496, + dup224, + dup112, + ], + on_success: processor_chain([ + dup70, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg472 = msg("1369", all106); + + var all107 = all_match({ + processors: [ + dup147, + dup211, + dup149, + dup224, + dup112, + ], + on_success: processor_chain([ + dup70, + dup54, + dup17, + 
dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg473 = msg("1370", all107); + + var all108 = all_match({ + processors: [ + dup147, + dup211, + dup161, + dup199, + dup112, + ], + on_success: processor_chain([ + dup70, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg474 = msg("1371", all108); + + var part497 = match("MESSAGE#474:1387/1_1", "nwparser.p0", "%{saddr}:%{sport}: dst=%{p0}"); + + var select157 = linear_select([ + dup138, + part497, + ]); + + var all109 = all_match({ + processors: [ + dup160, + select157, + dup10, + dup211, + dup161, + dup199, + dup112, + ], + on_success: processor_chain([ + dup159, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg475 = msg("1387", all109); + + var part498 = match("MESSAGE#475:1391/0", "nwparser.payload", "pktdatId=%{fld1}pktdatNum=\"%{fld2}\" pktdatEnc=\"%{fld3}\" n=%{fld4}src=%{p0}"); + + var part499 = match("MESSAGE#475:1391/1_1", "nwparser.p0", "%{saddr}:%{sport}dst=%{p0}"); + + var select158 = linear_select([ + dup69, + part499, + ]); + + var part500 = match("MESSAGE#475:1391/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost}"); + + var part501 = match("MESSAGE#475:1391/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); + + var part502 = match("MESSAGE#475:1391/2_2", "nwparser.p0", "%{daddr}:%{dport}"); + + var select159 = linear_select([ + part500, + part501, + part502, + ]); + + var all110 = all_match({ + processors: [ + part498, + select158, + select159, + ], + on_success: processor_chain([ + dup1, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg476 = msg("1391", all110); + + var part503 = match("MESSAGE#476:1253", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1}appName=\"%{application}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\"", 
processor_chain([ + dup5, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var msg477 = msg("1253", part503); + + var part504 = match("MESSAGE#477:1009", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var msg478 = msg("1009", part504); + + var part505 = match("MESSAGE#478:910/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2}appName=\"%{application}\" n=%{fld3}src=%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + + var part506 = match("MESSAGE#478:910/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{p0}"); + + var part507 = match("MESSAGE#478:910/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{p0}"); + + var select160 = linear_select([ + part506, + part507, + ]); + + var part508 = match("MESSAGE#478:910/2", "nwparser.p0", "%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\""); + + var all111 = all_match({ + processors: [ + part505, + select160, + part508, + ], + on_success: processor_chain([ + dup5, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg479 = msg("910", all111); + + var part509 = match("MESSAGE#479:m:01", "nwparser.payload", "m=%{id1}msg=\"%{event_description}\" n=%{fld2}if=%{interface}ucastRx=%{fld3}bcastRx=%{fld4}bytesRx=%{rbytes}ucastTx=%{fld5}bcastTx=%{fld6}bytesTx=%{sbytes}", processor_chain([ + dup1, + dup54, + dup17, + dup82, + dup19, + dup21, + dup37, + ])); + + var msg480 = msg("m:01", part509); + + var part510 = match("MESSAGE#480:1011", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var msg481 = msg("1011", part510); + + var part511 = match("MESSAGE#481:609", "nwparser.payload", "msg=\"%{event_description}\" 
sid=%{sid->} ipscat=\"%{fld3}\" ipspri=%{fld4->} pktdatId=%{fld5->} n=%{fld6->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup164, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var msg482 = msg("609", part511); + + var msg483 = msg("796", dup225); + + var part512 = match("MESSAGE#483:880", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup70, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var msg484 = msg("880", part512); + + var part513 = match("MESSAGE#484:1309", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup159, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var msg485 = msg("1309", part513); + + var msg486 = msg("1310", dup225); + + var part514 = match("MESSAGE#486:1232/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"%{p0}"); + + var part515 = match("MESSAGE#486:1232/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=\"%{p0}"); + + var select161 = linear_select([ + part514, + part515, + ]); + + var part516 = match("MESSAGE#486:1232/2", "nwparser.p0", "%{info}\" fw_action=\"%{action}\""); + + var all112 = all_match({ + processors: [ + dup81, + select161, + part516, + ], + on_success: processor_chain([ + dup1, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg487 = msg("1232", all112); + + var part517 = match("MESSAGE#487:1447/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} appName=\"%{application}\" n=%{fld2->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var all113 = all_match({ + processors: [ + part517, + dup199, + dup112, 
+ ], + on_success: processor_chain([ + dup159, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg488 = msg("1447", all113); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "10": msg9, + "100": msg159, + "1003": msg449, + "1005": msg448, + "1007": msg450, + "1008": msg451, + "1009": msg478, + "101": msg160, + "1011": msg481, + "102": msg161, + "103": msg162, + "104": msg163, + "105": msg164, + "106": msg165, + "107": msg166, + "1079": select154, + "108": msg167, + "1080": msg470, + "1086": msg424, + "109": msg168, + "11": msg10, + "110": msg169, + "1107": msg461, + "111": select66, + "1110": msg408, + "112": msg172, + "113": msg173, + "114": msg174, + "1149": msg426, + "115": select67, + "1153": select150, + "1154": select141, + "1155": select143, + "1159": msg427, + "116": msg177, + "117": msg178, + "118": msg179, + "119": msg180, + "1195": select139, + "1197": msg439, + "1198": msg445, + "1199": select142, + "12": select4, + "120": msg181, + "1201": select144, + "121": msg182, + "122": msg183, + "1220": msg462, + "1222": msg431, + "1226": msg430, + "123": msg184, + "1230": msg463, + "1231": msg464, + "1232": msg487, + "1233": msg465, + "1235": msg438, + "124": msg185, + "125": msg186, + "1253": msg477, + "1254": msg187, + "1256": msg188, + "1257": msg189, + "126": msg190, + "127": msg191, + "128": msg192, + "129": msg193, + "13": msg13, + "130": msg194, + "1309": msg485, + "131": msg195, + "1310": msg486, + "132": msg196, + "133": msg197, + "134": msg198, + "135": msg199, + "136": msg200, + "1369": msg472, + "137": msg201, + "1370": msg473, + "1371": msg474, + "138": msg202, + "1387": msg475, + "139": select68, + "1391": msg476, + "14": select7, + "140": msg205, + "141": msg206, + "142": msg207, + "143": msg208, + "1430": msg425, + "1431": msg209, + "144": msg210, + "1447": msg488, + "145": msg211, + "146": msg212, + "147": msg213, + "148": msg214, + "1480": msg215, + "149": msg216, + "15": msg20, + "150": 
msg217, + "151": msg218, + "152": msg219, + "153": msg220, + "154": msg221, + "155": msg222, + "156": msg223, + "157": select69, + "158": msg226, + "159": msg227, + "16": msg21, + "160": msg228, + "161": msg229, + "162": msg230, + "163": msg231, + "164": msg232, + "165": msg233, + "166": msg234, + "167": msg235, + "168": msg236, + "169": msg237, + "17": msg22, + "170": msg238, + "171": select70, + "172": select71, + "173": msg245, + "174": select72, + "175": select73, + "176": msg253, + "177": msg254, + "178": msg255, + "179": msg256, + "18": msg23, + "180": select74, + "181": select75, + "19": msg24, + "193": msg261, + "194": msg262, + "195": msg263, + "196": select78, + "199": msg266, + "20": msg25, + "200": msg267, + "21": msg26, + "22": msg27, + "23": select10, + "235": select79, + "236": msg271, + "237": msg272, + "238": msg273, + "239": msg274, + "24": select11, + "240": msg275, + "241": select80, + "242": msg278, + "243": msg403, + "25": msg34, + "252": msg279, + "255": msg280, + "257": msg281, + "26": msg35, + "261": select83, + "262": msg284, + "263": msg413, + "264": msg414, + "267": select136, + "27": msg36, + "273": msg285, + "28": select12, + "29": select13, + "30": select14, + "31": select15, + "32": select16, + "328": msg286, + "329": msg287, + "33": select17, + "34": msg52, + "346": msg288, + "35": select19, + "350": msg289, + "351": msg290, + "352": msg291, + "353": select84, + "354": msg294, + "355": select85, + "356": msg297, + "357": select86, + "358": msg300, + "36": select23, + "37": select27, + "371": select87, + "372": msg303, + "373": msg304, + "38": select30, + "39": msg67, + "4": msg1, + "40": msg68, + "401": msg305, + "402": msg306, + "403": msg400, + "404": msg410, + "406": msg307, + "41": select31, + "412": msg415, + "413": msg308, + "414": msg309, + "42": msg72, + "427": msg156, + "428": msg157, + "43": msg73, + "438": msg310, + "439": msg311, + "44": msg74, + "440": msg312, + "441": select88, + "442": msg315, + "446": msg316, + "45": 
select32, + "46": select33, + "47": msg82, + "477": msg317, + "48": msg83, + "49": msg84, + "5": select2, + "50": msg85, + "509": msg318, + "51": msg86, + "52": msg87, + "520": msg319, + "522": select91, + "523": msg323, + "524": select94, + "526": select97, + "53": msg88, + "534": msg401, + "537": select116, + "538": msg346, + "549": msg347, + "557": msg348, + "558": msg349, + "561": msg350, + "562": msg351, + "563": msg352, + "565": msg409, + "58": msg89, + "580": msg471, + "583": msg353, + "597": select117, + "598": select118, + "6": select3, + "60": msg90, + "602": select119, + "605": msg363, + "606": msg364, + "608": msg365, + "609": msg482, + "61": msg91, + "614": msg421, + "616": msg366, + "62": msg92, + "63": select34, + "64": msg95, + "65": msg96, + "654": msg455, + "657": select133, + "658": msg367, + "66": msg97, + "67": select35, + "670": msg456, + "68": msg100, + "69": msg101, + "7": msg6, + "70": select37, + "708": msg452, + "709": msg447, + "710": msg368, + "712": select123, + "713": select124, + "714": msg446, + "72": select38, + "73": msg106, + "74": msg107, + "748": msg422, + "75": msg108, + "76": msg109, + "760": select125, + "766": msg378, + "77": msg110, + "78": msg111, + "79": msg112, + "793": msg416, + "794": msg423, + "796": msg483, + "8": msg7, + "80": msg113, + "805": msg417, + "809": select137, + "81": msg114, + "82": select39, + "83": select40, + "84": msg122, + "860": select126, + "866": select128, + "867": select129, + "87": select42, + "88": select43, + "880": msg484, + "882": select130, + "884": msg457, + "888": select131, + "89": select45, + "892": msg389, + "9": msg8, + "90": msg129, + "904": msg390, + "905": msg391, + "906": msg392, + "907": msg393, + "908": msg394, + "909": msg395, + "91": msg130, + "910": msg479, + "914": msg396, + "92": msg131, + "93": msg132, + "931": msg397, + "935": msg420, + "94": msg133, + "95": msg134, + "96": msg135, + "97": select52, + "98": select65, + "986": msg155, + "99": msg158, + "994": msg402, + 
"995": msg404, + "997": msg405, + "998": select134, + "m": msg480, + "msg": msg436, + "src": msg437, + }), + ]); + + var part518 = match("MESSAGE#14:14:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part519 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + + var part520 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part521 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{} %{p0}"); + + var part522 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var part523 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); + + var part524 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part525 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); + + var part526 = match("MESSAGE#38:29:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); + + var part527 = match("MESSAGE#38:29:01/3_1", "nwparser.p0", "%{daddr->} "); + + var part528 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); + + var part529 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); + + var part530 = match("MESSAGE#54:36:01/2_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); + + var part531 = match("MESSAGE#54:36:01/2_1", "nwparser.p0", "%{saddr->} %{p0}"); + + var part532 = match("MESSAGE#54:36:01/3", "nwparser.p0", "%{}dst= %{p0}"); + + var part533 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part534 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); + + var part535 = match("MESSAGE#57:37:01/1_1", "nwparser.p0", "n=%{fld1->} src=%{p0}"); + + var part536 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); + + var part537 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + + var part538 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{} %{protocol->} npcs=%{info}"); + + var part539 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); + + var part540 = match("MESSAGE#62:38:01/5_1", "nwparser.p0", "rule=%{rule->} "); + + var part541 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} type= %{p0}"); + + var part542 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} type= %{p0}"); + + var part543 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{p0}"); + + var part544 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part545 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); + + var part546 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); + + var part547 = match("MESSAGE#135:97:01/7_1", "nwparser.p0", "dstname=%{name->} "); + + var part548 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part549 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{p0}"); + + var part550 = match("MESSAGE#140:97:06/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + + var part551 = match("MESSAGE#145:98/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); + + var part552 = match("MESSAGE#145:98/3_0", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + + var part553 = match("MESSAGE#147:98:01/4_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); + + var part554 = match("MESSAGE#147:98:01/4_2", "nwparser.p0", "%{saddr}dst=%{p0}"); + + var part555 = match("MESSAGE#147:98:01/6_1", 
"nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var part556 = match("MESSAGE#147:98:01/6_2", "nwparser.p0", " %{daddr->} %{p0}"); + + var part557 = match("MESSAGE#148:98:06/5_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + + var part558 = match("MESSAGE#148:98:06/5_3", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var part559 = match("MESSAGE#149:98:02/4", "nwparser.p0", "%{}proto=%{protocol}"); + + var part560 = match("MESSAGE#154:427/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); + + var part561 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part562 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} npcs= %{p0}"); + + var part563 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs= %{p0}"); + + var part564 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{} %{info}"); + + var part565 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note= %{p0}"); + + var part566 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note= %{p0}"); + + var part567 = match("MESSAGE#256:180:01/4", "nwparser.p0", "%{}\"%{fld3}\" npcs=%{info}"); + + var part568 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); + + var part569 = match("MESSAGE#260:194/1_0", "nwparser.p0", "sent=%{sbytes->} "); + + var part570 = match("MESSAGE#260:194/1_1", "nwparser.p0", " rcvd=%{rbytes}"); + + var part571 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); + + var part572 = match("MESSAGE#262:196/2", "nwparser.p0", "%{method}"); + + var part573 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} 
src=%{p0}"); + + var part574 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); + + var part575 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); + + var part576 = match("MESSAGE#302:401/1_1", "nwparser.p0", " %{space}"); + + var part577 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); + + var part578 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); + + var part579 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); + + var part580 = match("MESSAGE#318:522:01/4", "nwparser.p0", "%{}proto=%{protocol->} npcs=%{info}"); + + var part581 = match("MESSAGE#321:524/5_0", "nwparser.p0", "proto=%{protocol->} "); + + var part582 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part583 = match("MESSAGE#332:537:08/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} appName=\"%{application}\"n=%{p0}"); + + var part584 = match("MESSAGE#332:537:08/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); + + var part585 = match("MESSAGE#332:537:08/0_2", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51}n=%{p0}"); + + var part586 = match("MESSAGE#332:537:08/0_3", "nwparser.payload", "msg=\"%{event_description}\"n=%{p0}"); + + var part587 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); + + var part588 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", "%{fld1}src=%{p0}"); + + var part589 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); + + var part590 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + + var part591 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", " proto=%{protocol->} sent=%{p0}"); + + var 
part592 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); + + var part593 = match("MESSAGE#333:537:09/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} %{p0}"); + + var part594 = match("MESSAGE#333:537:09/5_1", "nwparser.p0", "%{sbytes->} %{p0}"); + + var part595 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", " spkt=%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); + + var part596 = match("MESSAGE#333:537:09/6_1", "nwparser.p0", "spkt=%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); + + var part597 = match("MESSAGE#333:537:09/6_2", "nwparser.p0", "spkt=%{fld3->} cdur=%{fld7->} "); + + var part598 = match("MESSAGE#333:537:09/6_3", "nwparser.p0", " spkt=%{fld3}"); + + var part599 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part600 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); + + var part601 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "%{fld2->} usr=\"%{username}\" %{p0}"); + + var part602 = match("MESSAGE#338:537:10/1_1", "nwparser.p0", "%{fld2->} %{p0}"); + + var part603 = match("MESSAGE#338:537:10/2", "nwparser.p0", "%{}src=%{p0}"); + + var part604 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part605 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); + + var part606 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info->} "); + + var part607 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12->} "); + + var part608 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part609 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part610 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{daddr}:%{dport->} 
srcMac=%{p0}"); + + var part611 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); + + var part612 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); + + var part613 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); + + var part614 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part615 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part616 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); + + var part617 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); + + var part618 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); + + var part619 = match("MESSAGE#366:712:02/5", "nwparser.p0", "%{fld51}"); + + var part620 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{p0}"); + + var part621 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part622 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{} %{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); + + var part623 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part624 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=%{p0}"); + + var part625 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{daddr}:%{dport->} note=%{p0}"); + + var part626 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); + + var part627 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); + + var part628 = match("MESSAGE#471:1369/1_1", "nwparser.p0", 
"%{protocol}fw_action=\"%{p0}"); + + var select162 = linear_select([ + dup8, + dup9, + ]); + + var select163 = linear_select([ + dup15, + dup16, + ]); + + var part629 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, + ])); + + var select164 = linear_select([ + dup25, + dup26, + ]); + + var select165 = linear_select([ + dup27, + dup28, + ]); + + var select166 = linear_select([ + dup34, + dup35, + ]); + + var select167 = linear_select([ + dup25, + dup39, + ]); + + var select168 = linear_select([ + dup41, + dup42, + ]); + + var select169 = linear_select([ + dup46, + dup47, + ]); + + var select170 = linear_select([ + dup49, + dup50, + ]); + + var part630 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup62, + ])); + + var part631 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup5, + ])); + + var select171 = linear_select([ + dup71, + dup75, + dup76, + ]); + + var select172 = linear_select([ + dup8, + dup25, + ]); + + var part632 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ + dup1, + ])); + + var select173 = linear_select([ + dup88, + dup89, + ]); + + var part633 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup5, + ])); + + var select174 = linear_select([ + dup92, + dup93, + ]); + + var select175 = linear_select([ + dup96, + dup97, + ]); + + var part634 = match("MESSAGE#277:252", "nwparser.payload", 
"msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup87, + ])); + + var part635 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup87, + ])); + + var part636 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup1, + ])); + + var part637 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, + ])); + + var part638 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, + ])); + + var select176 = linear_select([ + dup66, + dup108, + ]); + + var select177 = linear_select([ + dup110, + dup111, + ]); + + var select178 = linear_select([ + dup115, + dup45, + ]); + + var select179 = linear_select([ + dup8, + dup26, + ]); + + var select180 = linear_select([ + dup8, + dup25, + dup39, + ]); + + var select181 = linear_select([ + dup71, + dup15, + dup16, + ]); + + var select182 = linear_select([ + dup121, + dup122, + ]); + + var select183 = linear_select([ + dup68, + dup69, + dup74, + ]); + + var select184 = linear_select([ + dup127, + dup128, + ]); + + var select185 = linear_select([ + dup41, + dup42, + dup134, + ]); + + var select186 = linear_select([ + dup135, + dup136, + ]); + + var select187 = linear_select([ + dup138, + dup139, + ]); + + var select188 = linear_select([ + dup140, + dup141, + ]); + + var select189 = linear_select([ + dup49, + dup148, + ]); + + var part639 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup150, + ])); + + var select190 = linear_select([ + dup152, + dup40, + ]); + + var 
select191 = linear_select([ + dup154, + dup155, + ]); + + var select192 = linear_select([ + dup156, + dup157, + ]); + + var part640 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup5, + ])); + + var part641 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ + dup5, + ])); + + var part642 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ + dup5, + dup23, + ])); + + var part643 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, + ])); + + var part644 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + dup23, + ])); + + var part645 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup163, + dup37, + ])); + + var part646 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ + dup1, + ])); + + var select193 = linear_select([ + dup169, + dup170, + ]); + + var select194 = linear_select([ + dup172, + dup173, + ]); + + var part647 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup1, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var all114 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var all115 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup85, + ]), + }); + + var all116 = 
all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup59, + ]), + }); + + var all117 = all_match({ + processors: [ + dup95, + dup192, + ], + on_success: processor_chain([ + dup59, + ]), + }); + + var all118 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup100, + ]), + }); + + var all119 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup29, + ]), + }); + + var all120 = all_match({ + processors: [ + dup102, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup103, + ]), + }); + + var all121 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup106, + ]), + }); + + var all122 = all_match({ + processors: [ + dup107, + dup198, + ], + on_success: processor_chain([ + dup87, + ]), + }); + + var all123 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup109, + ]), + }); + + var all124 = all_match({ + processors: [ + dup44, + dup179, + dup36, + dup178, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var all125 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup175, + dup79, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var all126 = all_match({ + processors: [ + dup151, + dup213, + dup153, + dup214, + dup215, + dup158, + ], + on_success: processor_chain([ + dup150, + dup51, + dup52, + dup53, + dup54, + dup37, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var all127 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup191, + dup94, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var all128 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), + }); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + 
fields: + ecs.version: 1.5.0 diff --git a/packages/sonicwall/0.1.0/dataset/firewall/agent/stream/tcp.yml.hbs b/packages/sonicwall/0.1.0/dataset/firewall/agent/stream/tcp.yml.hbs new file mode 100644 index 0000000000..7c98d0b32b --- /dev/null +++ b/packages/sonicwall/0.1.0/dataset/firewall/agent/stream/tcp.yml.hbs 
@@ -0,0 +1,9578 @@ +tcp: +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Sonicwall" + product: "Firewalls" + type: "Firewall" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+ var uriScheme = 1;
+ var uriDomain = 5;
+ var uriPort = 6;
+ var uriPath = 7;
+ var uriPathAlt = 9;
+ var uriQuery = 11;
+
+ function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+ }
+
+ function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+ }
+
+ function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+ }
+
+ var extFromPage = /\.[^.]+$/;
+ function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+ }
+
+ function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+ }
+
+ function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+ }
+
+ var pageFromPathRegExp = /\/([^\/]+)$/;
+ var pageName = 1;
+
+ function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+ }
+
+ function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+ }
+
+ function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+ }
+
+ function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+ }
+
+ // Map common schemes to their default port.
+ // port has to be a string (will be converted at a later stage).
+ var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+ };
+
+ function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+ }
+
+ function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+ }
+
+ function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+ }
+
+ function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+ }
+
+ function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+ }
+
+ function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+ }
+
+ var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field:
"source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter:
fld_prio, prio: 0}]},
+ "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field:
"network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field:
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain":
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user",
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field:
"rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field:
"rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field:
"rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl",
setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field:
"rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field:
"rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter:
fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field:
"rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]},
+ "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
+ "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
+ "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
+ "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
+ "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
+ "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
+ "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
+ "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
+ "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
+ "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
+ "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
+ "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
+ "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
+ "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
+ "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
+ "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
+ "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
+ "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
+ "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
+ "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
+ "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
+ "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
+ "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
+ "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
+ "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
+ "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]},
+ "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
+ "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
+ "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
+ "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
+ "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
+ "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
+ "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
+ "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
+ "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
+ "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
+ "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
+ "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
+ "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
+ "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
+ "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
+ "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
+ "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
+ "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
+ "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
+ "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
+ "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
+ "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
+ "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
+ "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
+ "number": {to:[{field: "rsa.misc.number", setter: fld_set}]},
+ "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
+ "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
+ "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
+ "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
+
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
+ "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
+ "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
+ "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
+ "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
+ "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
+ "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
+ "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
+ "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
+ "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
+ "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
+ "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
+ "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
+ "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
+ "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
+ "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
+ "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
+ "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
+ "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
+ "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
+ "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
+ "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
+ "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
+ "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
+ "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
+ "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
+ "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
+ "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]},
+ "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
+ "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
+ "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
+ "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
+ "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
+ "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
+ "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
+ "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
+ "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
+ "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
+ "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
+ "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
+ "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
+ "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
+ "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
+ "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
+ "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
+ "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
+ "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
+ "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
+ "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
+ "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
+ "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
+ "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
+ "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
+ "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
+ "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]},
+ "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
+ "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
+ "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
+ "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
+ "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
+ "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
+ "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
+ "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
+ "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
+ "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
+ "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
+ "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
+ "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
+ "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
+ "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
+ "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
+ "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
+ "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
+ "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
+ "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
+ "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
+ "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
+ "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
+ "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
+ "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
+ "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
+ "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]},
+ "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
+ "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
+ "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
+ "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
+ "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
+ "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
+ "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
+ "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
+ "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
+ "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
+ "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
+ "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
+ "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
+ "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
+ "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
+ "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
+ "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
+ "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
+ "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
+ "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
+ "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]},
+ "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
+ "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
+ "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
+
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
+ "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
+ "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
+ "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
+ "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
+ "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
+ "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
+ "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
+ "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
+ "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
+ "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
+ "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
+ "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
+ "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
+ "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
+ "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
+ "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
+ "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
+ "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
+ "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
+ "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
+ "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
+ "second": {to:[{field: "rsa.misc.second", setter: fld_set}]},
+ "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
+ "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
+ "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
+ "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]},
+ "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
+ "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
+ "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
+ "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
+ "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
+ "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
+ "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
+ "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
+ "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
+ "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
+ "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
+ "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
+ "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
+ "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
+ "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
+ "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
+ "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
+ "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
+ "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
+ "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
+ "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
+ "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]},
+ "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
+ "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
+ "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
+ "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
+ "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]},
+ "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
+ "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
+ "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
+ "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
+ "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
+ "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
+ "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
+ "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
+ "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
+ "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
+ "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
+ "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
+ "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
+ "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
+ "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
+ "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
+ "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
+ "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
+ "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
+ "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
+ "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
+ "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
+ "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
+ "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]},
+ "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
+ "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
+ "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
+ "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]},
+ "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
+ "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
+ "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
+ "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
+ "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
+ "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
+ "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
+ "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
+ "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
+ "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
+ "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
+ "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
+ "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
+ "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
+ "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
+ "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
+ "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
+ "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
+ "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
+ "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
+ "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
+ "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
+ "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]},
+ "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
+ "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
+ "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
+ "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]},
+ "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]},
+ "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]},
+ "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]},
+ "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]},
+ "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]},
+ "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]},
+ "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]},
+ "version": {to:[{field: "rsa.misc.version", setter: fld_set}]},
+ "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]},
+ "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]},
+ "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]},
+ "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]},
+ "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]},
+ "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]},
+ "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]},
+ "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]},
+ "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]},
+ "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]},
+ "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]},
+ "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]},
+ "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]},
+ "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]},
+ "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]},
+ "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]},
+ "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]},
+
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
+ "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
+ "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
+ "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
+ "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
+ "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
+ };
+
+ function to_date(value) {
+ switch (typeof (value)) {
+ case "object":
+ // This is a Date. But as it was obtained from evt.Get(), the VM
+ // doesn't see it as a JS Date anymore, thus value instanceof Date === false.
+ // Have to trust that any object here is a valid Date for Go.
+ return value;
+ case "string":
+ var asDate = new Date(value);
+ if (!isNaN(asDate)) return asDate;
+ }
+ }
+
+ // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
+ var maxSafeInt = Math.pow(2, 53) - 1;
+ var minSafeInt = -maxSafeInt;
+
+ function to_long(value) {
+ var num = parseInt(value);
+ // Better not to index a number if it's not safe (above 53 bits).
+ return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} n=%{fld2->} src=%{p0}"); + + var dup8 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + + var dup9 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var dup10 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{} %{p0}"); + + var dup11 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup12 = setc("eventcategory","1502010000"); + + var dup13 = setc("eventcategory","1502020000"); + + var dup14 = setc("eventcategory","1002010000"); + + var dup15 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var dup16 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); + + var dup17 = setf("hostip","hhostip"); + + var dup18 = setf("id","hid"); + + var dup19 = setf("serial_number","hserial_number"); + + var dup20 = setf("category","hcategory"); + + var dup21 = setf("severity","hseverity"); + + var dup22 = setc("eventcategory","1805010000"); + + var dup23 = call({ + dest: "nwparser.msg", + fn: RMQ, + args: [ + field("msg"), + ], + }); + + var dup24 = setc("eventcategory","1302000000"); + + var dup25 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var dup26 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); + + var dup27 = match("MESSAGE#38:29:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); + + var dup28 = match("MESSAGE#38:29:01/3_1", "nwparser.p0", "%{daddr->} "); + + var dup29 = setc("eventcategory","1401050100"); + + var dup30 = setc("eventcategory","1401030000"); + + var dup31 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); + + var dup32 = setc("eventcategory","1301020000"); + + var 
dup33 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); + + var dup34 = match("MESSAGE#54:36:01/2_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); + + var dup35 = match("MESSAGE#54:36:01/2_1", "nwparser.p0", "%{saddr->} %{p0}"); + + var dup36 = match("MESSAGE#54:36:01/3", "nwparser.p0", "%{}dst= %{p0}"); + + var dup37 = date_time({ + dest: "event_time", + args: ["date","time"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup38 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup39 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); + + var dup40 = match("MESSAGE#57:37:01/1_1", "nwparser.p0", "n=%{fld1->} src=%{p0}"); + + var dup41 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); + + var dup42 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + + var dup43 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{} %{protocol->} npcs=%{info}"); + + var dup44 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); + + var dup45 = match("MESSAGE#62:38:01/5_1", "nwparser.p0", "rule=%{rule->} "); + + var dup46 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} type= %{p0}"); + + var dup47 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} type= %{p0}"); + + var dup48 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{p0}"); + + var dup49 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var dup50 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); + + var dup51 = setc("ec_subject","NetworkComm"); + + var dup52 = setc("ec_activity","Deny"); + + var dup53 = setc("ec_theme","Communication"); + + var dup54 = 
setf("msg","$MSG"); + + var dup55 = setc("action","dropped"); + + var dup56 = setc("eventcategory","1608010000"); + + var dup57 = setc("eventcategory","1302010000"); + + var dup58 = setc("eventcategory","1301000000"); + + var dup59 = setc("eventcategory","1001000000"); + + var dup60 = setc("eventcategory","1003030000"); + + var dup61 = setc("eventcategory","1003050000"); + + var dup62 = setc("eventcategory","1103000000"); + + var dup63 = setc("eventcategory","1603110000"); + + var dup64 = setc("eventcategory","1605020000"); + + var dup65 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); + + var dup66 = match("MESSAGE#135:97:01/7_1", "nwparser.p0", "dstname=%{name->} "); + + var dup67 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup68 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{p0}"); + + var dup69 = match("MESSAGE#140:97:06/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + + var dup70 = setc("eventcategory","1801000000"); + + var dup71 = match("MESSAGE#145:98/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); + + var dup72 = match("MESSAGE#145:98/3_0", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + + var dup73 = match("MESSAGE#147:98:01/4_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); + + var dup74 = match("MESSAGE#147:98:01/4_2", "nwparser.p0", "%{saddr}dst=%{p0}"); + + var dup75 = match("MESSAGE#147:98:01/6_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var dup76 = match("MESSAGE#147:98:01/6_2", "nwparser.p0", " %{daddr->} %{p0}"); + + var dup77 = match("MESSAGE#148:98:06/5_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + + var dup78 = match("MESSAGE#148:98:06/5_3", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var dup79 = match("MESSAGE#149:98:02/4", 
"nwparser.p0", "%{}proto=%{protocol}"); + + var dup80 = match("MESSAGE#154:427/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); + + var dup81 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var dup82 = setf("id","hfld1"); + + var dup83 = setc("eventcategory","1001020309"); + + var dup84 = setc("eventcategory","1303000000"); + + var dup85 = setc("eventcategory","1801010100"); + + var dup86 = setc("eventcategory","1604010000"); + + var dup87 = setc("eventcategory","1002020000"); + + var dup88 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} npcs= %{p0}"); + + var dup89 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs= %{p0}"); + + var dup90 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{} %{info}"); + + var dup91 = setc("eventcategory","1001010000"); + + var dup92 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note= %{p0}"); + + var dup93 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note= %{p0}"); + + var dup94 = match("MESSAGE#256:180:01/4", "nwparser.p0", "%{}\"%{fld3}\" npcs=%{info}"); + + var dup95 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); + + var dup96 = match("MESSAGE#260:194/1_0", "nwparser.p0", "sent=%{sbytes->} "); + + var dup97 = match("MESSAGE#260:194/1_1", "nwparser.p0", " rcvd=%{rbytes}"); + + var dup98 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); + + var dup99 = match("MESSAGE#262:196/2", "nwparser.p0", "%{method}"); + + var dup100 = setc("eventcategory","1401060000"); + + var dup101 = setc("eventcategory","1804000000"); + + var dup102 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} 
src=%{p0}"); + + var dup103 = setc("eventcategory","1401070000"); + + var dup104 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); + + var dup105 = setc("eventcategory","1801030000"); + + var dup106 = setc("eventcategory","1402020300"); + + var dup107 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); + + var dup108 = match("MESSAGE#302:401/1_1", "nwparser.p0", " %{space}"); + + var dup109 = setc("eventcategory","1402000000"); + + var dup110 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); + + var dup111 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); + + var dup112 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); + + var dup113 = setc("eventcategory","1803020000"); + + var dup114 = match("MESSAGE#318:522:01/4", "nwparser.p0", "%{}proto=%{protocol->} npcs=%{info}"); + + var dup115 = match("MESSAGE#321:524/5_0", "nwparser.p0", "proto=%{protocol->} "); + + var dup116 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup117 = match("MESSAGE#332:537:08/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} appName=\"%{application}\"n=%{p0}"); + + var dup118 = match("MESSAGE#332:537:08/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); + + var dup119 = match("MESSAGE#332:537:08/0_2", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51}n=%{p0}"); + + var dup120 = match("MESSAGE#332:537:08/0_3", "nwparser.payload", "msg=\"%{event_description}\"n=%{p0}"); + + var dup121 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); + + var dup122 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", "%{fld1}src=%{p0}"); + + var dup123 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); + + var dup124 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + + var dup125 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", " proto=%{protocol->} sent=%{p0}"); + + var dup126 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); + + var dup127 = match("MESSAGE#333:537:09/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} %{p0}"); + + var dup128 = match("MESSAGE#333:537:09/5_1", "nwparser.p0", "%{sbytes->} %{p0}"); + + var dup129 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", " spkt=%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); + + var dup130 = match("MESSAGE#333:537:09/6_1", "nwparser.p0", "spkt=%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); + + var dup131 = match("MESSAGE#333:537:09/6_2", "nwparser.p0", "spkt=%{fld3->} cdur=%{fld7->} "); + + var dup132 = match("MESSAGE#333:537:09/6_3", "nwparser.p0", " spkt=%{fld3}"); + + var dup133 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup134 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); + + var dup135 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "%{fld2->} usr=\"%{username}\" %{p0}"); + + var dup136 = match("MESSAGE#338:537:10/1_1", "nwparser.p0", "%{fld2->} %{p0}"); + + var dup137 = match("MESSAGE#338:537:10/2", "nwparser.p0", "%{}src=%{p0}"); + + var dup138 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var dup139 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); + + var dup140 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info->} "); + + var dup141 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12->} "); + + var dup142 = setc("event_description","Connection Closed"); + + var dup143 = setc("eventcategory","1801020000"); + + var dup144 
= setc("ec_activity","Permit"); + + var dup145 = setc("action","allowed"); + + var dup146 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var dup147 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var dup148 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); + + var dup149 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); + + var dup150 = setc("eventcategory","1001030500"); + + var dup151 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); + + var dup152 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); + + var dup153 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var dup154 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var dup155 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); + + var dup156 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); + + var dup157 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); + + var dup158 = match("MESSAGE#366:712:02/5", "nwparser.p0", "%{fld51}"); + + var dup159 = setc("eventcategory","1801010000"); + + var dup160 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{p0}"); + + var dup161 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var dup162 = setc("eventcategory","1003010000"); + + var dup163 = setc("eventcategory","1609000000"); + + var dup164 = setc("eventcategory","1204000000"); + + var dup165 = 
setc("eventcategory","1602000000"); + + var dup166 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{} %{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); + + var dup167 = setc("eventcategory","1803000000"); + + var dup168 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var dup169 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=%{p0}"); + + var dup170 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{daddr}:%{dport->} note=%{p0}"); + + var dup171 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); + + var dup172 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); + + var dup173 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); + + var dup174 = linear_select([ + dup8, + dup9, + ]); + + var dup175 = linear_select([ + dup15, + dup16, + ]); + + var dup176 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, + ])); + + var dup177 = linear_select([ + dup25, + dup26, + ]); + + var dup178 = linear_select([ + dup27, + dup28, + ]); + + var dup179 = linear_select([ + dup34, + dup35, + ]); + + var dup180 = linear_select([ + dup25, + dup39, + ]); + + var dup181 = linear_select([ + dup41, + dup42, + ]); + + var dup182 = linear_select([ + dup46, + dup47, + ]); + + var dup183 = linear_select([ + dup49, + dup50, + ]); + + var dup184 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup62, + ])); + + var dup185 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup5, + ])); 
+ + var dup186 = linear_select([ + dup71, + dup75, + dup76, + ]); + + var dup187 = linear_select([ + dup8, + dup25, + ]); + + var dup188 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ + dup1, + ])); + + var dup189 = linear_select([ + dup88, + dup89, + ]); + + var dup190 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup5, + ])); + + var dup191 = linear_select([ + dup92, + dup93, + ]); + + var dup192 = linear_select([ + dup96, + dup97, + ]); + + var dup193 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup87, + ])); + + var dup194 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup87, + ])); + + var dup195 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup1, + ])); + + var dup196 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, + ])); + + var dup197 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, + ])); + + var dup198 = linear_select([ + dup66, + dup108, + ]); + + var dup199 = linear_select([ + dup110, + dup111, + ]); + + var dup200 = linear_select([ + dup115, + dup45, + ]); + + var dup201 = linear_select([ + dup8, + dup26, + ]); + + var dup202 = linear_select([ + dup8, + dup25, + dup39, + ]); + + var dup203 = linear_select([ + dup71, + dup15, + dup16, + ]); + + var dup204 = 
linear_select([ + dup121, + dup122, + ]); + + var dup205 = linear_select([ + dup68, + dup69, + dup74, + ]); + + var dup206 = linear_select([ + dup127, + dup128, + ]); + + var dup207 = linear_select([ + dup41, + dup42, + dup134, + ]); + + var dup208 = linear_select([ + dup135, + dup136, + ]); + + var dup209 = linear_select([ + dup138, + dup139, + ]); + + var dup210 = linear_select([ + dup140, + dup141, + ]); + + var dup211 = linear_select([ + dup49, + dup148, + ]); + + var dup212 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup150, + ])); + + var dup213 = linear_select([ + dup152, + dup40, + ]); + + var dup214 = linear_select([ + dup154, + dup155, + ]); + + var dup215 = linear_select([ + dup156, + dup157, + ]); + + var dup216 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup5, + ])); + + var dup217 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ + dup5, + ])); + + var dup218 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ + dup5, + dup23, + ])); + + var dup219 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, + ])); + + var dup220 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + dup23, + ])); + + var dup221 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup163, + dup37, + ])); + + var dup222 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} 
n=%{fld2}", processor_chain([ + dup1, + ])); + + var dup223 = linear_select([ + dup169, + dup170, + ]); + + var dup224 = linear_select([ + dup172, + dup173, + ]); + + var dup225 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup1, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var dup226 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var dup227 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup85, + ]), + }); + + var dup228 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup59, + ]), + }); + + var dup229 = all_match({ + processors: [ + dup95, + dup192, + ], + on_success: processor_chain([ + dup59, + ]), + }); + + var dup230 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup100, + ]), + }); + + var dup231 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup29, + ]), + }); + + var dup232 = all_match({ + processors: [ + dup102, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup103, + ]), + }); + + var dup233 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup106, + ]), + }); + + var dup234 = all_match({ + processors: [ + dup107, + dup198, + ], + on_success: processor_chain([ + dup87, + ]), + }); + + var dup235 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup109, + ]), + }); + + var dup236 = all_match({ + processors: [ + dup44, + dup179, + dup36, + dup178, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var dup237 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup175, + 
dup79, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var dup238 = all_match({ + processors: [ + dup151, + dup213, + dup153, + dup214, + dup215, + dup158, + ], + on_success: processor_chain([ + dup150, + dup51, + dup52, + dup53, + dup54, + dup37, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var dup239 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup191, + dup94, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var dup240 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var hdr1 = match("HEADER#0:0001", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0001"), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} %{messageid}= %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("= "), + field("payload"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0003"), + ])); + + var hdr4 = match("HEADER#3:0004", "message", "%{hfld20->} id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var part1 = match("MESSAGE#0:4", "nwparser.payload", "SonicWALL activated%{}", processor_chain([ + dup1, + ])); + + var msg1 = msg("4", part1); + + var part2 = 
match("MESSAGE#1:5", "nwparser.payload", "Log Cleared%{}", processor_chain([ + dup1, + ])); + + var msg2 = msg("5", part2); + + var part3 = match("MESSAGE#2:5:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg3 = msg("5:01", part3); + + var select2 = linear_select([ + msg2, + msg3, + ]); + + var part4 = match("MESSAGE#3:6", "nwparser.payload", "Log successfully sent via email%{}", processor_chain([ + dup1, + ])); + + var msg4 = msg("6", part4); + + var part5 = match("MESSAGE#4:6:01", "nwparser.payload", "msg=\"Log successfully sent via email\" n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg5 = msg("6:01", part5); + + var select3 = linear_select([ + msg4, + msg5, + ]); + + var part6 = match("MESSAGE#5:7", "nwparser.payload", "Log full; deactivating SonicWALL%{}", processor_chain([ + dup2, + ])); + + var msg6 = msg("7", part6); + + var part7 = match("MESSAGE#6:8", "nwparser.payload", "New Filter list loaded%{}", processor_chain([ + dup3, + ])); + + var msg7 = msg("8", part7); + + var part8 = match("MESSAGE#7:9", "nwparser.payload", "No new Filter list available%{}", processor_chain([ + dup4, + ])); + + var msg8 = msg("9", part8); + + var part9 = match("MESSAGE#8:10", "nwparser.payload", "Problem loading the Filter list; check Filter settings%{}", processor_chain([ + dup4, + ])); + + var msg9 = msg("10", part9); + + var part10 = match("MESSAGE#9:11", "nwparser.payload", "Problem loading the Filter list; check your DNS server%{}", processor_chain([ + dup4, + ])); + + var msg10 = msg("11", part10); + + var part11 = match("MESSAGE#10:12", "nwparser.payload", "Problem sending log email; check log settings%{}", processor_chain([ + dup5, + ])); + + var msg11 = msg("12", part11); + + var part12 = match("MESSAGE#11:12:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup5, + ])); + + var msg12 = msg("12:01", part12); + + var select4 = linear_select([ + msg11, + msg12, + ]); + + var part13 = 
match("MESSAGE#12:13", "nwparser.payload", "Restarting SonicWALL; dumping log to email%{}", processor_chain([ + dup1, + ])); + + var msg13 = msg("13", part13); + + var part14 = match("MESSAGE#13:14/0", "nwparser.payload", "%{} %{p0}"); + + var part15 = match("MESSAGE#13:14/1_0", "nwparser.p0", "msg=\"Web site access denied\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstname=%{dhost->} arg=%{fld2->} code=%{icmpcode->} "); + + var part16 = match("MESSAGE#13:14/1_1", "nwparser.p0", "Web site blocked %{}"); + + var select5 = linear_select([ + part15, + part16, + ]); + + var all1 = all_match({ + processors: [ + part14, + select5, + ], + on_success: processor_chain([ + dup6, + setc("action","Web site access denied"), + ]), + }); + + var msg14 = msg("14", all1); + + var part17 = match("MESSAGE#14:14:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} code= %{p0}"); + + var part18 = match("MESSAGE#14:14:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} code= %{p0}"); + + var select6 = linear_select([ + part17, + part18, + ]); + + var part19 = match("MESSAGE#14:14:01/4", "nwparser.p0", "%{} %{fld3->} Category=%{fld4->} npcs=%{info}"); + + var all2 = all_match({ + processors: [ + dup7, + dup174, + dup10, + select6, + part19, + ], + on_success: processor_chain([ + dup6, + ]), + }); + + var msg15 = msg("14:01", all2); + + var part20 = match("MESSAGE#15:14:02", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg16 = msg("14:02", part20); + + var part21 = match("MESSAGE#16:14:03", "nwparser.payload", "msg=\"%{msg}\" 
app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg17 = msg("14:03", part21); + + var part22 = match("MESSAGE#17:14:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg18 = msg("14:04", part22); + + var part23 = match("MESSAGE#18:14:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr}dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg19 = msg("14:05", part23); + + var select7 = linear_select([ + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + ]); + + var part24 = match("MESSAGE#19:15", "nwparser.payload", "Newsgroup blocked%{}", processor_chain([ + dup12, + ])); + + var msg20 = msg("15", part24); + + var part25 = match("MESSAGE#20:16", "nwparser.payload", "Web site accessed%{}", processor_chain([ + dup13, + ])); + + var msg21 = msg("16", part25); + + var part26 = match("MESSAGE#21:17", "nwparser.payload", "Newsgroup accessed%{}", processor_chain([ + dup13, + ])); + + var msg22 = msg("17", part26); + + var part27 = match("MESSAGE#22:18", "nwparser.payload", "ActiveX blocked%{}", 
processor_chain([ + dup12, + ])); + + var msg23 = msg("18", part27); + + var part28 = match("MESSAGE#23:19", "nwparser.payload", "Java blocked%{}", processor_chain([ + dup12, + ])); + + var msg24 = msg("19", part28); + + var part29 = match("MESSAGE#24:20", "nwparser.payload", "ActiveX or Java archive blocked%{}", processor_chain([ + dup12, + ])); + + var msg25 = msg("20", part29); + + var part30 = match("MESSAGE#25:21", "nwparser.payload", "Cookie removed%{}", processor_chain([ + dup1, + ])); + + var msg26 = msg("21", part30); + + var part31 = match("MESSAGE#26:22", "nwparser.payload", "Ping of death blocked%{}", processor_chain([ + dup14, + ])); + + var msg27 = msg("22", part31); + + var part32 = match("MESSAGE#27:23", "nwparser.payload", "IP spoof detected%{}", processor_chain([ + dup14, + ])); + + var msg28 = msg("23", part32); + + var part33 = match("MESSAGE#28:23:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part34 = match("MESSAGE#28:23:01/3_0", "nwparser.p0", "- MAC address: %{p0}"); + + var part35 = match("MESSAGE#28:23:01/3_1", "nwparser.p0", "mac= %{p0}"); + + var select8 = linear_select([ + part34, + part35, + ]); + + var part36 = match("MESSAGE#28:23:01/4", "nwparser.p0", "%{} %{smacaddr}"); + + var all3 = all_match({ + processors: [ + part33, + dup175, + dup10, + select8, + part36, + ], + on_success: processor_chain([ + dup14, + ]), + }); + + var msg29 = msg("23:01", all3); + + var part37 = match("MESSAGE#29:23:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} - MAC address: %{smacaddr}", processor_chain([ + dup14, + ])); + + var msg30 = msg("23:02", part37); + + var part38 = match("MESSAGE#30:23:03/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part39 = match("MESSAGE#30:23:03/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac= %{p0}"); + + var part40 = 
match("MESSAGE#30:23:03/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac= %{p0}"); + + var select9 = linear_select([ + part39, + part40, + ]); + + var part41 = match("MESSAGE#30:23:03/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}"); + + var all4 = all_match({ + processors: [ + part38, + select9, + part41, + ], + on_success: processor_chain([ + dup14, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg31 = msg("23:03", all4); + + var select10 = linear_select([ + msg28, + msg29, + msg30, + msg31, + ]); + + var part42 = match("MESSAGE#31:24", "nwparser.payload", "Illegal LAN address in use%{}", processor_chain([ + dup22, + ])); + + var msg32 = msg("24", part42); + + var msg33 = msg("24:01", dup176); + + var select11 = linear_select([ + msg32, + msg33, + ]); + + var part43 = match("MESSAGE#32:25", "nwparser.payload", "Possible SYN flood attack%{}", processor_chain([ + dup14, + ])); + + var msg34 = msg("25", part43); + + var part44 = match("MESSAGE#33:26", "nwparser.payload", "Probable SYN flood attack%{}", processor_chain([ + dup14, + ])); + + var msg35 = msg("26", part44); + + var part45 = match("MESSAGE#34:27", "nwparser.payload", "Land Attack Dropped%{}", processor_chain([ + dup14, + ])); + + var msg36 = msg("27", part45); + + var part46 = match("MESSAGE#35:28", "nwparser.payload", "Fragmented Packet Dropped%{}", processor_chain([ + dup14, + ])); + + var msg37 = msg("28", part46); + + var part47 = match("MESSAGE#36:28:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup14, + ])); + + var msg38 = msg("28:01", part47); + + var select12 = linear_select([ + msg37, + msg38, + ]); + + var part48 = match("MESSAGE#37:29", "nwparser.payload", "Successful administrator login%{}", processor_chain([ + dup24, + ])); + + var msg39 = msg("29", part48); + + var part49 = 
match("MESSAGE#38:29:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} usr=%{username->} src=%{p0}"); + + var all5 = all_match({ + processors: [ + part49, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup29, + ]), + }); + + var msg40 = msg("29:01", all5); + + var select13 = linear_select([ + msg39, + msg40, + ]); + + var part50 = match("MESSAGE#39:30", "nwparser.payload", "Administrator login failed - incorrect password%{}", processor_chain([ + dup30, + ])); + + var msg41 = msg("30", part50); + + var msg42 = msg("30:01", dup226); + + var select14 = linear_select([ + msg41, + msg42, + ]); + + var part51 = match("MESSAGE#41:31", "nwparser.payload", "Successful user login%{}", processor_chain([ + dup24, + ])); + + var msg43 = msg("31", part51); + + var all6 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup24, + ]), + }); + + var msg44 = msg("31:01", all6); + + var part52 = match("MESSAGE#43:31:02", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup24, + dup11, + ])); + + var msg45 = msg("31:02", part52); + + var part53 = match("MESSAGE#44:31:03", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration}n=%{fld1}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup24, + dup11, + ])); + + var msg46 = msg("31:03", part53); + + var part54 = match("MESSAGE#45:31:04", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup24, + dup11, + ])); + + var 
msg47 = msg("31:04", part54); + + var select15 = linear_select([ + msg43, + msg44, + msg45, + msg46, + msg47, + ]); + + var part55 = match("MESSAGE#46:32", "nwparser.payload", "User login failed - incorrect password%{}", processor_chain([ + dup30, + ])); + + var msg48 = msg("32", part55); + + var msg49 = msg("32:01", dup226); + + var select16 = linear_select([ + msg48, + msg49, + ]); + + var part56 = match("MESSAGE#48:33", "nwparser.payload", "Unknown user attempted to log in%{}", processor_chain([ + dup32, + ])); + + var msg50 = msg("33", part56); + + var all7 = all_match({ + processors: [ + dup33, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var msg51 = msg("33:01", all7); + + var select17 = linear_select([ + msg50, + msg51, + ]); + + var part57 = match("MESSAGE#50:34", "nwparser.payload", "Login screen timed out%{}", processor_chain([ + dup5, + ])); + + var msg52 = msg("34", part57); + + var part58 = match("MESSAGE#51:35", "nwparser.payload", "Attempted administrator login from WAN%{}", processor_chain([ + setc("eventcategory","1401040000"), + ])); + + var msg53 = msg("35", part58); + + var part59 = match("MESSAGE#52:35:01/3_1", "nwparser.p0", "%{daddr}"); + + var select18 = linear_select([ + dup27, + part59, + ]); + + var all8 = all_match({ + processors: [ + dup31, + dup177, + dup10, + select18, + ], + on_success: processor_chain([ + setc("eventcategory","1401050200"), + ]), + }); + + var msg54 = msg("35:01", all8); + + var select19 = linear_select([ + msg53, + msg54, + ]); + + var part60 = match("MESSAGE#53:36", "nwparser.payload", "TCP connection dropped%{}", processor_chain([ + dup5, + ])); + + var msg55 = msg("36", part60); + + var part61 = match("MESSAGE#54:36:01/0", "nwparser.payload", "msg=\"%{msg}\" %{p0}"); + + var part62 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{fld1->} src= %{p0}"); + + var part63 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", 
"n=%{fld1->} src= %{p0}"); + + var select20 = linear_select([ + part62, + part63, + ]); + + var part64 = match("MESSAGE#54:36:01/6_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\" "); + + var part65 = match("MESSAGE#54:36:01/6_1", "nwparser.p0", " rule=%{rule->} "); + + var part66 = match("MESSAGE#54:36:01/6_2", "nwparser.p0", " proto=%{protocol->} "); + + var select21 = linear_select([ + part64, + part65, + part66, + ]); + + var all9 = all_match({ + processors: [ + part61, + select20, + dup179, + dup36, + dup175, + dup10, + select21, + ], + on_success: processor_chain([ + dup5, + dup37, + ]), + }); + + var msg56 = msg("36:01", all9); + + var part67 = match("MESSAGE#55:36:02/5_0", "nwparser.p0", "rule=%{rule->} %{p0}"); + + var part68 = match("MESSAGE#55:36:02/5_1", "nwparser.p0", "proto=%{protocol->} %{p0}"); + + var select22 = linear_select([ + part67, + part68, + ]); + + var part69 = match("MESSAGE#55:36:02/6", "nwparser.p0", "%{}npcs=%{info}"); + + var all10 = all_match({ + processors: [ + dup38, + dup180, + dup10, + dup175, + dup10, + select22, + part69, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg57 = msg("36:02", all10); + + var select23 = linear_select([ + msg55, + msg56, + msg57, + ]); + + var part70 = match("MESSAGE#56:37", "nwparser.payload", "UDP packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg58 = msg("37", part70); + + var part71 = match("MESSAGE#57:37:01/0", "nwparser.payload", "msg=\"UDP packet dropped\" %{p0}"); + + var part72 = match("MESSAGE#57:37:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); + + var select24 = linear_select([ + part72, + dup40, + ]); + + var part73 = match("MESSAGE#57:37:01/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); + + var part74 = match("MESSAGE#57:37:01/3_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} %{p0}"); + + 
var part75 = match("MESSAGE#57:37:01/3_1", "nwparser.p0", "%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} %{p0}"); + + var part76 = match("MESSAGE#57:37:01/3_2", "nwparser.p0", "%{dport}:%{dinterface->} %{p0}"); + + var select25 = linear_select([ + part74, + part75, + part76, + ]); + + var part77 = match("MESSAGE#57:37:01/4_0", "nwparser.p0", "proto=%{protocol->} fw_action=\"%{fld3}\" "); + + var part78 = match("MESSAGE#57:37:01/4_1", "nwparser.p0", " rule=%{rule}"); + + var select26 = linear_select([ + part77, + part78, + ]); + + var all11 = all_match({ + processors: [ + part71, + select24, + part73, + select25, + select26, + ], + on_success: processor_chain([ + dup5, + dup37, + ]), + }); + + var msg59 = msg("37:01", all11); + + var part79 = match("MESSAGE#58:37:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} rule=%{rule}", processor_chain([ + dup5, + ])); + + var msg60 = msg("37:02", part79); + + var all12 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup181, + dup43, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg61 = msg("37:03", all12); + + var part80 = match("MESSAGE#60:37:04", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup5, + dup11, + ])); + + var msg62 = msg("37:04", part80); + + var select27 = linear_select([ + msg58, + msg59, + msg60, + msg61, + msg62, + ]); + + var part81 = match("MESSAGE#61:38", "nwparser.payload", "ICMP packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg63 = msg("38", part81); + + var part82 = match("MESSAGE#62:38:01/5_0", "nwparser.p0", "type=%{type->} code=%{code->} "); + + var select28 = linear_select([ + part82, + dup45, + ]); + + var all13 = all_match({ + processors: [ + dup44, + dup179, + dup36, + dup175, + dup10, + select28, 
+ ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg64 = msg("38:01", all13); + + var part83 = match("MESSAGE#63:38:02/4", "nwparser.p0", "%{} %{fld3->} icmpCode=%{fld4->} npcs=%{info}"); + + var all14 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup182, + part83, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg65 = msg("38:02", all14); + + var part84 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", "%{event_description}\" app=%{fld2->} appName=\"%{application}\"%{p0}"); + + var part85 = match("MESSAGE#64:38:03/1_1", "nwparser.p0", "%{event_description}\"%{p0}"); + + var select29 = linear_select([ + part84, + part85, + ]); + + var part86 = match("MESSAGE#64:38:03/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part87 = match("MESSAGE#64:38:03/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\""); + + var all15 = all_match({ + processors: [ + dup48, + select29, + part86, + dup183, + part87, + ], + on_success: processor_chain([ + dup5, + dup11, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg66 = msg("38:03", all15); + + var select30 = linear_select([ + msg63, + msg64, + msg65, + msg66, + ]); + + var part88 = match("MESSAGE#65:39", "nwparser.payload", "PPTP packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg67 = msg("39", part88); + + var part89 = match("MESSAGE#66:40", "nwparser.payload", "IPSec packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg68 = msg("40", part89); + + var part90 = match("MESSAGE#67:41:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=\"IP Protocol: %{dclass_counter1}\"", processor_chain([ + dup5, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + 
var msg69 = msg("41:01", part90); + + var part91 = match("MESSAGE#68:41:02", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport}:%{sinterface->} dst=%{dtransaddr}:%{dtransport}::%{dinterface}", processor_chain([ + dup5, + ])); + + var msg70 = msg("41:02", part91); + + var part92 = match("MESSAGE#69:41:03", "nwparser.payload", "Unknown protocol dropped%{}", processor_chain([ + dup5, + ])); + + var msg71 = msg("41:03", part92); + + var select31 = linear_select([ + msg69, + msg70, + msg71, + ]); + + var part93 = match("MESSAGE#70:42", "nwparser.payload", "IPSec packet dropped; waiting for pending IPSec connection%{}", processor_chain([ + dup5, + ])); + + var msg72 = msg("42", part93); + + var part94 = match("MESSAGE#71:43", "nwparser.payload", "IPSec connection interrupt%{}", processor_chain([ + dup5, + ])); + + var msg73 = msg("43", part94); + + var part95 = match("MESSAGE#72:44", "nwparser.payload", "NAT could not remap incoming packet%{}", processor_chain([ + dup5, + ])); + + var msg74 = msg("44", part95); + + var part96 = match("MESSAGE#73:45", "nwparser.payload", "ARP timeout%{}", processor_chain([ + dup5, + ])); + + var msg75 = msg("45", part96); + + var part97 = match("MESSAGE#74:45:01", "nwparser.payload", "msg=\"ARP timeout\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup5, + ])); + + var msg76 = msg("45:01", part97); + + var part98 = match("MESSAGE#75:45:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} npcs=%{info}", processor_chain([ + dup5, + ])); + + var msg77 = msg("45:02", part98); + + var select32 = linear_select([ + msg75, + msg76, + msg77, + ]); + + var part99 = match("MESSAGE#76:46:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ + dup5, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + 
dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg78 = msg("46:01", part99); + + var part100 = match("MESSAGE#77:46:02", "nwparser.payload", "msg=\"Broadcast packet dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup5, + ])); + + var msg79 = msg("46:02", part100); + + var part101 = match("MESSAGE#78:46", "nwparser.payload", "Broadcast packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg80 = msg("46", part101); + + var part102 = match("MESSAGE#79:46:03/0", "nwparser.payload", "msg=\"Broadcast packet dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var all16 = all_match({ + processors: [ + part102, + dup174, + dup10, + dup181, + dup43, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg81 = msg("46:03", all16); + + var select33 = linear_select([ + msg78, + msg79, + msg80, + msg81, + ]); + + var part103 = match("MESSAGE#80:47", "nwparser.payload", "No ICMP redirect sent%{}", processor_chain([ + dup5, + ])); + + var msg82 = msg("47", part103); + + var part104 = match("MESSAGE#81:48", "nwparser.payload", "Out-of-order command packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg83 = msg("48", part104); + + var part105 = match("MESSAGE#82:49", "nwparser.payload", "Failure to add data channel%{}", processor_chain([ + dup5, + ])); + + var msg84 = msg("49", part105); + + var part106 = match("MESSAGE#83:50", "nwparser.payload", "RealAudio decode failure%{}", processor_chain([ + dup5, + ])); + + var msg85 = msg("50", part106); + + var part107 = match("MESSAGE#84:51", "nwparser.payload", "Duplicate packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg86 = msg("51", part107); + + var part108 = match("MESSAGE#85:52", "nwparser.payload", "No HOST tag found in HTTP request%{}", processor_chain([ + dup5, + ])); + + var msg87 = msg("52", part108); + + var part109 = match("MESSAGE#86:53", "nwparser.payload", "The cache is full; 
too many open connections; some will be dropped%{}", processor_chain([ + dup2, + ])); + + var msg88 = msg("53", part109); + + var part110 = match("MESSAGE#87:58", "nwparser.payload", "License exceeded: Connection dropped because too many IP addresses are in use on your LAN%{}", processor_chain([ + dup56, + ])); + + var msg89 = msg("58", part110); + + var part111 = match("MESSAGE#88:60", "nwparser.payload", "Access to Proxy Server Blocked%{}", processor_chain([ + dup12, + ])); + + var msg90 = msg("60", part111); + + var part112 = match("MESSAGE#89:61", "nwparser.payload", "Diagnostic Code E%{}", processor_chain([ + dup1, + ])); + + var msg91 = msg("61", part112); + + var part113 = match("MESSAGE#90:62", "nwparser.payload", "Dynamic IPSec client connected%{}", processor_chain([ + dup57, + ])); + + var msg92 = msg("62", part113); + + var part114 = match("MESSAGE#91:63", "nwparser.payload", "IPSec packet too big%{}", processor_chain([ + dup58, + ])); + + var msg93 = msg("63", part114); + + var part115 = match("MESSAGE#92:63:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup58, + ])); + + var msg94 = msg("63:01", part115); + + var select34 = linear_select([ + msg93, + msg94, + ]); + + var part116 = match("MESSAGE#93:64", "nwparser.payload", "Diagnostic Code D%{}", processor_chain([ + dup1, + ])); + + var msg95 = msg("64", part116); + + var part117 = match("MESSAGE#94:65", "nwparser.payload", "Illegal IPSec SPI%{}", processor_chain([ + dup58, + ])); + + var msg96 = msg("65", part117); + + var part118 = match("MESSAGE#95:66", "nwparser.payload", "Unknown IPSec SPI%{}", processor_chain([ + dup58, + ])); + + var msg97 = msg("66", part118); + + var part119 = match("MESSAGE#96:67", "nwparser.payload", "IPSec Authentication Failed%{}", processor_chain([ + dup58, + ])); + + var msg98 = msg("67", part119); + + var all17 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ 
+ dup58, + ]), + }); + + var msg99 = msg("67:01", all17); + + var select35 = linear_select([ + msg98, + msg99, + ]); + + var part120 = match("MESSAGE#98:68", "nwparser.payload", "IPSec Decryption Failed%{}", processor_chain([ + dup58, + ])); + + var msg100 = msg("68", part120); + + var part121 = match("MESSAGE#99:69", "nwparser.payload", "Incompatible IPSec Security Association%{}", processor_chain([ + dup58, + ])); + + var msg101 = msg("69", part121); + + var part122 = match("MESSAGE#100:70", "nwparser.payload", "IPSec packet from illegal host%{}", processor_chain([ + dup58, + ])); + + var msg102 = msg("70", part122); + + var part123 = match("MESSAGE#101:70:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} %{p0}"); + + var part124 = match("MESSAGE#101:70:01/1_0", "nwparser.p0", "dst=%{daddr->} "); + + var part125 = match("MESSAGE#101:70:01/1_1", "nwparser.p0", " dstname=%{name}"); + + var select36 = linear_select([ + part124, + part125, + ]); + + var all18 = all_match({ + processors: [ + part123, + select36, + ], + on_success: processor_chain([ + dup58, + ]), + }); + + var msg103 = msg("70:01", all18); + + var select37 = linear_select([ + msg102, + msg103, + ]); + + var part126 = match("MESSAGE#102:72", "nwparser.payload", "NetBus Attack Dropped%{}", processor_chain([ + dup59, + ])); + + var msg104 = msg("72", part126); + + var part127 = match("MESSAGE#103:72:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup59, + ])); + + var msg105 = msg("72:01", part127); + + var select38 = linear_select([ + msg104, + msg105, + ]); + + var part128 = match("MESSAGE#104:73", "nwparser.payload", "Back Orifice Attack Dropped%{}", processor_chain([ + dup60, + ])); + + var msg106 = msg("73", part128); + + var part129 = match("MESSAGE#105:74", "nwparser.payload", "Net Spy Attack Dropped%{}", processor_chain([ + dup61, + ])); + + var msg107 = msg("74", part129); + + 
var part130 = match("MESSAGE#106:75", "nwparser.payload", "Sub Seven Attack Dropped%{}", processor_chain([ + dup60, + ])); + + var msg108 = msg("75", part130); + + var part131 = match("MESSAGE#107:76", "nwparser.payload", "Ripper Attack Dropped%{}", processor_chain([ + dup59, + ])); + + var msg109 = msg("76", part131); + + var part132 = match("MESSAGE#108:77", "nwparser.payload", "Striker Attack Dropped%{}", processor_chain([ + dup59, + ])); + + var msg110 = msg("77", part132); + + var part133 = match("MESSAGE#109:78", "nwparser.payload", "Senna Spy Attack Dropped%{}", processor_chain([ + dup61, + ])); + + var msg111 = msg("78", part133); + + var part134 = match("MESSAGE#110:79", "nwparser.payload", "Priority Attack Dropped%{}", processor_chain([ + dup59, + ])); + + var msg112 = msg("79", part134); + + var part135 = match("MESSAGE#111:80", "nwparser.payload", "Ini Killer Attack Dropped%{}", processor_chain([ + dup59, + ])); + + var msg113 = msg("80", part135); + + var part136 = match("MESSAGE#112:81", "nwparser.payload", "Smurf Amplification Attack Dropped%{}", processor_chain([ + dup14, + ])); + + var msg114 = msg("81", part136); + + var part137 = match("MESSAGE#113:82", "nwparser.payload", "Possible Port Scan%{}", processor_chain([ + dup62, + ])); + + var msg115 = msg("82", part137); + + var part138 = match("MESSAGE#114:82:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{info}\"", processor_chain([ + dup62, + ])); + + var msg116 = msg("82:02", part138); + + var part139 = match("MESSAGE#115:82:03", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ + dup62, + ])); + + var msg117 = msg("82:03", part139); + + var msg118 = msg("82:01", dup184); + + var select39 = linear_select([ + msg115, + msg116, + msg117, + msg118, + ]); + + var part140 = 
match("MESSAGE#117:83", "nwparser.payload", "Probable Port Scan%{}", processor_chain([ + dup62, + ])); + + var msg119 = msg("83", part140); + + var msg120 = msg("83:01", dup185); + + var part141 = match("MESSAGE#119:83:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ + dup5, + ])); + + var msg121 = msg("83:02", part141); + + var select40 = linear_select([ + msg119, + msg120, + msg121, + ]); + + var part142 = match("MESSAGE#120:84/0_0", "nwparser.payload", "msg=\"Failed to resolve name\" n=%{fld1->} dstname=%{dhost}"); + + var part143 = match("MESSAGE#120:84/0_1", "nwparser.payload", "Failed to resolve name%{}"); + + var select41 = linear_select([ + part142, + part143, + ]); + + var all19 = all_match({ + processors: [ + select41, + ], + on_success: processor_chain([ + dup63, + setc("action","Failed to resolve name"), + ]), + }); + + var msg122 = msg("84", all19); + + var part144 = match("MESSAGE#121:87", "nwparser.payload", "IKE Responder: Accepting IPSec proposal%{}", processor_chain([ + dup64, + ])); + + var msg123 = msg("87", part144); + + var part145 = match("MESSAGE#122:87:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup64, + ])); + + var msg124 = msg("87:01", part145); + + var select42 = linear_select([ + msg123, + msg124, + ]); + + var part146 = match("MESSAGE#123:88", "nwparser.payload", "IKE Responder: IPSec proposal not acceptable%{}", processor_chain([ + dup58, + ])); + + var msg125 = msg("88", part146); + + var part147 = match("MESSAGE#124:88:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup58, + ])); + + var msg126 = msg("88:01", part147); + + var select43 = linear_select([ + msg125, + msg126, + ]); + + var part148 = match("MESSAGE#125:89", "nwparser.payload", "IKE negotiation complete. 
Adding IPSec SA%{}", processor_chain([ + dup64, + ])); + + var msg127 = msg("89", part148); + + var part149 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} %{p0}"); + + var part150 = match("MESSAGE#126:89:01/1_0", "nwparser.p0", "src=%{saddr}:::%{sinterface->} dst=%{daddr}:::%{dinterface->} "); + + var part151 = match("MESSAGE#126:89:01/1_1", "nwparser.p0", " src=%{saddr->} dst=%{daddr->} dstname=%{name}"); + + var select44 = linear_select([ + part150, + part151, + ]); + + var all20 = all_match({ + processors: [ + part149, + select44, + ], + on_success: processor_chain([ + dup64, + ]), + }); + + var msg128 = msg("89:01", all20); + + var select45 = linear_select([ + msg127, + msg128, + ]); + + var part152 = match("MESSAGE#127:90", "nwparser.payload", "Starting IKE negotiation%{}", processor_chain([ + dup64, + ])); + + var msg129 = msg("90", part152); + + var part153 = match("MESSAGE#128:91", "nwparser.payload", "Deleting IPSec SA for destination%{}", processor_chain([ + dup64, + ])); + + var msg130 = msg("91", part153); + + var part154 = match("MESSAGE#129:92", "nwparser.payload", "Deleting IPSec SA%{}", processor_chain([ + dup64, + ])); + + var msg131 = msg("92", part154); + + var part155 = match("MESSAGE#130:93", "nwparser.payload", "Diagnostic Code A%{}", processor_chain([ + dup1, + ])); + + var msg132 = msg("93", part155); + + var part156 = match("MESSAGE#131:94", "nwparser.payload", "Diagnostic Code B%{}", processor_chain([ + dup1, + ])); + + var msg133 = msg("94", part156); + + var part157 = match("MESSAGE#132:95", "nwparser.payload", "Diagnostic Code C%{}", processor_chain([ + dup1, + ])); + + var msg134 = msg("95", part157); + + var part158 = match("MESSAGE#133:96", "nwparser.payload", "Status%{}", processor_chain([ + dup1, + ])); + + var msg135 = msg("96", part158); + + var part159 = match("MESSAGE#134:97", "nwparser.payload", "Web site hit%{}", processor_chain([ + dup1, + ])); + + var msg136 = msg("97", part159); + + var 
part160 = match("MESSAGE#135:97:01/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld->} %{p0}"); + + var part161 = match("MESSAGE#135:97:01/5_0", "nwparser.p0", "rcvd=%{rbytes->} %{p0}"); + + var part162 = match("MESSAGE#135:97:01/5_1", "nwparser.p0", "sent=%{sbytes->} %{p0}"); + + var select46 = linear_select([ + part161, + part162, + ]); + + var part163 = match("MESSAGE#135:97:01/7_0", "nwparser.p0", "result=%{result->} dstname=%{name->} "); + + var select47 = linear_select([ + part163, + dup66, + ]); + + var all21 = all_match({ + processors: [ + dup65, + dup179, + dup36, + dup175, + part160, + select46, + dup10, + select47, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg137 = msg("97:01", all21); + + var part164 = match("MESSAGE#136:97:02/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld->} result=%{result}"); + + var all22 = all_match({ + processors: [ + dup65, + dup179, + dup36, + dup175, + part164, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg138 = msg("97:02", all22); + + var part165 = match("MESSAGE#137:97:03/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld3->} sent=%{sbytes->} rcvd=%{rbytes->} %{p0}"); + + var part166 = match("MESSAGE#137:97:03/5_0", "nwparser.p0", "result=%{result->} dstname=%{name->} %{p0}"); + + var part167 = match("MESSAGE#137:97:03/5_1", "nwparser.p0", "dstname=%{name->} %{p0}"); + + var select48 = linear_select([ + part166, + part167, + ]); + + var part168 = match("MESSAGE#137:97:03/6", "nwparser.p0", "%{}arg=%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); + + var all23 = all_match({ + processors: [ + dup67, + dup179, + dup36, + dup175, + part165, + select48, + part168, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg139 = msg("97:03", all23); + + var part169 = match("MESSAGE#138:97:04/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld3->} %{p0}"); + + var part170 = match("MESSAGE#138:97:04/5_0", "nwparser.p0", "result=%{result->} 
dstname=%{name->} arg= %{p0}"); + + var part171 = match("MESSAGE#138:97:04/5_1", "nwparser.p0", "dstname=%{name->} arg= %{p0}"); + + var select49 = linear_select([ + part170, + part171, + ]); + + var part172 = match("MESSAGE#138:97:04/6", "nwparser.p0", "%{} %{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); + + var all24 = all_match({ + processors: [ + dup67, + dup179, + dup36, + dup175, + part169, + select49, + part172, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg140 = msg("97:04", all24); + + var part173 = match("MESSAGE#139:97:05/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld2->} dstname=%{name->} arg=%{fld3->} code=%{fld4->} Category=%{category}"); + + var all25 = all_match({ + processors: [ + dup65, + dup179, + dup36, + dup175, + part173, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg141 = msg("97:05", all25); + + var part174 = match("MESSAGE#140:97:06/0", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{p0}"); + + var select50 = linear_select([ + dup68, + dup69, + ]); + + var part175 = match("MESSAGE#140:97:06/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); + + var all26 = all_match({ + processors: [ + part174, + select50, + part175, + ], + on_success: processor_chain([ + dup70, + dup11, + ]), + }); + + var msg142 = msg("97:06", all26); + + var part176 = match("MESSAGE#141:97:07/0", "nwparser.payload", "app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); + + var part177 = match("MESSAGE#141:97:07/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{fld3->} srcMac=%{p0}"); + + var select51 = linear_select([ + part177, + dup49, + ]); + + var part178 = match("MESSAGE#141:97:07/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} 
proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); + + var all27 = all_match({ + processors: [ + part176, + select51, + part178, + ], + on_success: processor_chain([ + dup70, + dup11, + ]), + }); + + var msg143 = msg("97:07", all27); + + var part179 = match("MESSAGE#142:97:08", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup70, + dup11, + ])); + + var msg144 = msg("97:08", part179); + + var part180 = match("MESSAGE#143:97:09", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup70, + dup11, + ])); + + var msg145 = msg("97:09", part180); + + var part181 = match("MESSAGE#144:97:10", "nwparser.payload", "app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup70, + dup11, + ])); + + var msg146 = msg("97:10", part181); + + var select52 = linear_select([ + msg136, + msg137, + msg138, + msg139, + msg140, + msg141, + msg142, + msg143, + msg144, + msg145, + msg146, + ]); + + var part182 = match("MESSAGE#145:98/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2->} 
appName=\"%{application}\"%{p0}"); + + var part183 = match("MESSAGE#145:98/0_1", "nwparser.payload", " msg=\"%{event_description}\"%{p0}"); + + var select53 = linear_select([ + part182, + part183, + ]); + + var part184 = match("MESSAGE#145:98/1", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); + + var part185 = match("MESSAGE#145:98/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} %{p0}"); + + var select54 = linear_select([ + part185, + dup71, + ]); + + var part186 = match("MESSAGE#145:98/3_1", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} "); + + var part187 = match("MESSAGE#145:98/3_2", "nwparser.p0", " proto=%{protocol}"); + + var select55 = linear_select([ + dup72, + part186, + part187, + ]); + + var all28 = all_match({ + processors: [ + select53, + part184, + select54, + select55, + ], + on_success: processor_chain([ + dup70, + dup51, + setc("ec_activity","Stop"), + dup53, + dup54, + dup11, + setc("action","Opened"), + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg147 = msg("98", all28); + + var part188 = match("MESSAGE#146:98:07", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{protocol}/%{fld4->} sent=%{sbytes->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg148 = msg("98:07", part188); + + var part189 = match("MESSAGE#147:98:01/1_0", "nwparser.p0", "%{msg}\" app=%{fld2->} sess=\"%{fld3}\"%{p0}"); + + var part190 = match("MESSAGE#147:98:01/1_1", "nwparser.p0", "%{msg}\"%{p0}"); + + var select56 = linear_select([ + part189, + part190, + ]); + + var part191 = match("MESSAGE#147:98:01/2", "nwparser.p0", "%{}n=%{p0}"); + + var part192 = match("MESSAGE#147:98:01/3_0", "nwparser.p0", "%{fld1->} usr=%{username->} src=%{p0}"); + + var part193 = 
match("MESSAGE#147:98:01/3_1", "nwparser.p0", "%{fld1->} src=%{p0}"); + + var select57 = linear_select([ + part192, + part193, + ]); + + var select58 = linear_select([ + dup73, + dup69, + dup74, + ]); + + var part194 = match("MESSAGE#147:98:01/7_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + + var part195 = match("MESSAGE#147:98:01/7_1", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} "); + + var part196 = match("MESSAGE#147:98:01/7_2", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); + + var part197 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", " proto=%{protocol->} sent=%{sbytes}"); + + var part198 = match("MESSAGE#147:98:01/7_5", "nwparser.p0", "proto=%{protocol}"); + + var select59 = linear_select([ + part194, + part195, + part196, + dup72, + part197, + part198, + ]); + + var all29 = all_match({ + processors: [ + dup48, + select56, + part191, + select57, + select58, + dup10, + dup186, + select59, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg149 = msg("98:01", all29); + + var part199 = match("MESSAGE#148:98:06/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2->} appName=\"%{application}\" %{p0}"); + + var part200 = match("MESSAGE#148:98:06/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2->} %{p0}"); + + var part201 = match("MESSAGE#148:98:06/0_2", "nwparser.payload", " msg=\"%{event_description}\" sess=%{fld2->} %{p0}"); + + var select60 = linear_select([ + part199, + part200, + part201, + ]); + + var part202 = match("MESSAGE#148:98:06/1_0", "nwparser.p0", "n=%{fld1->} usr=%{username->} %{p0}"); + + var part203 = match("MESSAGE#148:98:06/1_1", "nwparser.p0", " n=%{fld1->} %{p0}"); + + var select61 = linear_select([ + part202, + part203, + ]); + + var part204 = match("MESSAGE#148:98:06/2", "nwparser.p0", "%{}src= %{p0}"); + + var part205 = 
match("MESSAGE#148:98:06/5_0", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part206 = match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var select62 = linear_select([ + part205, + part206, + dup77, + dup78, + ]); + + var part207 = match("MESSAGE#148:98:06/6", "nwparser.p0", "%{protocol->} %{p0}"); + + var part208 = match("MESSAGE#148:98:06/7_0", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); + + var part209 = match("MESSAGE#148:98:06/7_1", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=%{action}"); + + var part210 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "sent=%{sbytes->} fw_action=\"%{action}\""); + + var part211 = match("MESSAGE#148:98:06/7_3", "nwparser.p0", "sent=%{sbytes}"); + + var part212 = match("MESSAGE#148:98:06/7_4", "nwparser.p0", "fw_action=\"%{action}\""); + + var select63 = linear_select([ + part208, + part209, + part210, + part211, + part212, + ]); + + var all30 = all_match({ + processors: [ + select60, + select61, + part204, + dup187, + dup10, + select62, + part207, + select63, + ], + on_success: processor_chain([ + dup70, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg150 = msg("98:06", all30); + + var part213 = match("MESSAGE#149:98:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=%{username->} src=%{p0}"); + + var all31 = all_match({ + processors: [ + part213, + dup177, + dup10, + dup175, + dup79, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg151 = msg("98:02", all31); + + var part214 = match("MESSAGE#150:98:03/0_0", "nwparser.payload", "Connection %{}"); + + var part215 = match("MESSAGE#150:98:03/0_1", "nwparser.payload", " msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} "); + + var select64 = linear_select([ + part214, + part215, + ]); + + var all32 = 
all_match({ + processors: [ + select64, + ], + on_success: processor_chain([ + dup1, + dup37, + ]), + }); + + var msg152 = msg("98:03", all32); + + var part216 = match("MESSAGE#151:98:04/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes->} vpnpolicy=\"%{policyname}\" npcs=%{info}"); + + var all33 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup175, + part216, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg153 = msg("98:04", all33); + + var part217 = match("MESSAGE#152:98:05/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes->} npcs=%{info}"); + + var all34 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup175, + part217, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg154 = msg("98:05", all34); + + var select65 = linear_select([ + msg147, + msg148, + msg149, + msg150, + msg151, + msg152, + msg153, + msg154, + ]); + + var part218 = match("MESSAGE#153:986", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup30, + dup11, + ])); + + var msg155 = msg("986", part218); + + var part219 = match("MESSAGE#154:427/4", "nwparser.p0", "%{}note=\"%{event_description}\""); + + var all35 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup175, + part219, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg156 = msg("427", all35); + + var part220 = match("MESSAGE#155:428/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); + + var all36 = all_match({ + processors: [ + dup81, + dup183, + part220, + ], + on_success: processor_chain([ + dup22, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg157 = msg("428", all36); + + var part221 = match("MESSAGE#156:99", "nwparser.payload", 
"Retransmitting DHCP DISCOVER.%{}", processor_chain([ + dup64, + ])); + + var msg158 = msg("99", part221); + + var part222 = match("MESSAGE#157:100", "nwparser.payload", "Retransmitting DHCP REQUEST (Requesting).%{}", processor_chain([ + dup64, + ])); + + var msg159 = msg("100", part222); + + var part223 = match("MESSAGE#158:101", "nwparser.payload", "Retransmitting DHCP REQUEST (Renewing).%{}", processor_chain([ + dup64, + ])); + + var msg160 = msg("101", part223); + + var part224 = match("MESSAGE#159:102", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebinding).%{}", processor_chain([ + dup64, + ])); + + var msg161 = msg("102", part224); + + var part225 = match("MESSAGE#160:103", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebooting).%{}", processor_chain([ + dup64, + ])); + + var msg162 = msg("103", part225); + + var part226 = match("MESSAGE#161:104", "nwparser.payload", "Retransmitting DHCP REQUEST (Verifying).%{}", processor_chain([ + dup64, + ])); + + var msg163 = msg("104", part226); + + var part227 = match("MESSAGE#162:105", "nwparser.payload", "Sending DHCP DISCOVER.%{}", processor_chain([ + dup64, + ])); + + var msg164 = msg("105", part227); + + var part228 = match("MESSAGE#163:106", "nwparser.payload", "DHCP Server not available. Did not get any DHCP OFFER.%{}", processor_chain([ + dup63, + ])); + + var msg165 = msg("106", part228); + + var part229 = match("MESSAGE#164:107", "nwparser.payload", "Got DHCP OFFER. 
Selecting.%{}", processor_chain([ + dup64, + ])); + + var msg166 = msg("107", part229); + + var part230 = match("MESSAGE#165:108", "nwparser.payload", "Sending DHCP REQUEST.%{}", processor_chain([ + dup64, + ])); + + var msg167 = msg("108", part230); + + var part231 = match("MESSAGE#166:109", "nwparser.payload", "DHCP Client did not get DHCP ACK.%{}", processor_chain([ + dup63, + ])); + + var msg168 = msg("109", part231); + + var part232 = match("MESSAGE#167:110", "nwparser.payload", "DHCP Client got NACK.%{}", processor_chain([ + dup64, + ])); + + var msg169 = msg("110", part232); + + var msg170 = msg("111:01", dup188); + + var part233 = match("MESSAGE#169:111", "nwparser.payload", "DHCP Client got ACK from server.%{}", processor_chain([ + dup64, + ])); + + var msg171 = msg("111", part233); + + var select66 = linear_select([ + msg170, + msg171, + ]); + + var part234 = match("MESSAGE#170:112", "nwparser.payload", "DHCP Client is declining address offered by the server.%{}", processor_chain([ + dup64, + ])); + + var msg172 = msg("112", part234); + + var part235 = match("MESSAGE#171:113", "nwparser.payload", "DHCP Client sending REQUEST and going to REBIND state.%{}", processor_chain([ + dup64, + ])); + + var msg173 = msg("113", part235); + + var part236 = match("MESSAGE#172:114", "nwparser.payload", "DHCP Client sending REQUEST and going to RENEW state.%{}", processor_chain([ + dup64, + ])); + + var msg174 = msg("114", part236); + + var msg175 = msg("115:01", dup188); + + var part237 = match("MESSAGE#174:115", "nwparser.payload", "Sending DHCP REQUEST (Renewing).%{}", processor_chain([ + dup64, + ])); + + var msg176 = msg("115", part237); + + var select67 = linear_select([ + msg175, + msg176, + ]); + + var part238 = match("MESSAGE#175:116", "nwparser.payload", "Sending DHCP REQUEST (Rebinding).%{}", processor_chain([ + dup64, + ])); + + var msg177 = msg("116", part238); + + var part239 = match("MESSAGE#176:117", "nwparser.payload", "Sending DHCP REQUEST 
(Rebooting).%{}", processor_chain([ + dup64, + ])); + + var msg178 = msg("117", part239); + + var part240 = match("MESSAGE#177:118", "nwparser.payload", "Sending DHCP REQUEST (Verifying).%{}", processor_chain([ + dup64, + ])); + + var msg179 = msg("118", part240); + + var part241 = match("MESSAGE#178:119", "nwparser.payload", "DHCP Client failed to verify and lease has expired. Go to INIT state.%{}", processor_chain([ + dup63, + ])); + + var msg180 = msg("119", part241); + + var part242 = match("MESSAGE#179:120", "nwparser.payload", "DHCP Client failed to verify and lease is still valid. Go to BOUND state.%{}", processor_chain([ + dup63, + ])); + + var msg181 = msg("120", part242); + + var part243 = match("MESSAGE#180:121", "nwparser.payload", "DHCP Client got a new IP address lease.%{}", processor_chain([ + dup64, + ])); + + var msg182 = msg("121", part243); + + var part244 = match("MESSAGE#181:122", "nwparser.payload", "Access attempt from host without Anti-Virus agent installed%{}", processor_chain([ + dup63, + ])); + + var msg183 = msg("122", part244); + + var part245 = match("MESSAGE#182:123", "nwparser.payload", "Anti-Virus agent out-of-date on host%{}", processor_chain([ + dup63, + ])); + + var msg184 = msg("123", part245); + + var part246 = match("MESSAGE#183:124", "nwparser.payload", "Received AV Alert: %s%{}", processor_chain([ + dup64, + ])); + + var msg185 = msg("124", part246); + + var part247 = match("MESSAGE#184:125", "nwparser.payload", "Unused AV log entry.%{}", processor_chain([ + dup64, + ])); + + var msg186 = msg("125", part247); + + var part248 = match("MESSAGE#185:1254", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup83, + dup11, + ])); + + var msg187 = msg("1254", part248); + + 
var part249 = match("MESSAGE#186:1256", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup70, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var msg188 = msg("1256", part249); + + var part250 = match("MESSAGE#187:1257", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup83, + dup11, + ])); + + var msg189 = msg("1257", part250); + + var part251 = match("MESSAGE#188:126", "nwparser.payload", "Starting PPPoE discovery%{}", processor_chain([ + dup64, + ])); + + var msg190 = msg("126", part251); + + var part252 = match("MESSAGE#189:127", "nwparser.payload", "PPPoE LCP Link Up%{}", processor_chain([ + dup64, + ])); + + var msg191 = msg("127", part252); + + var part253 = match("MESSAGE#190:128", "nwparser.payload", "PPPoE LCP Link Down%{}", processor_chain([ + dup5, + ])); + + var msg192 = msg("128", part253); + + var part254 = match("MESSAGE#191:129", "nwparser.payload", "PPPoE terminated%{}", processor_chain([ + dup5, + ])); + + var msg193 = msg("129", part254); + + var part255 = match("MESSAGE#192:130", "nwparser.payload", "PPPoE Network Connected%{}", processor_chain([ + dup1, + ])); + + var msg194 = msg("130", part255); + + var part256 = match("MESSAGE#193:131", "nwparser.payload", "PPPoE Network Disconnected%{}", processor_chain([ + dup1, + ])); + + var msg195 = msg("131", part256); + + var part257 = match("MESSAGE#194:132", "nwparser.payload", "PPPoE discovery process complete%{}", 
processor_chain([ + dup1, + ])); + + var msg196 = msg("132", part257); + + var part258 = match("MESSAGE#195:133", "nwparser.payload", "PPPoE starting CHAP Authentication%{}", processor_chain([ + dup1, + ])); + + var msg197 = msg("133", part258); + + var part259 = match("MESSAGE#196:134", "nwparser.payload", "PPPoE starting PAP Authentication%{}", processor_chain([ + dup1, + ])); + + var msg198 = msg("134", part259); + + var part260 = match("MESSAGE#197:135", "nwparser.payload", "PPPoE CHAP Authentication Failed%{}", processor_chain([ + dup84, + ])); + + var msg199 = msg("135", part260); + + var part261 = match("MESSAGE#198:136", "nwparser.payload", "PPPoE PAP Authentication Failed%{}", processor_chain([ + dup84, + ])); + + var msg200 = msg("136", part261); + + var part262 = match("MESSAGE#199:137", "nwparser.payload", "Wan IP Changed%{}", processor_chain([ + dup3, + ])); + + var msg201 = msg("137", part262); + + var part263 = match("MESSAGE#200:138", "nwparser.payload", "XAUTH Succeeded%{}", processor_chain([ + dup3, + ])); + + var msg202 = msg("138", part263); + + var part264 = match("MESSAGE#201:139", "nwparser.payload", "XAUTH Failed%{}", processor_chain([ + dup5, + ])); + + var msg203 = msg("139", part264); + + var all37 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + setc("eventcategory","1801020100"), + ]), + }); + + var msg204 = msg("139:01", all37); + + var select68 = linear_select([ + msg203, + msg204, + ]); + + var msg205 = msg("140", dup227); + + var msg206 = msg("141", dup227); + + var part265 = match("MESSAGE#205:142", "nwparser.payload", "Primary firewall has transitioned to Active%{}", processor_chain([ + dup1, + ])); + + var msg207 = msg("142", part265); + + var part266 = match("MESSAGE#206:143", "nwparser.payload", "Backup firewall has transitioned to Active%{}", processor_chain([ + dup1, + ])); + + var msg208 = msg("143", part266); + + var part267 = match("MESSAGE#207:1431", 
"nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=::%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup70, + dup11, + ])); + + var msg209 = msg("1431", part267); + + var part268 = match("MESSAGE#208:144", "nwparser.payload", "Primary firewall has transitioned to Idle%{}", processor_chain([ + dup1, + ])); + + var msg210 = msg("144", part268); + + var part269 = match("MESSAGE#209:145", "nwparser.payload", "Backup firewall has transitioned to Idle%{}", processor_chain([ + dup1, + ])); + + var msg211 = msg("145", part269); + + var part270 = match("MESSAGE#210:146", "nwparser.payload", "Primary missed heartbeats from Active Backup: Primary going Active%{}", processor_chain([ + dup86, + ])); + + var msg212 = msg("146", part270); + + var part271 = match("MESSAGE#211:147", "nwparser.payload", "Backup missed heartbeats from Active Primary: Backup going Active%{}", processor_chain([ + dup86, + ])); + + var msg213 = msg("147", part271); + + var part272 = match("MESSAGE#212:148", "nwparser.payload", "Primary received error signal from Active Backup: Primary going Active%{}", processor_chain([ + dup1, + ])); + + var msg214 = msg("148", part272); + + var part273 = match("MESSAGE#213:1480", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + setc("eventcategory","1204010000"), + dup11, + ])); + + var msg215 = msg("1480", part273); + + var part274 = match("MESSAGE#214:149", "nwparser.payload", "Backup received error signal from Active Primary: Backup going Active%{}", processor_chain([ + dup1, + ])); + + var msg216 = msg("149", part274); + + var part275 = match("MESSAGE#215:150", "nwparser.payload", "Backup firewall being preempted by Primary%{}", processor_chain([ + dup1, + ])); + + var msg217 = msg("150", part275); + + var part276 = match("MESSAGE#216:151", 
"nwparser.payload", "Primary firewall preempting Backup%{}", processor_chain([ + dup1, + ])); + + var msg218 = msg("151", part276); + + var part277 = match("MESSAGE#217:152", "nwparser.payload", "Active Backup detects Active Primary: Backup rebooting%{}", processor_chain([ + dup1, + ])); + + var msg219 = msg("152", part277); + + var part278 = match("MESSAGE#218:153", "nwparser.payload", "Imported HA hardware ID did not match this firewall%{}", processor_chain([ + setc("eventcategory","1603010000"), + ])); + + var msg220 = msg("153", part278); + + var part279 = match("MESSAGE#219:154", "nwparser.payload", "Received AV Alert: Your SonicWALL Network Anti-Virus subscription has expired. %s%{}", processor_chain([ + dup56, + ])); + + var msg221 = msg("154", part279); + + var part280 = match("MESSAGE#220:155", "nwparser.payload", "Primary received heartbeat from wrong source%{}", processor_chain([ + dup86, + ])); + + var msg222 = msg("155", part280); + + var part281 = match("MESSAGE#221:156", "nwparser.payload", "Backup received heartbeat from wrong source%{}", processor_chain([ + dup86, + ])); + + var msg223 = msg("156", part281); + + var part282 = match("MESSAGE#222:157:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup1, + ])); + + var msg224 = msg("157:01", part282); + + var part283 = match("MESSAGE#223:157", "nwparser.payload", "HA packet processing error%{}", processor_chain([ + dup5, + ])); + + var msg225 = msg("157", part283); + + var select69 = linear_select([ + msg224, + msg225, + ]); + + var part284 = match("MESSAGE#224:158", "nwparser.payload", "Heartbeat received from incompatible source%{}", processor_chain([ + dup86, + ])); + + var msg226 = msg("158", part284); + + var part285 = match("MESSAGE#225:159", "nwparser.payload", "Diagnostic Code F%{}", processor_chain([ + dup5, + ])); + + var msg227 = msg("159", part285); + + var part286 = match("MESSAGE#226:160", "nwparser.payload", "Forbidden E-mail attachment altered%{}", 
processor_chain([ + setc("eventcategory","1203000000"), + ])); + + var msg228 = msg("160", part286); + + var part287 = match("MESSAGE#227:161", "nwparser.payload", "PPPoE PAP Authentication success.%{}", processor_chain([ + dup57, + ])); + + var msg229 = msg("161", part287); + + var part288 = match("MESSAGE#228:162", "nwparser.payload", "PPPoE PAP Authentication Failed. Please verify PPPoE username and password%{}", processor_chain([ + dup32, + ])); + + var msg230 = msg("162", part288); + + var part289 = match("MESSAGE#229:163", "nwparser.payload", "Disconnecting PPPoE due to traffic timeout%{}", processor_chain([ + dup5, + ])); + + var msg231 = msg("163", part289); + + var part290 = match("MESSAGE#230:164", "nwparser.payload", "No response from ISP Disconnecting PPPoE.%{}", processor_chain([ + dup5, + ])); + + var msg232 = msg("164", part290); + + var part291 = match("MESSAGE#231:165", "nwparser.payload", "Backup going Active in preempt mode after reboot%{}", processor_chain([ + dup1, + ])); + + var msg233 = msg("165", part291); + + var part292 = match("MESSAGE#232:166", "nwparser.payload", "Denied TCP connection from LAN%{}", processor_chain([ + dup12, + ])); + + var msg234 = msg("166", part292); + + var part293 = match("MESSAGE#233:167", "nwparser.payload", "Denied UDP packet from LAN%{}", processor_chain([ + dup12, + ])); + + var msg235 = msg("167", part293); + + var part294 = match("MESSAGE#234:168", "nwparser.payload", "Denied ICMP packet from LAN%{}", processor_chain([ + dup12, + ])); + + var msg236 = msg("168", part294); + + var part295 = match("MESSAGE#235:169", "nwparser.payload", "Firewall access from LAN%{}", processor_chain([ + dup1, + ])); + + var msg237 = msg("169", part295); + + var part296 = match("MESSAGE#236:170", "nwparser.payload", "Received a path MTU icmp message from router/gateway%{}", processor_chain([ + dup1, + ])); + + var msg238 = msg("170", part296); + + var part297 = match("MESSAGE#237:171", "nwparser.payload", "Probable TCP FIN 
scan%{}", processor_chain([ + dup62, + ])); + + var msg239 = msg("171", part297); + + var part298 = match("MESSAGE#238:171:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup87, + ])); + + var msg240 = msg("171:01", part298); + + var part299 = match("MESSAGE#239:171:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}:%{dport}", processor_chain([ + dup87, + ])); + + var msg241 = msg("171:02", part299); + + var part300 = match("MESSAGE#240:171:03/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld1}\" sess=%{fld2->} n=%{fld3->} src=%{p0}"); + + var all38 = all_match({ + processors: [ + part300, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup87, + ]), + }); + + var msg242 = msg("171:03", all38); + + var select70 = linear_select([ + msg239, + msg240, + msg241, + msg242, + ]); + + var part301 = match("MESSAGE#241:172", "nwparser.payload", "Probable TCP XMAS scan%{}", processor_chain([ + dup62, + ])); + + var msg243 = msg("172", part301); + + var part302 = match("MESSAGE#242:172:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup62, + ])); + + var msg244 = msg("172:01", part302); + + var select71 = linear_select([ + msg243, + msg244, + ]); + + var part303 = match("MESSAGE#243:173", "nwparser.payload", "Probable TCP NULL scan%{}", processor_chain([ + dup62, + ])); + + var msg245 = msg("173", part303); + + var part304 = match("MESSAGE#244:174", "nwparser.payload", "IPSEC Replay Detected%{}", processor_chain([ + dup59, + ])); + + var msg246 = msg("174", part304); + + var all39 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup175, + dup79, + ], + on_success: processor_chain([ + dup59, + ]), + }); + + var msg247 = msg("174:01", all39); + + var all40 = all_match({ + processors: [ + dup44, + dup179, + dup36, + dup178, + ], + on_success: processor_chain([ + dup12, + ]), + }); + + var msg248 = msg("174:02", 
all40); + + var all41 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup181, + dup43, + ], + on_success: processor_chain([ + dup12, + ]), + }); + + var msg249 = msg("174:03", all41); + + var select72 = linear_select([ + msg246, + msg247, + msg248, + msg249, + ]); + + var part305 = match("MESSAGE#248:175", "nwparser.payload", "TCP FIN packet dropped%{}", processor_chain([ + dup59, + ])); + + var msg250 = msg("175", part305); + + var part306 = match("MESSAGE#249:175:01", "nwparser.payload", "msg=\"ICMP packet from LAN dropped\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} type=%{type}", processor_chain([ + dup59, + ])); + + var msg251 = msg("175:01", part306); + + var part307 = match("MESSAGE#250:175:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} type=%{type->} icmpCode=%{fld3->} npcs=%{info}", processor_chain([ + dup59, + ])); + + var msg252 = msg("175:02", part307); + + var select73 = linear_select([ + msg250, + msg251, + msg252, + ]); + + var part308 = match("MESSAGE#251:176", "nwparser.payload", "Fraudulent Microsoft Certificate Blocked%{}", processor_chain([ + dup87, + ])); + + var msg253 = msg("176", part308); + + var msg254 = msg("177", dup185); + + var msg255 = msg("178", dup190); + + var msg256 = msg("179", dup185); + + var all42 = all_match({ + processors: [ + dup33, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup91, + ]), + }); + + var msg257 = msg("180", all42); + + var all43 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup191, + dup94, + ], + on_success: processor_chain([ + dup91, + ]), + }); + + var msg258 = msg("180:01", all43); + + var select74 = linear_select([ + msg257, + msg258, + ]); + + var msg259 = msg("181", dup184); + + var all44 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup62, + ]), + }); + + var msg260 = msg("181:01", all44); + + var select75 = linear_select([ + msg259, + 
msg260, + ]); + + var msg261 = msg("193", dup228); + + var msg262 = msg("194", dup229); + + var msg263 = msg("195", dup229); + + var part309 = match("MESSAGE#262:196/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{fld2->} dst=%{daddr}:%{fld3->} sport=%{sport->} dport=%{dport->} %{p0}"); + + var part310 = match("MESSAGE#262:196/1_1", "nwparser.p0", " rcvd=%{rbytes->} cmd=%{p0}"); + + var select76 = linear_select([ + dup98, + part310, + ]); + + var all45 = all_match({ + processors: [ + part309, + select76, + dup99, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg264 = msg("196", all45); + + var part311 = match("MESSAGE#263:196:01/1_1", "nwparser.p0", "rcvd=%{rbytes->} cmd=%{p0}"); + + var select77 = linear_select([ + dup98, + part311, + ]); + + var all46 = all_match({ + processors: [ + dup95, + select77, + dup99, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg265 = msg("196:01", all46); + + var select78 = linear_select([ + msg264, + msg265, + ]); + + var msg266 = msg("199", dup230); + + var msg267 = msg("200", dup226); + + var part312 = match("MESSAGE#266:235:02", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup29, + ])); + + var msg268 = msg("235:02", part312); + + var part313 = match("MESSAGE#267:235/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{p0}"); + + var all47 = all_match({ + processors: [ + part313, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup29, + ]), + }); + + var msg269 = msg("235", all47); + + var msg270 = msg("235:01", dup231); + + var select79 = linear_select([ + msg268, + msg269, + msg270, + ]); + + var msg271 = msg("236", dup231); + + var msg272 = msg("237", dup230); + + var msg273 = msg("238", dup230); + + var part314 = match("MESSAGE#272:239", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} 
src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ + dup101, + ])); + + var msg274 = msg("239", part314); + + var part315 = match("MESSAGE#273:240", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ + dup101, + ])); + + var msg275 = msg("240", part315); + + var part316 = match("MESSAGE#274:241", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup70, + ])); + + var msg276 = msg("241", part316); + + var part317 = match("MESSAGE#275:241:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup70, + ])); + + var msg277 = msg("241:01", part317); + + var select80 = linear_select([ + msg276, + msg277, + ]); + + var part318 = match("MESSAGE#276:242/1_0", "nwparser.p0", "%{saddr}:%{sport}:: %{p0}"); + + var part319 = match("MESSAGE#276:242/1_1", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + + var select81 = linear_select([ + part318, + part319, + dup35, + ]); + + var part320 = match("MESSAGE#276:242/3_0", "nwparser.p0", "%{daddr}:%{dport}:: "); + + var part321 = match("MESSAGE#276:242/3_1", "nwparser.p0", "%{daddr}:%{dport->} "); + + var select82 = linear_select([ + part320, + part321, + dup28, + ]); + + var all48 = all_match({ + processors: [ + dup44, + select81, + dup36, + select82, + ], + on_success: processor_chain([ + dup70, + ]), + }); + + var msg278 = msg("242", all48); + + var msg279 = msg("252", dup193); + + var msg280 = msg("255", dup193); + + var msg281 = msg("257", dup193); + + var msg282 = msg("261:01", dup232); + + var msg283 = msg("261", dup193); + + var select83 = linear_select([ + msg282, + msg283, + ]); + + var msg284 = msg("262", dup232); + + var all49 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup105, + ]), + }); + + var msg285 = msg("273", all49); + + var msg286 = msg("328", dup233); + + var 
msg287 = msg("329", dup226); + + var msg288 = msg("346", dup193); + + var msg289 = msg("350", dup193); + + var msg290 = msg("351", dup193); + + var msg291 = msg("352", dup193); + + var msg292 = msg("353:01", dup190); + + var part322 = match("MESSAGE#291:353", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost->} lifeSeconds=%{misc}\"", processor_chain([ + dup5, + ])); + + var msg293 = msg("353", part322); + + var select84 = linear_select([ + msg292, + msg293, + ]); + + var part323 = match("MESSAGE#292:354", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=\"%{shost->} lifeSeconds=%{misc}\"", processor_chain([ + dup1, + ])); + + var msg294 = msg("354", part323); + + var msg295 = msg("355", dup194); + + var msg296 = msg("355:01", dup193); + + var select85 = linear_select([ + msg295, + msg296, + ]); + + var msg297 = msg("356", dup195); + + var part324 = match("MESSAGE#296:357", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} dstname=%{name}", processor_chain([ + dup87, + ])); + + var msg298 = msg("357", part324); + + var part325 = match("MESSAGE#297:357:01", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup87, + ])); + + var msg299 = msg("357:01", part325); + + var select86 = linear_select([ + msg298, + msg299, + ]); + + var msg300 = msg("358", dup196); + + var part326 = match("MESSAGE#299:371", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost}", processor_chain([ + setc("eventcategory","1503000000"), + ])); + + var msg301 = msg("371", part326); + + var msg302 = msg("371:01", dup197); + + var select87 = linear_select([ + msg301, + msg302, + ]); + + var msg303 = msg("372", dup193); + + var msg304 = msg("373", dup195); + + var msg305 = msg("401", dup234); + + var msg306 = msg("402", 
dup234); + + var msg307 = msg("406", dup196); + + var part327 = match("MESSAGE#305:413", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, + ])); + + var msg308 = msg("413", part327); + + var msg309 = msg("414", dup193); + + var msg310 = msg("438", dup235); + + var msg311 = msg("439", dup235); + + var all50 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + setc("eventcategory","1501020000"), + ]), + }); + + var msg312 = msg("440", all50); + + var all51 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + setc("eventcategory","1502050000"), + ]), + }); + + var msg313 = msg("441", all51); + + var part328 = match("MESSAGE#311:441:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + setc("eventcategory","1001020000"), + ])); + + var msg314 = msg("441:01", part328); + + var select88 = linear_select([ + msg313, + msg314, + ]); + + var all52 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + setc("eventcategory","1501030000"), + ]), + }); + + var msg315 = msg("442", all52); + + var part329 = match("MESSAGE#313:446/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{p0}"); + + var part330 = match("MESSAGE#313:446/1_0", "nwparser.p0", "%{fld1->} appName=\"%{application}\" n=%{p0}"); + + var part331 = match("MESSAGE#313:446/1_1", "nwparser.p0", "%{fld1->} n=%{p0}"); + + var select89 = linear_select([ + part330, + part331, + ]); + + var part332 = match("MESSAGE#313:446/2", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var all53 = all_match({ + processors: [ + part329, + select89, + part332, + dup199, + dup112, + ], + on_success: processor_chain([ + dup59, + dup54, + dup17, + 
dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg316 = msg("446", all53); + + var part333 = match("MESSAGE#314:477", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"MAC=%{smacaddr->} HostName:%{hostname}\"", processor_chain([ + dup113, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg317 = msg("477", part333); + + var all54 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup29, + ]), + }); + + var msg318 = msg("509", all54); + + var all55 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup103, + ]), + }); + + var msg319 = msg("520", all55); + + var msg320 = msg("522", dup236); + + var part334 = match("MESSAGE#318:522:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} srcV6=%{saddr_v6->} src= %{p0}"); + + var part335 = match("MESSAGE#318:522:01/2", "nwparser.p0", "%{}dstV6=%{daddr_v6->} dst= %{p0}"); + + var all56 = all_match({ + processors: [ + part334, + dup179, + part335, + dup175, + dup114, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg321 = msg("522:01", all56); + + var part336 = match("MESSAGE#319:522:02/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{shost->} dst= %{p0}"); + + var select90 = linear_select([ + part336, + dup39, + ]); + + var all57 = all_match({ + processors: [ + dup38, + select90, + dup10, + dup175, + dup114, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg322 = msg("522:02", all57); + + var select91 = linear_select([ + msg320, + msg321, + msg322, + ]); + + var msg323 = msg("523", dup236); + + var all58 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup175, + dup10, + dup200, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg324 = 
msg("524", all58); + + var part337 = match("MESSAGE#322:524:01/5_0", "nwparser.p0", "proto=%{protocol->} npcs= %{p0}"); + + var part338 = match("MESSAGE#322:524:01/5_1", "nwparser.p0", "rule=%{rule->} npcs= %{p0}"); + + var select92 = linear_select([ + part337, + part338, + ]); + + var all59 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup175, + dup10, + select92, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg325 = msg("524:01", all59); + + var part339 = match("MESSAGE#323:524:02/0", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}rule=\"%{p0}"); + + var part340 = match("MESSAGE#323:524:02/1_0", "nwparser.p0", "%{rule}\" note=\"%{rulename}\"%{p0}"); + + var part341 = match("MESSAGE#323:524:02/1_1", "nwparser.p0", "%{rule}\"%{p0}"); + + var select93 = linear_select([ + part340, + part341, + ]); + + var part342 = match("MESSAGE#323:524:02/2", "nwparser.p0", "%{}fw_action=\"%{action}\""); + + var all60 = all_match({ + processors: [ + part339, + select93, + part342, + ], + on_success: processor_chain([ + dup6, + dup11, + ]), + }); + + var msg326 = msg("524:02", all60); + + var select94 = linear_select([ + msg324, + msg325, + msg326, + ]); + + var msg327 = msg("526", dup237); + + var part343 = match("MESSAGE#325:526:01/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{fld20->} dst= %{p0}"); + + var select95 = linear_select([ + dup25, + part343, + dup39, + ]); + + var part344 = match("MESSAGE#325:526:01/3_1", "nwparser.p0", " %{daddr->} "); + + var select96 = linear_select([ + dup27, + part344, + ]); + + var all61 = all_match({ + processors: [ + dup80, + select95, + dup10, + select96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg328 = msg("526:01", all61); + + var all62 = all_match({ + processors: [ + dup7, + dup201, + dup10, + dup175, + dup114, + ], + 
on_success: processor_chain([ + dup1, + ]), + }); + + var msg329 = msg("526:02", all62); + + var part345 = match("MESSAGE#327:526:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + ])); + + var msg330 = msg("526:03", part345); + + var part346 = match("MESSAGE#328:526:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + ])); + + var msg331 = msg("526:04", part346); + + var part347 = match("MESSAGE#329:526:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + ])); + + var msg332 = msg("526:05", part347); + + var select97 = linear_select([ + msg327, + msg328, + msg329, + msg330, + msg331, + msg332, + ]); + + var part348 = match("MESSAGE#330:537:01/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes->} rcvd=%{p0}"); + + var part349 = match("MESSAGE#330:537:01/5_0", "nwparser.p0", "%{rbytes->} vpnpolicy=%{fld3->} "); + + var part350 = match("MESSAGE#330:537:01/5_1", "nwparser.p0", "%{rbytes->} "); + + var select98 = linear_select([ + part349, + part350, + ]); + + var all63 = all_match({ + processors: [ + dup116, + dup202, + dup10, + dup203, + part348, + select98, + ], + on_success: processor_chain([ + dup105, + ]), + }); + + var msg333 = msg("537:01", all63); + + var part351 = match("MESSAGE#331:537:02/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes}"); + + var all64 = 
all_match({ + processors: [ + dup116, + dup202, + dup10, + dup203, + part351, + ], + on_success: processor_chain([ + dup105, + ]), + }); + + var msg334 = msg("537:02", all64); + + var select99 = linear_select([ + dup117, + dup118, + dup119, + dup120, + ]); + + var part352 = match("MESSAGE#332:537:08/3_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part353 = match("MESSAGE#332:537:08/3_2", "nwparser.p0", " %{daddr}srcMac=%{p0}"); + + var select100 = linear_select([ + dup123, + part352, + part353, + ]); + + var part354 = match("MESSAGE#332:537:08/4", "nwparser.p0", "%{} %{smacaddr->} %{p0}"); + + var select101 = linear_select([ + dup124, + dup125, + ]); + + var part355 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); + + var part356 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); + + var select102 = linear_select([ + part355, + part356, + ]); + + var part357 = match("MESSAGE#332:537:08/7_0", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} fw_action=\"%{action}\" "); + + var part358 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); + + var part359 = match("MESSAGE#332:537:08/7_2", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} fw_action=\"%{action}\" "); + + var part360 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7->} "); + + var part361 = match("MESSAGE#332:537:08/7_4", "nwparser.p0", "%{fld3}"); + + var select103 = linear_select([ + part357, + part358, + part359, + part360, + part361, + ]); + + var all65 = all_match({ + processors: [ + select99, + dup204, + dup205, + select100, + part354, + select101, + select102, + select103, + ], + on_success: processor_chain([ + dup105, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg335 = msg("537:08", all65); + + var select104 = linear_select([ + dup118, + dup117, + dup119, + dup120, + ]); + + var part362 = 
match("MESSAGE#333:537:09/3_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); + + var part363 = match("MESSAGE#333:537:09/3_2", "nwparser.p0", " %{daddr}dstMac=%{p0}"); + + var select105 = linear_select([ + dup126, + part362, + part363, + ]); + + var part364 = match("MESSAGE#333:537:09/4", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + + var select106 = linear_select([ + dup129, + dup130, + dup131, + dup132, + ]); + + var all66 = all_match({ + processors: [ + select104, + dup204, + dup205, + select105, + part364, + dup206, + select106, + ], + on_success: processor_chain([ + dup105, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg336 = msg("537:09", all66); + + var part365 = match("MESSAGE#334:537:07/0_1", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); + + var select107 = linear_select([ + dup117, + part365, + dup119, + dup120, + ]); + + var part366 = match("MESSAGE#334:537:07/4_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + + var part367 = match("MESSAGE#334:537:07/4_1", "nwparser.p0", " srcMac=%{smacaddr->} proto=%{protocol->} sent=%{p0}"); + + var select108 = linear_select([ + part366, + part367, + dup124, + dup125, + ]); + + var part368 = match("MESSAGE#334:537:07/6_3", "nwparser.p0", " spkt=%{fld3->} fw_action=\"%{action}\""); + + var select109 = linear_select([ + dup129, + dup130, + dup131, + part368, + dup132, + ]); + + var all67 = all_match({ + processors: [ + select107, + dup204, + dup205, + dup186, + select108, + dup206, + select109, + ], + on_success: processor_chain([ + dup105, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg337 = msg("537:07", all67); + + var part369 = match("MESSAGE#335:537/1_0", "nwparser.p0", "%{action}\" app=%{fld51->} appName=\"%{application}\"%{p0}"); + + var part370 = match("MESSAGE#335:537/1_1", "nwparser.p0", "%{action}\"%{p0}"); + 
+ var select110 = linear_select([ + part369, + part370, + ]); + + var part371 = match("MESSAGE#335:537/2", "nwparser.p0", "%{}n=%{fld1->} src= %{p0}"); + + var part372 = match("MESSAGE#335:537/4_0", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} sent=%{p0}"); + + var part373 = match("MESSAGE#335:537/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}: proto=%{protocol->} sent=%{p0}"); + + var part374 = match("MESSAGE#335:537/4_2", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} sent=%{p0}"); + + var part375 = match("MESSAGE#335:537/4_3", "nwparser.p0", " %{daddr->} proto=%{protocol->} sent=%{p0}"); + + var select111 = linear_select([ + part372, + part373, + part374, + part375, + ]); + + var part376 = match("MESSAGE#335:537/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} fw_action=\"%{fld6}\""); + + var part377 = match("MESSAGE#335:537/5_1", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} fw_action=\"%{fld5}\""); + + var part378 = match("MESSAGE#335:537/5_2", "nwparser.p0", "%{sbytes->} spkt=%{fld3}fw_action=\"%{fld4}\""); + + var part379 = match("MESSAGE#335:537/5_3", "nwparser.p0", "%{sbytes}rcvd=%{rbytes}"); + + var part380 = match("MESSAGE#335:537/5_4", "nwparser.p0", "%{sbytes}"); + + var select112 = linear_select([ + part376, + part377, + part378, + part379, + part380, + ]); + + var all68 = all_match({ + processors: [ + dup48, + select110, + part371, + dup202, + select111, + select112, + ], + on_success: processor_chain([ + dup105, + ]), + }); + + var msg338 = msg("537", all68); + + var part381 = match("MESSAGE#336:537:04/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} npcs=%{info}"); + + var all69 = all_match({ + processors: [ + dup133, + dup180, + dup10, + dup207, + part381, + ], + on_success: processor_chain([ + dup105, + ]), + }); + + var msg339 = 
msg("537:04", all69); + + var part382 = match("MESSAGE#337:537:05/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} spkt=%{fld3->} cdur=%{p0}"); + + var part383 = match("MESSAGE#337:537:05/5_0", "nwparser.p0", "%{fld4->} appcat=%{fld5->} appid=%{fld6->} npcs= %{p0}"); + + var part384 = match("MESSAGE#337:537:05/5_1", "nwparser.p0", "%{fld4->} npcs= %{p0}"); + + var select113 = linear_select([ + part383, + part384, + ]); + + var all70 = all_match({ + processors: [ + dup133, + dup180, + dup10, + dup207, + part382, + select113, + dup90, + ], + on_success: processor_chain([ + dup105, + ]), + }); + + var msg340 = msg("537:05", all70); + + var part385 = match("MESSAGE#338:537:10/0", "nwparser.payload", "msg=\"%{event_description}\" sess=%{fld1->} n=%{p0}"); + + var part386 = match("MESSAGE#338:537:10/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); + + var part387 = match("MESSAGE#338:537:10/4_2", "nwparser.p0", "%{daddr->} dstMac=%{p0}"); + + var select114 = linear_select([ + dup126, + part386, + part387, + ]); + + var part388 = match("MESSAGE#338:537:10/5", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); + + var all71 = all_match({ + processors: [ + part385, + dup208, + dup137, + dup209, + select114, + part388, + dup210, + ], + on_success: processor_chain([ + dup105, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg341 = msg("537:10", all71); + + var part389 = match("MESSAGE#339:537:03/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{p0}"); + + var part390 = match("MESSAGE#339:537:03/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var part391 = match("MESSAGE#339:537:03/4_2", "nwparser.p0", "%{daddr->} proto=%{p0}"); + + var select115 = linear_select([ + dup77, + part390, + part391, + ]); + + var part392 = match("MESSAGE#339:537:03/5", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} 
rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); + + var all72 = all_match({ + processors: [ + part389, + dup208, + dup137, + dup209, + select115, + part392, + dup210, + ], + on_success: processor_chain([ + dup105, + ]), + }); + + var msg342 = msg("537:03", all72); + + var part393 = match("MESSAGE#340:537:06/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} spkt=%{fld3->} npcs=%{info}"); + + var all73 = all_match({ + processors: [ + dup133, + dup180, + dup10, + dup207, + part393, + ], + on_success: processor_chain([ + dup105, + ]), + }); + + var msg343 = msg("537:06", all73); + + var part394 = match("MESSAGE#341:537:11", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld3}rpkt=%{fld4}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup105, + dup54, + dup11, + dup142, + ])); + + var msg344 = msg("537:11", part394); + + var part395 = match("MESSAGE#342:537:12", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup105, + dup54, + dup11, + dup142, + ])); + + var msg345 = msg("537:12", part395); + + var select116 = linear_select([ + msg333, + msg334, + msg335, + msg336, + msg337, + msg338, + msg339, + msg340, + msg341, + msg342, + msg343, + msg344, + msg345, + ]); + + var msg346 = msg("538", dup228); + + var msg347 = msg("549", dup226); + + var msg348 = msg("557", dup226); + + var all74 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + 
setc("eventcategory","1402020200"), + ]), + }); + + var msg349 = msg("558", all74); + + var msg350 = msg("561", dup233); + + var msg351 = msg("562", dup233); + + var msg352 = msg("563", dup233); + + var all75 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + setc("eventcategory","1402020400"), + ]), + }); + + var msg353 = msg("583", all75); + + var part396 = match("MESSAGE#351:597:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ + dup143, + dup51, + dup144, + dup53, + dup54, + dup11, + dup145, + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg354 = msg("597:01", part396); + + var part397 = match("MESSAGE#352:597:02", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ + dup1, + ])); + + var msg355 = msg("597:02", part397); + + var part398 = match("MESSAGE#353:597:03/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var all76 = all_match({ + processors: [ + part398, + dup187, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg356 = msg("597:03", all76); + + var select117 = linear_select([ + msg354, + msg355, + msg356, + ]); + + var part399 = match("MESSAGE#354:598", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{type->} code=%{code}", processor_chain([ + dup1, + ])); + + var msg357 = msg("598", part399); + + var part400 = match("MESSAGE#355:598:01/2", "nwparser.p0", "%{} %{type->} npcs=%{info}"); + + var all77 = all_match({ + processors: [ + dup146, + dup182, + part400, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg358 = 
msg("598:01", all77); + + var all78 = all_match({ + processors: [ + dup146, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg359 = msg("598:02", all78); + + var select118 = linear_select([ + msg357, + msg358, + msg359, + ]); + + var part401 = match("MESSAGE#357:602:01", "nwparser.payload", "msg=\"%{event_description}allowed\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ + dup143, + dup51, + dup144, + dup53, + dup54, + dup11, + dup145, + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg360 = msg("602:01", part401); + + var msg361 = msg("602:02", dup237); + + var all79 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup175, + dup79, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg362 = msg("602:03", all79); + + var select119 = linear_select([ + msg360, + msg361, + msg362, + ]); + + var msg363 = msg("605", dup196); + + var all80 = all_match({ + processors: [ + dup147, + dup211, + dup149, + dup199, + dup112, + ], + on_success: processor_chain([ + dup87, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg364 = msg("606", all80); + + var part402 = match("MESSAGE#362:608/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} ipscat=%{ipscat->} ipspri=%{p0}"); + + var part403 = match("MESSAGE#362:608/1_0", "nwparser.p0", "%{fld66->} pktdatId=%{fld11->} n=%{p0}"); + + var part404 = match("MESSAGE#362:608/1_1", "nwparser.p0", "%{ipspri->} n=%{p0}"); + + var select120 = linear_select([ + part403, + part404, + ]); + + var part405 = match("MESSAGE#362:608/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{p0}"); + + var part406 = match("MESSAGE#362:608/3_0", "nwparser.p0", "%{sport}:%{sinterface->} dst=%{p0}"); + + var part407 = match("MESSAGE#362:608/3_1", "nwparser.p0", "%{sport->} dst=%{p0}"); + + var select121 = linear_select([ + part406, + part407, + ]); + + var 
part408 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); + + var part409 = match("MESSAGE#362:608/5_0", "nwparser.p0", "%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{fld2}\""); + + var part410 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); + + var part411 = match("MESSAGE#362:608/5_2", "nwparser.p0", "%{dport}"); + + var select122 = linear_select([ + part409, + part410, + part411, + ]); + + var all81 = all_match({ + processors: [ + part402, + select120, + part405, + select121, + part408, + select122, + ], + on_success: processor_chain([ + dup1, + dup37, + ]), + }); + + var msg365 = msg("608", all81); + + var msg366 = msg("616", dup194); + + var msg367 = msg("658", dup190); + + var msg368 = msg("710", dup212); + + var msg369 = msg("712:02", dup238); + + var msg370 = msg("712", dup212); + + var all82 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup191, + dup94, + ], + on_success: processor_chain([ + dup150, + ]), + }); + + var msg371 = msg("712:01", all82); + + var select123 = linear_select([ + msg369, + msg370, + msg371, + ]); + + var part412 = match("MESSAGE#369:713:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=%{info}", processor_chain([ + dup5, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg372 = msg("713:01", part412); + + var msg373 = msg("713:04", dup238); + + var msg374 = msg("713:02", dup212); + + var part413 = match("MESSAGE#372:713:03", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{action}\" npcs=%{info}", processor_chain([ + dup5, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg375 = msg("713:03", part413); + 
+ var select124 = linear_select([ + msg372, + msg373, + msg374, + msg375, + ]); + + var part414 = match("MESSAGE#373:760", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=%{info}", processor_chain([ + dup113, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg376 = msg("760", part414); + + var part415 = match("MESSAGE#374:760:01/0", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part416 = match("MESSAGE#374:760:01/4", "nwparser.p0", "%{} %{action->} npcs=%{info}"); + + var all83 = all_match({ + processors: [ + part415, + dup174, + dup10, + dup191, + part416, + ], + on_success: processor_chain([ + dup113, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg377 = msg("760:01", all83); + + var select125 = linear_select([ + msg376, + msg377, + ]); + + var msg378 = msg("766", dup216); + + var msg379 = msg("860", dup216); + + var msg380 = msg("860:01", dup217); + + var select126 = linear_select([ + msg379, + msg380, + ]); + + var part417 = match("MESSAGE#378:866/0", "nwparser.payload", "msg=\"%{msg}\" n=%{p0}"); + + var part418 = match("MESSAGE#378:866/1_0", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\" "); + + var part419 = match("MESSAGE#378:866/1_1", "nwparser.p0", "%{ntype->} "); + + var select127 = linear_select([ + part418, + part419, + ]); + + var all84 = all_match({ + processors: [ + part417, + select127, + ], + on_success: processor_chain([ + dup5, + dup37, + ]), + }); + + var msg381 = msg("866", all84); + + var msg382 = msg("866:01", dup217); + + var select128 = linear_select([ + msg381, + msg382, + ]); + + var msg383 = 
msg("867", dup216); + + var msg384 = msg("867:01", dup217); + + var select129 = linear_select([ + msg383, + msg384, + ]); + + var part420 = match("MESSAGE#382:882", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup1, + ])); + + var msg385 = msg("882", part420); + + var part421 = match("MESSAGE#383:882:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} npcs=%{info}", processor_chain([ + dup1, + ])); + + var msg386 = msg("882:01", part421); + + var select130 = linear_select([ + msg385, + msg386, + ]); + + var part422 = match("MESSAGE#384:888", "nwparser.payload", "msg=\"%{reason};%{action}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup159, + ])); + + var msg387 = msg("888", part422); + + var part423 = match("MESSAGE#385:888:01", "nwparser.payload", "msg=\"%{reason};%{action}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=%{fld3->} npcs=%{info}", processor_chain([ + dup159, + ])); + + var msg388 = msg("888:01", part423); + + var select131 = linear_select([ + msg387, + msg388, + ]); + + var all85 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup159, + ]), + }); + + var msg389 = msg("892", all85); + + var msg390 = msg("904", dup216); + + var msg391 = msg("905", dup216); + + var msg392 = msg("906", dup216); + + var msg393 = msg("907", dup216); + + var select132 = linear_select([ + dup73, + dup138, + ]); + + var all86 = all_match({ + processors: [ + dup160, + select132, + dup10, + dup211, + dup161, + dup199, + dup112, + ], + on_success: processor_chain([ + dup70, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + 
}); + + var msg394 = msg("908", all86); + + var msg395 = msg("909", dup216); + + var msg396 = msg("914", dup218); + + var part424 = match("MESSAGE#394:931", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup64, + ])); + + var msg397 = msg("931", part424); + + var msg398 = msg("657", dup218); + + var all87 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg399 = msg("657:01", all87); + + var select133 = linear_select([ + msg398, + msg399, + ]); + + var msg400 = msg("403", dup197); + + var msg401 = msg("534", dup176); + + var msg402 = msg("994", dup219); + + var part425 = match("MESSAGE#400:243", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} proto=%{protocol}", processor_chain([ + dup1, + dup23, + ])); + + var msg403 = msg("243", part425); + + var msg404 = msg("995", dup176); + + var part426 = match("MESSAGE#402:997", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{fld3->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld4->} note=\"%{info}\"", processor_chain([ + dup1, + dup51, + dup53, + dup54, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg405 = msg("997", part426); + + var msg406 = msg("998", dup219); + + var part427 = match("MESSAGE#405:998:01", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup105, + dup11, + ])); + + var msg407 = msg("998:01", part427); + + var select134 = linear_select([ + msg406, + msg407, + ]); + + var msg408 = msg("1110", dup220); + + var msg409 = 
msg("565", dup220); + + var part428 = match("MESSAGE#408:404", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup54, + ])); + + var msg410 = msg("404", part428); + + var select135 = linear_select([ + dup148, + dup50, + ]); + + var part429 = match("MESSAGE#409:267:01/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{fld3}\" fw_action=\"%{action}\""); + + var all88 = all_match({ + processors: [ + dup81, + select135, + part429, + ], + on_success: processor_chain([ + dup105, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg411 = msg("267:01", all88); + + var part430 = match("MESSAGE#410:267", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}", processor_chain([ + dup1, + dup54, + ])); + + var msg412 = msg("267", part430); + + var select136 = linear_select([ + msg411, + msg412, + ]); + + var part431 = match("MESSAGE#411:263", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} proto=%{protocol}", processor_chain([ + dup1, + dup23, + ])); + + var msg413 = msg("263", part431); + + var part432 = match("MESSAGE#412:264", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup103, + dup11, + ])); + + var msg414 = msg("264", part432); + + var msg415 = msg("412", dup197); + + var part433 = match("MESSAGE#415:793", "nwparser.payload", "msg=\"%{msg}\" af_polid=%{fld1->} af_policy=\"%{fld2}\" af_type=\"%{fld3}\" af_service=\"%{fld4}\" af_action=\"%{fld5}\" n=%{fld6->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ + dup1, + dup23, + ])); + + var msg416 = msg("793", 
part433); + + var part434 = match("MESSAGE#416:805", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} if=%{fld2->} ucastRx=%{fld3->} bcastRx=%{fld4->} bytesRx=%{rbytes->} ucastTx=%{fld5->} bcastTx=%{fld6->} bytesTx=%{sbytes}", processor_chain([ + dup1, + dup23, + ])); + + var msg417 = msg("805", part434); + + var part435 = match("MESSAGE#417:809", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup162, + dup11, + ])); + + var msg418 = msg("809", part435); + + var part436 = match("MESSAGE#418:809:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup162, + dup11, + ])); + + var msg419 = msg("809:01", part436); + + var select137 = linear_select([ + msg418, + msg419, + ]); + + var msg420 = msg("935", dup218); + + var msg421 = msg("614", dup221); + + var part437 = match("MESSAGE#421:748/0", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var all89 = all_match({ + processors: [ + part437, + dup199, + dup112, + ], + on_success: processor_chain([ + dup58, + dup37, + ]), + }); + + var msg422 = msg("748", all89); + + var part438 = match("MESSAGE#422:794/0", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} spycat=%{fld1->} spypri=%{fld2->} pktdatId=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var part439 = match("MESSAGE#422:794/1_0", "nwparser.p0", "%{protocol}/%{fld5->} fw_action=\"%{p0}"); + + var select138 = linear_select([ + part439, + dup111, + ]); + + var all90 = all_match({ + processors: [ + part438, + select138, + dup112, + ], + on_success: processor_chain([ + dup163, + 
dup37, + ]), + }); + + var msg423 = msg("794", all90); + + var msg424 = msg("1086", dup221); + + var part440 = match("MESSAGE#424:1430", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup163, + dup37, + ])); + + var msg425 = msg("1430", part440); + + var msg426 = msg("1149", dup221); + + var msg427 = msg("1159", dup221); + + var part441 = match("MESSAGE#427:1195", "nwparser.payload", "n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup163, + dup37, + ])); + + var msg428 = msg("1195", part441); + + var part442 = match("MESSAGE#428:1195:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}", processor_chain([ + dup163, + dup37, + ])); + + var msg429 = msg("1195:01", part442); + + var select139 = linear_select([ + msg428, + msg429, + ]); + + var part443 = match("MESSAGE#429:1226", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup5, + dup37, + ])); + + var msg430 = msg("1226", part443); + + var part444 = match("MESSAGE#430:1222", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} note=\"%{fld3}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup37, + ])); + + var msg431 = msg("1222", part444); + + var part445 = match("MESSAGE#431:1154", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ + dup1, + dup23, + ])); + + var msg432 = msg("1154", part445); + + var part446 = match("MESSAGE#432:1154:01/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{p0}"); + + var all91 = all_match({ + processors: [ + 
part446, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + dup23, + ]), + }); + + var msg433 = msg("1154:01", all91); + + var part447 = match("MESSAGE#433:1154:02", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid%{fld2->} catid=%{fld3->} sess=\"%{fld4}\" n=%{fld5->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup164, + dup11, + ])); + + var msg434 = msg("1154:02", part447); + + var part448 = match("MESSAGE#434:1154:03/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid=%{fld2->} catid=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var select140 = linear_select([ + dup123, + dup49, + ]); + + var part449 = match("MESSAGE#434:1154:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\""); + + var all92 = all_match({ + processors: [ + part448, + select140, + part449, + ], + on_success: processor_chain([ + dup164, + dup11, + ]), + }); + + var msg435 = msg("1154:03", all92); + + var select141 = linear_select([ + msg432, + msg433, + msg434, + msg435, + ]); + + var part450 = match("MESSAGE#435:msg", "nwparser.payload", "msg=\"%{msg}\" src=%{stransaddr->} dst=%{dtransaddr->} %{result}", processor_chain([ + dup165, + ])); + + var msg436 = msg("msg", part450); + + var part451 = match("MESSAGE#436:src", "nwparser.payload", "src=%{stransaddr->} dst=%{dtransaddr->} %{msg}", processor_chain([ + dup165, + ])); + + var msg437 = msg("src", part451); + + var all93 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup175, + dup10, + dup200, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg438 = msg("1235", all93); + + var part452 = match("MESSAGE#438:1197/4", "nwparser.p0", "%{}\"%{fld3->} 
Protocol:%{protocol}\" npcs=%{info}"); + + var all94 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup191, + part452, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg439 = msg("1197", all94); + + var part453 = match("MESSAGE#439:1199/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3->} sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var all95 = all_match({ + processors: [ + part453, + dup177, + dup166, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg440 = msg("1199", all95); + + var part454 = match("MESSAGE#440:1199:01", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup167, + dup11, + ])); + + var msg441 = msg("1199:01", part454); + + var part455 = match("MESSAGE#441:1199:02", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup167, + dup11, + ])); + + var msg442 = msg("1199:02", part455); + + var select142 = linear_select([ + msg440, + msg441, + msg442, + ]); + + var part456 = match("MESSAGE#442:1155/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} catid=%{fld3->} sess=%{fld4->} n=%{fld5->} src=%{p0}"); + + var all96 = all_match({ + processors: [ + part456, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg443 = msg("1155", all96); + + var part457 = match("MESSAGE#443:1155:01", "nwparser.payload", "msg=\"%{action}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} 
src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup105, + ])); + + var msg444 = msg("1155:01", part457); + + var select143 = linear_select([ + msg443, + msg444, + ]); + + var all97 = all_match({ + processors: [ + dup168, + dup201, + dup166, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg445 = msg("1198", all97); + + var all98 = all_match({ + processors: [ + dup7, + dup177, + dup166, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg446 = msg("714", all98); + + var msg447 = msg("709", dup239); + + var msg448 = msg("1005", dup239); + + var msg449 = msg("1003", dup239); + + var msg450 = msg("1007", dup240); + + var part458 = match("MESSAGE#450:1008", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}::%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup103, + dup11, + ])); + + var msg451 = msg("1008", part458); + + var msg452 = msg("708", dup240); + + var all99 = all_match({ + processors: [ + dup168, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg453 = msg("1201", all99); + + var msg454 = msg("1201:01", dup240); + + var select144 = linear_select([ + msg453, + msg454, + ]); + + var msg455 = msg("654", dup222); + + var msg456 = msg("670", dup222); + + var msg457 = msg("884", dup240); + + var part459 = match("MESSAGE#457:1153", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} rcvd=%{rbytes->} note=\"%{info}\"", processor_chain([ + dup1, + ])); + + var msg458 = msg("1153", part459); + + var part460 = match("MESSAGE#458:1153:01/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} sess=%{fld2->} n=%{p0}"); + + var part461 = 
match("MESSAGE#458:1153:01/0_1", "nwparser.payload", " msg=\"%{event_description}\" sess=%{fld2->} n=%{p0}"); + + var part462 = match("MESSAGE#458:1153:01/0_2", "nwparser.payload", " msg=\"%{event_description}\" n=%{p0}"); + + var select145 = linear_select([ + part460, + part461, + part462, + ]); + + var part463 = match("MESSAGE#458:1153:01/1", "nwparser.p0", "%{fld3->} usr=\"%{username}\" src=%{p0}"); + + var part464 = match("MESSAGE#458:1153:01/2_0", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + + var select146 = linear_select([ + part464, + dup25, + ]); + + var part465 = match("MESSAGE#458:1153:01/4_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac= %{p0}"); + + var part466 = match("MESSAGE#458:1153:01/4_1", "nwparser.p0", "%{daddr}:%{dport}srcMac= %{p0}"); + + var part467 = match("MESSAGE#458:1153:01/4_2", "nwparser.p0", "%{daddr}srcMac= %{p0}"); + + var select147 = linear_select([ + part465, + part466, + part467, + ]); + + var part468 = match("MESSAGE#458:1153:01/5", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} %{p0}"); + + var part469 = match("MESSAGE#458:1153:01/6_0", "nwparser.p0", "sent=%{sbytes}rcvd=%{rbytes->} "); + + var part470 = match("MESSAGE#458:1153:01/6_1", "nwparser.p0", "type=%{fld4->} icmpCode=%{fld5->} rcvd=%{rbytes->} "); + + var part471 = match("MESSAGE#458:1153:01/6_2", "nwparser.p0", "rcvd=%{rbytes->} "); + + var select148 = linear_select([ + part469, + part470, + part471, + ]); + + var all100 = all_match({ + processors: [ + select145, + part463, + select146, + dup10, + select147, + part468, + select148, + ], + on_success: processor_chain([ + dup1, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg459 = msg("1153:01", all100); + + var part472 = match("MESSAGE#459:1153:02/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); + + var part473 = match("MESSAGE#459:1153:02/1_0", "nwparser.p0", "app=%{fld1->} n=%{fld2->} src=%{p0}"); + + var 
part474 = match("MESSAGE#459:1153:02/1_1", "nwparser.p0", " n=%{fld2->} src=%{p0}"); + + var select149 = linear_select([ + part473, + part474, + ]); + + var part475 = match("MESSAGE#459:1153:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes}"); + + var all101 = all_match({ + processors: [ + part472, + select149, + part475, + ], + on_success: processor_chain([ + dup1, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg460 = msg("1153:02", all101); + + var select150 = linear_select([ + msg458, + msg459, + msg460, + ]); + + var part476 = match("MESSAGE#460:1107", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg461 = msg("1107", part476); + + var part477 = match("MESSAGE#461:1220/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{p0}"); + + var part478 = match("MESSAGE#461:1220/1_0", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part479 = match("MESSAGE#461:1220/1_1", "nwparser.p0", "%{fld2}src=%{saddr}:%{sport->} dst=%{p0}"); + + var select151 = linear_select([ + part478, + part479, + ]); + + var all102 = all_match({ + processors: [ + part477, + select151, + dup10, + dup223, + dup171, + ], + on_success: processor_chain([ + dup159, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg462 = msg("1220", all102); + + var all103 = all_match({ + processors: [ + dup147, + dup223, + dup171, + ], + on_success: processor_chain([ + dup159, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg463 = msg("1230", all103); + + var part480 = match("MESSAGE#463:1231", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1->} note=\"%{info}\"", processor_chain([ + dup1, + ])); + + var msg464 = msg("1231", part480); + + var part481 = match("MESSAGE#464:1233", 
"nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup167, + dup11, + ])); + + var msg465 = msg("1233", part481); + + var part482 = match("MESSAGE#465:1079/0", "nwparser.payload", "msg=\"User%{username}log%{p0}"); + + var part483 = match("MESSAGE#465:1079/1_0", "nwparser.p0", "in%{p0}"); + + var part484 = match("MESSAGE#465:1079/1_1", "nwparser.p0", "out%{p0}"); + + var select152 = linear_select([ + part483, + part484, + ]); + + var part485 = match("MESSAGE#465:1079/2", "nwparser.p0", "\"%{p0}"); + + var part486 = match("MESSAGE#465:1079/3_0", "nwparser.p0", "dur=%{duration->} %{space}n=%{fld1}"); + + var part487 = match("MESSAGE#465:1079/3_1", "nwparser.p0", "sess=\"%{fld2}\" n=%{fld1->} "); + + var part488 = match("MESSAGE#465:1079/3_2", "nwparser.p0", "n=%{fld1}"); + + var select153 = linear_select([ + part486, + part487, + part488, + ]); + + var all104 = all_match({ + processors: [ + part482, + select152, + part485, + select153, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg466 = msg("1079", all104); + + var part489 = match("MESSAGE#466:1079:01", "nwparser.payload", "msg=\"Client%{username}is assigned IP:%{hostip}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg467 = msg("1079:01", part489); + + var part490 = match("MESSAGE#467:1079:02", "nwparser.payload", "msg=\"destination for %{daddr->} is not allowed by access control\" n=%{fld2}", processor_chain([ + dup1, + dup11, + setc("event_description","destination is not allowed by access control"), + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg468 = msg("1079:02", part490); + + var part491 = match("MESSAGE#468:1079:03", "nwparser.payload", "msg=\"SSLVPN Client %{username->} matched device profile Default Device Profile for Windows\" n=%{fld2}", 
processor_chain([ + dup1, + dup11, + setc("event_description","SSLVPN Client matched device profile Default Device Profile for Windows"), + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg469 = msg("1079:03", part491); + + var select154 = linear_select([ + msg466, + msg467, + msg468, + msg469, + ]); + + var part492 = match("MESSAGE#469:1080/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=\"%{username}\" src= %{p0}"); + + var part493 = match("MESSAGE#469:1080/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var select155 = linear_select([ + dup73, + part493, + ]); + + var select156 = linear_select([ + dup77, + dup78, + ]); + + var part494 = match("MESSAGE#469:1080/4", "nwparser.p0", "%{} %{protocol}"); + + var all105 = all_match({ + processors: [ + part492, + select155, + dup10, + select156, + part494, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg470 = msg("1080", all105); + + var part495 = match("MESSAGE#470:580", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var msg471 = msg("580", part495); + + var part496 = match("MESSAGE#471:1369/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); + + var all106 = all_match({ + processors: [ + part496, + dup224, + dup112, + ], + on_success: processor_chain([ + dup70, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg472 = msg("1369", all106); + + var all107 = all_match({ + processors: [ + dup147, + dup211, + dup149, + dup224, + dup112, + ], + on_success: processor_chain([ + dup70, + dup54, + dup17, + 
dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg473 = msg("1370", all107); + + var all108 = all_match({ + processors: [ + dup147, + dup211, + dup161, + dup199, + dup112, + ], + on_success: processor_chain([ + dup70, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg474 = msg("1371", all108); + + var part497 = match("MESSAGE#474:1387/1_1", "nwparser.p0", "%{saddr}:%{sport}: dst=%{p0}"); + + var select157 = linear_select([ + dup138, + part497, + ]); + + var all109 = all_match({ + processors: [ + dup160, + select157, + dup10, + dup211, + dup161, + dup199, + dup112, + ], + on_success: processor_chain([ + dup159, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg475 = msg("1387", all109); + + var part498 = match("MESSAGE#475:1391/0", "nwparser.payload", "pktdatId=%{fld1}pktdatNum=\"%{fld2}\" pktdatEnc=\"%{fld3}\" n=%{fld4}src=%{p0}"); + + var part499 = match("MESSAGE#475:1391/1_1", "nwparser.p0", "%{saddr}:%{sport}dst=%{p0}"); + + var select158 = linear_select([ + dup69, + part499, + ]); + + var part500 = match("MESSAGE#475:1391/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost}"); + + var part501 = match("MESSAGE#475:1391/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); + + var part502 = match("MESSAGE#475:1391/2_2", "nwparser.p0", "%{daddr}:%{dport}"); + + var select159 = linear_select([ + part500, + part501, + part502, + ]); + + var all110 = all_match({ + processors: [ + part498, + select158, + select159, + ], + on_success: processor_chain([ + dup1, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg476 = msg("1391", all110); + + var part503 = match("MESSAGE#476:1253", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1}appName=\"%{application}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\"", 
processor_chain([ + dup5, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var msg477 = msg("1253", part503); + + var part504 = match("MESSAGE#477:1009", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var msg478 = msg("1009", part504); + + var part505 = match("MESSAGE#478:910/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2}appName=\"%{application}\" n=%{fld3}src=%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + + var part506 = match("MESSAGE#478:910/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{p0}"); + + var part507 = match("MESSAGE#478:910/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{p0}"); + + var select160 = linear_select([ + part506, + part507, + ]); + + var part508 = match("MESSAGE#478:910/2", "nwparser.p0", "%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\""); + + var all111 = all_match({ + processors: [ + part505, + select160, + part508, + ], + on_success: processor_chain([ + dup5, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg479 = msg("910", all111); + + var part509 = match("MESSAGE#479:m:01", "nwparser.payload", "m=%{id1}msg=\"%{event_description}\" n=%{fld2}if=%{interface}ucastRx=%{fld3}bcastRx=%{fld4}bytesRx=%{rbytes}ucastTx=%{fld5}bcastTx=%{fld6}bytesTx=%{sbytes}", processor_chain([ + dup1, + dup54, + dup17, + dup82, + dup19, + dup21, + dup37, + ])); + + var msg480 = msg("m:01", part509); + + var part510 = match("MESSAGE#480:1011", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var msg481 = msg("1011", part510); + + var part511 = match("MESSAGE#481:609", "nwparser.payload", "msg=\"%{event_description}\" 
sid=%{sid->} ipscat=\"%{fld3}\" ipspri=%{fld4->} pktdatId=%{fld5->} n=%{fld6->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup164, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var msg482 = msg("609", part511); + + var msg483 = msg("796", dup225); + + var part512 = match("MESSAGE#483:880", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup70, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var msg484 = msg("880", part512); + + var part513 = match("MESSAGE#484:1309", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup159, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var msg485 = msg("1309", part513); + + var msg486 = msg("1310", dup225); + + var part514 = match("MESSAGE#486:1232/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"%{p0}"); + + var part515 = match("MESSAGE#486:1232/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=\"%{p0}"); + + var select161 = linear_select([ + part514, + part515, + ]); + + var part516 = match("MESSAGE#486:1232/2", "nwparser.p0", "%{info}\" fw_action=\"%{action}\""); + + var all112 = all_match({ + processors: [ + dup81, + select161, + part516, + ], + on_success: processor_chain([ + dup1, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg487 = msg("1232", all112); + + var part517 = match("MESSAGE#487:1447/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} appName=\"%{application}\" n=%{fld2->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var all113 = all_match({ + processors: [ + part517, + dup199, + dup112, 
+ ], + on_success: processor_chain([ + dup159, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg488 = msg("1447", all113); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "10": msg9, + "100": msg159, + "1003": msg449, + "1005": msg448, + "1007": msg450, + "1008": msg451, + "1009": msg478, + "101": msg160, + "1011": msg481, + "102": msg161, + "103": msg162, + "104": msg163, + "105": msg164, + "106": msg165, + "107": msg166, + "1079": select154, + "108": msg167, + "1080": msg470, + "1086": msg424, + "109": msg168, + "11": msg10, + "110": msg169, + "1107": msg461, + "111": select66, + "1110": msg408, + "112": msg172, + "113": msg173, + "114": msg174, + "1149": msg426, + "115": select67, + "1153": select150, + "1154": select141, + "1155": select143, + "1159": msg427, + "116": msg177, + "117": msg178, + "118": msg179, + "119": msg180, + "1195": select139, + "1197": msg439, + "1198": msg445, + "1199": select142, + "12": select4, + "120": msg181, + "1201": select144, + "121": msg182, + "122": msg183, + "1220": msg462, + "1222": msg431, + "1226": msg430, + "123": msg184, + "1230": msg463, + "1231": msg464, + "1232": msg487, + "1233": msg465, + "1235": msg438, + "124": msg185, + "125": msg186, + "1253": msg477, + "1254": msg187, + "1256": msg188, + "1257": msg189, + "126": msg190, + "127": msg191, + "128": msg192, + "129": msg193, + "13": msg13, + "130": msg194, + "1309": msg485, + "131": msg195, + "1310": msg486, + "132": msg196, + "133": msg197, + "134": msg198, + "135": msg199, + "136": msg200, + "1369": msg472, + "137": msg201, + "1370": msg473, + "1371": msg474, + "138": msg202, + "1387": msg475, + "139": select68, + "1391": msg476, + "14": select7, + "140": msg205, + "141": msg206, + "142": msg207, + "143": msg208, + "1430": msg425, + "1431": msg209, + "144": msg210, + "1447": msg488, + "145": msg211, + "146": msg212, + "147": msg213, + "148": msg214, + "1480": msg215, + "149": msg216, + "15": msg20, + "150": 
msg217, + "151": msg218, + "152": msg219, + "153": msg220, + "154": msg221, + "155": msg222, + "156": msg223, + "157": select69, + "158": msg226, + "159": msg227, + "16": msg21, + "160": msg228, + "161": msg229, + "162": msg230, + "163": msg231, + "164": msg232, + "165": msg233, + "166": msg234, + "167": msg235, + "168": msg236, + "169": msg237, + "17": msg22, + "170": msg238, + "171": select70, + "172": select71, + "173": msg245, + "174": select72, + "175": select73, + "176": msg253, + "177": msg254, + "178": msg255, + "179": msg256, + "18": msg23, + "180": select74, + "181": select75, + "19": msg24, + "193": msg261, + "194": msg262, + "195": msg263, + "196": select78, + "199": msg266, + "20": msg25, + "200": msg267, + "21": msg26, + "22": msg27, + "23": select10, + "235": select79, + "236": msg271, + "237": msg272, + "238": msg273, + "239": msg274, + "24": select11, + "240": msg275, + "241": select80, + "242": msg278, + "243": msg403, + "25": msg34, + "252": msg279, + "255": msg280, + "257": msg281, + "26": msg35, + "261": select83, + "262": msg284, + "263": msg413, + "264": msg414, + "267": select136, + "27": msg36, + "273": msg285, + "28": select12, + "29": select13, + "30": select14, + "31": select15, + "32": select16, + "328": msg286, + "329": msg287, + "33": select17, + "34": msg52, + "346": msg288, + "35": select19, + "350": msg289, + "351": msg290, + "352": msg291, + "353": select84, + "354": msg294, + "355": select85, + "356": msg297, + "357": select86, + "358": msg300, + "36": select23, + "37": select27, + "371": select87, + "372": msg303, + "373": msg304, + "38": select30, + "39": msg67, + "4": msg1, + "40": msg68, + "401": msg305, + "402": msg306, + "403": msg400, + "404": msg410, + "406": msg307, + "41": select31, + "412": msg415, + "413": msg308, + "414": msg309, + "42": msg72, + "427": msg156, + "428": msg157, + "43": msg73, + "438": msg310, + "439": msg311, + "44": msg74, + "440": msg312, + "441": select88, + "442": msg315, + "446": msg316, + "45": 
select32, + "46": select33, + "47": msg82, + "477": msg317, + "48": msg83, + "49": msg84, + "5": select2, + "50": msg85, + "509": msg318, + "51": msg86, + "52": msg87, + "520": msg319, + "522": select91, + "523": msg323, + "524": select94, + "526": select97, + "53": msg88, + "534": msg401, + "537": select116, + "538": msg346, + "549": msg347, + "557": msg348, + "558": msg349, + "561": msg350, + "562": msg351, + "563": msg352, + "565": msg409, + "58": msg89, + "580": msg471, + "583": msg353, + "597": select117, + "598": select118, + "6": select3, + "60": msg90, + "602": select119, + "605": msg363, + "606": msg364, + "608": msg365, + "609": msg482, + "61": msg91, + "614": msg421, + "616": msg366, + "62": msg92, + "63": select34, + "64": msg95, + "65": msg96, + "654": msg455, + "657": select133, + "658": msg367, + "66": msg97, + "67": select35, + "670": msg456, + "68": msg100, + "69": msg101, + "7": msg6, + "70": select37, + "708": msg452, + "709": msg447, + "710": msg368, + "712": select123, + "713": select124, + "714": msg446, + "72": select38, + "73": msg106, + "74": msg107, + "748": msg422, + "75": msg108, + "76": msg109, + "760": select125, + "766": msg378, + "77": msg110, + "78": msg111, + "79": msg112, + "793": msg416, + "794": msg423, + "796": msg483, + "8": msg7, + "80": msg113, + "805": msg417, + "809": select137, + "81": msg114, + "82": select39, + "83": select40, + "84": msg122, + "860": select126, + "866": select128, + "867": select129, + "87": select42, + "88": select43, + "880": msg484, + "882": select130, + "884": msg457, + "888": select131, + "89": select45, + "892": msg389, + "9": msg8, + "90": msg129, + "904": msg390, + "905": msg391, + "906": msg392, + "907": msg393, + "908": msg394, + "909": msg395, + "91": msg130, + "910": msg479, + "914": msg396, + "92": msg131, + "93": msg132, + "931": msg397, + "935": msg420, + "94": msg133, + "95": msg134, + "96": msg135, + "97": select52, + "98": select65, + "986": msg155, + "99": msg158, + "994": msg402, + 
"995": msg404, + "997": msg405, + "998": select134, + "m": msg480, + "msg": msg436, + "src": msg437, + }), + ]); + + var part518 = match("MESSAGE#14:14:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part519 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + + var part520 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part521 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{} %{p0}"); + + var part522 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var part523 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); + + var part524 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part525 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); + + var part526 = match("MESSAGE#38:29:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); + + var part527 = match("MESSAGE#38:29:01/3_1", "nwparser.p0", "%{daddr->} "); + + var part528 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); + + var part529 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); + + var part530 = match("MESSAGE#54:36:01/2_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); + + var part531 = match("MESSAGE#54:36:01/2_1", "nwparser.p0", "%{saddr->} %{p0}"); + + var part532 = match("MESSAGE#54:36:01/3", "nwparser.p0", "%{}dst= %{p0}"); + + var part533 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part534 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); + + var part535 = match("MESSAGE#57:37:01/1_1", "nwparser.p0", "n=%{fld1->} src=%{p0}"); + + var part536 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); + + var part537 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + + var part538 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{} %{protocol->} npcs=%{info}"); + + var part539 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); + + var part540 = match("MESSAGE#62:38:01/5_1", "nwparser.p0", "rule=%{rule->} "); + + var part541 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} type= %{p0}"); + + var part542 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} type= %{p0}"); + + var part543 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{p0}"); + + var part544 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part545 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); + + var part546 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); + + var part547 = match("MESSAGE#135:97:01/7_1", "nwparser.p0", "dstname=%{name->} "); + + var part548 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part549 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{p0}"); + + var part550 = match("MESSAGE#140:97:06/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + + var part551 = match("MESSAGE#145:98/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); + + var part552 = match("MESSAGE#145:98/3_0", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + + var part553 = match("MESSAGE#147:98:01/4_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); + + var part554 = match("MESSAGE#147:98:01/4_2", "nwparser.p0", "%{saddr}dst=%{p0}"); + + var part555 = match("MESSAGE#147:98:01/6_1", 
"nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var part556 = match("MESSAGE#147:98:01/6_2", "nwparser.p0", " %{daddr->} %{p0}"); + + var part557 = match("MESSAGE#148:98:06/5_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + + var part558 = match("MESSAGE#148:98:06/5_3", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var part559 = match("MESSAGE#149:98:02/4", "nwparser.p0", "%{}proto=%{protocol}"); + + var part560 = match("MESSAGE#154:427/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); + + var part561 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part562 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} npcs= %{p0}"); + + var part563 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs= %{p0}"); + + var part564 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{} %{info}"); + + var part565 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note= %{p0}"); + + var part566 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note= %{p0}"); + + var part567 = match("MESSAGE#256:180:01/4", "nwparser.p0", "%{}\"%{fld3}\" npcs=%{info}"); + + var part568 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); + + var part569 = match("MESSAGE#260:194/1_0", "nwparser.p0", "sent=%{sbytes->} "); + + var part570 = match("MESSAGE#260:194/1_1", "nwparser.p0", " rcvd=%{rbytes}"); + + var part571 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); + + var part572 = match("MESSAGE#262:196/2", "nwparser.p0", "%{method}"); + + var part573 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} 
src=%{p0}"); + + var part574 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); + + var part575 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); + + var part576 = match("MESSAGE#302:401/1_1", "nwparser.p0", " %{space}"); + + var part577 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); + + var part578 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); + + var part579 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); + + var part580 = match("MESSAGE#318:522:01/4", "nwparser.p0", "%{}proto=%{protocol->} npcs=%{info}"); + + var part581 = match("MESSAGE#321:524/5_0", "nwparser.p0", "proto=%{protocol->} "); + + var part582 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part583 = match("MESSAGE#332:537:08/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} appName=\"%{application}\"n=%{p0}"); + + var part584 = match("MESSAGE#332:537:08/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); + + var part585 = match("MESSAGE#332:537:08/0_2", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51}n=%{p0}"); + + var part586 = match("MESSAGE#332:537:08/0_3", "nwparser.payload", "msg=\"%{event_description}\"n=%{p0}"); + + var part587 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); + + var part588 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", "%{fld1}src=%{p0}"); + + var part589 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); + + var part590 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + + var part591 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", " proto=%{protocol->} sent=%{p0}"); + + var 
part592 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); + + var part593 = match("MESSAGE#333:537:09/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} %{p0}"); + + var part594 = match("MESSAGE#333:537:09/5_1", "nwparser.p0", "%{sbytes->} %{p0}"); + + var part595 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", " spkt=%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); + + var part596 = match("MESSAGE#333:537:09/6_1", "nwparser.p0", "spkt=%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); + + var part597 = match("MESSAGE#333:537:09/6_2", "nwparser.p0", "spkt=%{fld3->} cdur=%{fld7->} "); + + var part598 = match("MESSAGE#333:537:09/6_3", "nwparser.p0", " spkt=%{fld3}"); + + var part599 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part600 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); + + var part601 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "%{fld2->} usr=\"%{username}\" %{p0}"); + + var part602 = match("MESSAGE#338:537:10/1_1", "nwparser.p0", "%{fld2->} %{p0}"); + + var part603 = match("MESSAGE#338:537:10/2", "nwparser.p0", "%{}src=%{p0}"); + + var part604 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part605 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); + + var part606 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info->} "); + + var part607 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12->} "); + + var part608 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part609 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part610 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{daddr}:%{dport->} 
srcMac=%{p0}"); + + var part611 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); + + var part612 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); + + var part613 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); + + var part614 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part615 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part616 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); + + var part617 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); + + var part618 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); + + var part619 = match("MESSAGE#366:712:02/5", "nwparser.p0", "%{fld51}"); + + var part620 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{p0}"); + + var part621 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part622 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{} %{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); + + var part623 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part624 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=%{p0}"); + + var part625 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{daddr}:%{dport->} note=%{p0}"); + + var part626 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); + + var part627 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); + + var part628 = match("MESSAGE#471:1369/1_1", "nwparser.p0", 
"%{protocol}fw_action=\"%{p0}"); + + var select162 = linear_select([ + dup8, + dup9, + ]); + + var select163 = linear_select([ + dup15, + dup16, + ]); + + var part629 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, + ])); + + var select164 = linear_select([ + dup25, + dup26, + ]); + + var select165 = linear_select([ + dup27, + dup28, + ]); + + var select166 = linear_select([ + dup34, + dup35, + ]); + + var select167 = linear_select([ + dup25, + dup39, + ]); + + var select168 = linear_select([ + dup41, + dup42, + ]); + + var select169 = linear_select([ + dup46, + dup47, + ]); + + var select170 = linear_select([ + dup49, + dup50, + ]); + + var part630 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup62, + ])); + + var part631 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup5, + ])); + + var select171 = linear_select([ + dup71, + dup75, + dup76, + ]); + + var select172 = linear_select([ + dup8, + dup25, + ]); + + var part632 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ + dup1, + ])); + + var select173 = linear_select([ + dup88, + dup89, + ]); + + var part633 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup5, + ])); + + var select174 = linear_select([ + dup92, + dup93, + ]); + + var select175 = linear_select([ + dup96, + dup97, + ]); + + var part634 = match("MESSAGE#277:252", "nwparser.payload", 
"msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup87, + ])); + + var part635 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup87, + ])); + + var part636 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup1, + ])); + + var part637 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, + ])); + + var part638 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, + ])); + + var select176 = linear_select([ + dup66, + dup108, + ]); + + var select177 = linear_select([ + dup110, + dup111, + ]); + + var select178 = linear_select([ + dup115, + dup45, + ]); + + var select179 = linear_select([ + dup8, + dup26, + ]); + + var select180 = linear_select([ + dup8, + dup25, + dup39, + ]); + + var select181 = linear_select([ + dup71, + dup15, + dup16, + ]); + + var select182 = linear_select([ + dup121, + dup122, + ]); + + var select183 = linear_select([ + dup68, + dup69, + dup74, + ]); + + var select184 = linear_select([ + dup127, + dup128, + ]); + + var select185 = linear_select([ + dup41, + dup42, + dup134, + ]); + + var select186 = linear_select([ + dup135, + dup136, + ]); + + var select187 = linear_select([ + dup138, + dup139, + ]); + + var select188 = linear_select([ + dup140, + dup141, + ]); + + var select189 = linear_select([ + dup49, + dup148, + ]); + + var part639 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup150, + ])); + + var select190 = linear_select([ + dup152, + dup40, + ]); + + var 
select191 = linear_select([ + dup154, + dup155, + ]); + + var select192 = linear_select([ + dup156, + dup157, + ]); + + var part640 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup5, + ])); + + var part641 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ + dup5, + ])); + + var part642 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ + dup5, + dup23, + ])); + + var part643 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, + ])); + + var part644 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + dup23, + ])); + + var part645 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup163, + dup37, + ])); + + var part646 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ + dup1, + ])); + + var select193 = linear_select([ + dup169, + dup170, + ]); + + var select194 = linear_select([ + dup172, + dup173, + ]); + + var part647 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup1, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var all114 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var all115 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup85, + ]), + }); + + var all116 = 
all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup59, + ]), + }); + + var all117 = all_match({ + processors: [ + dup95, + dup192, + ], + on_success: processor_chain([ + dup59, + ]), + }); + + var all118 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup100, + ]), + }); + + var all119 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup29, + ]), + }); + + var all120 = all_match({ + processors: [ + dup102, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup103, + ]), + }); + + var all121 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup106, + ]), + }); + + var all122 = all_match({ + processors: [ + dup107, + dup198, + ], + on_success: processor_chain([ + dup87, + ]), + }); + + var all123 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup109, + ]), + }); + + var all124 = all_match({ + processors: [ + dup44, + dup179, + dup36, + dup178, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var all125 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup175, + dup79, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var all126 = all_match({ + processors: [ + dup151, + dup213, + dup153, + dup214, + dup215, + dup158, + ], + on_success: processor_chain([ + dup150, + dup51, + dup52, + dup53, + dup54, + dup37, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var all127 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup191, + dup94, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var all128 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), + }); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + 
fields: + ecs.version: 1.5.0 diff --git a/packages/sonicwall/0.1.0/dataset/firewall/agent/stream/udp.yml.hbs b/packages/sonicwall/0.1.0/dataset/firewall/agent/stream/udp.yml.hbs new file mode 100644 index 0000000000..d682c1366a --- /dev/null +++ b/packages/sonicwall/0.1.0/dataset/firewall/agent/stream/udp.yml.hbs 
@@ -0,0 +1,9578 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Sonicwall" + product: "Firewalls" + type: "Firewall" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]},
+ "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
+ "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
+ "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
+ "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
+ "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
+ "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
+ "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
+ "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
+ "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
+ "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
+ "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
+ "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
+ "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
+ "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
+ "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
+ "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
+ "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
+ "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
+ "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
+ "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
+ "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
+ "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
+ "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
+ "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
+ "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
+ "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]},
+ "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
+ "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
+ "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
+ "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
+ "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
+ "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
+ "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
+ "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
+ "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
+ "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
+ "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
+ "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
+ "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
+ "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
+ "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
+ "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
+ "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
+ "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
+ "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
+ "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
+ "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
+ "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
+ "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
+ "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
+ "number": {to:[{field: "rsa.misc.number", setter: fld_set}]},
+ "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
+ "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
+ "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
+ "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
+ 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
+ "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
+ "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
+ "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
+ "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
+ "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
+ "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
+ "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
+ "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
+ "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
+ "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
+ "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
+ "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
+ "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
+ "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
+ "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
+ "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
+ "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
+ "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
+ "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
+ "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
+ "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
+ "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
+ "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
+ "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
+ "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
+ "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
+ "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]},
+ "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
+ "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
+ "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
+ "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
+ "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
+ "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
+ "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
+ "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
+ "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
+ "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
+ "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
+ "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
+ "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
+ "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
+ "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
+ "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
+ "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
+ "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
+ "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
+ "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
+ "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
+ "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
+ "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
+ "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
+ "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
+ "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
+ "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]},
+ "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
+ "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
+ "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
+ "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
+ "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
+ "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
+ "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
+ "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
+ "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
+ "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
+ "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
+ "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
+ "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
+ "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
+ "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
+ "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
+ "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
+ "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
+ "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
+ "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
+ "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
+ "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
+ "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
+ "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
+ "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
+ "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
+ "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]},
+ "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
+ "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
+ "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
+ "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
+ "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
+ "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
+ "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
+ "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
+ "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
+ "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
+ "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
+ "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
+ "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
+ "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
+ "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
+ "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
+ "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
+ "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
+ "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
+ "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
+ "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]},
+ "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
+ "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
+ "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
+ 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
+ "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
+ "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
+ "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
+ "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
+ "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
+ "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
+ "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
+ "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
+ "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
+ "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
+ "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
+ "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
+ "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
+ "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
+ "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
+ "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
+ "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
+ "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
+ "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
+ "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
+ "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
+ "second": {to:[{field: "rsa.misc.second", setter: fld_set}]},
+ "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
+ "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
+ "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
+ "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]},
+ "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
+ "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
+ "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
+ "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
+ "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
+ "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
+ "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
+ "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
+ "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
+ "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
+ "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
+ "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
+ "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
+ "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
+ "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
+ "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
+ "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
+ "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
+ "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
+ "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
+ "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
+ "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]},
+ "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
+ "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
+ "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
+ "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
+ "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]},
+ "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
+ "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
+ "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
+ "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
+ "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
+ "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
+ "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
+ "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
+ "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
+ "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
+ "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
+ "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
+ "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
+ "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
+ "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
+ "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
+ "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
+ "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
+ "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
+ "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
+ "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
+ "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
+ "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
+ "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]},
+ "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
+ "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
+ "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
+ "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]},
+ "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
+ "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
+ "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
+ "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
+ "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
+ "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
+ "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
+ "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
+ "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
+ "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
+ "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
+ "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
+ "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
+ "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
+ "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
+ "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
+ "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
+ "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
+ "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
+ "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
+ "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
+ "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
+ "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]},
+ "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
+ "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
+ "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
+ "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} n=%{fld2->} src=%{p0}"); + + var dup8 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + + var dup9 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var dup10 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{} %{p0}"); + + var dup11 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup12 = setc("eventcategory","1502010000"); + + var dup13 = setc("eventcategory","1502020000"); + + var dup14 = setc("eventcategory","1002010000"); + + var dup15 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var dup16 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); + + var dup17 = setf("hostip","hhostip"); + + var dup18 = setf("id","hid"); + + var dup19 = setf("serial_number","hserial_number"); + + var dup20 = setf("category","hcategory"); + + var dup21 = setf("severity","hseverity"); + + var dup22 = setc("eventcategory","1805010000"); + + var dup23 = call({ + dest: "nwparser.msg", + fn: RMQ, + args: [ + field("msg"), + ], + }); + + var dup24 = setc("eventcategory","1302000000"); + + var dup25 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var dup26 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); + + var dup27 = match("MESSAGE#38:29:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); + + var dup28 = match("MESSAGE#38:29:01/3_1", "nwparser.p0", "%{daddr->} "); + + var dup29 = setc("eventcategory","1401050100"); + + var dup30 = setc("eventcategory","1401030000"); + + var dup31 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); + + var dup32 = setc("eventcategory","1301020000"); + + var 
dup33 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); + + var dup34 = match("MESSAGE#54:36:01/2_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); + + var dup35 = match("MESSAGE#54:36:01/2_1", "nwparser.p0", "%{saddr->} %{p0}"); + + var dup36 = match("MESSAGE#54:36:01/3", "nwparser.p0", "%{}dst= %{p0}"); + + var dup37 = date_time({ + dest: "event_time", + args: ["date","time"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup38 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup39 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); + + var dup40 = match("MESSAGE#57:37:01/1_1", "nwparser.p0", "n=%{fld1->} src=%{p0}"); + + var dup41 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); + + var dup42 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + + var dup43 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{} %{protocol->} npcs=%{info}"); + + var dup44 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); + + var dup45 = match("MESSAGE#62:38:01/5_1", "nwparser.p0", "rule=%{rule->} "); + + var dup46 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} type= %{p0}"); + + var dup47 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} type= %{p0}"); + + var dup48 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{p0}"); + + var dup49 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var dup50 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); + + var dup51 = setc("ec_subject","NetworkComm"); + + var dup52 = setc("ec_activity","Deny"); + + var dup53 = setc("ec_theme","Communication"); + + var dup54 = 
setf("msg","$MSG"); + + var dup55 = setc("action","dropped"); + + var dup56 = setc("eventcategory","1608010000"); + + var dup57 = setc("eventcategory","1302010000"); + + var dup58 = setc("eventcategory","1301000000"); + + var dup59 = setc("eventcategory","1001000000"); + + var dup60 = setc("eventcategory","1003030000"); + + var dup61 = setc("eventcategory","1003050000"); + + var dup62 = setc("eventcategory","1103000000"); + + var dup63 = setc("eventcategory","1603110000"); + + var dup64 = setc("eventcategory","1605020000"); + + var dup65 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); + + var dup66 = match("MESSAGE#135:97:01/7_1", "nwparser.p0", "dstname=%{name->} "); + + var dup67 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup68 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{p0}"); + + var dup69 = match("MESSAGE#140:97:06/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + + var dup70 = setc("eventcategory","1801000000"); + + var dup71 = match("MESSAGE#145:98/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); + + var dup72 = match("MESSAGE#145:98/3_0", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + + var dup73 = match("MESSAGE#147:98:01/4_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); + + var dup74 = match("MESSAGE#147:98:01/4_2", "nwparser.p0", "%{saddr}dst=%{p0}"); + + var dup75 = match("MESSAGE#147:98:01/6_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var dup76 = match("MESSAGE#147:98:01/6_2", "nwparser.p0", " %{daddr->} %{p0}"); + + var dup77 = match("MESSAGE#148:98:06/5_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + + var dup78 = match("MESSAGE#148:98:06/5_3", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var dup79 = match("MESSAGE#149:98:02/4", 
"nwparser.p0", "%{}proto=%{protocol}"); + + var dup80 = match("MESSAGE#154:427/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); + + var dup81 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var dup82 = setf("id","hfld1"); + + var dup83 = setc("eventcategory","1001020309"); + + var dup84 = setc("eventcategory","1303000000"); + + var dup85 = setc("eventcategory","1801010100"); + + var dup86 = setc("eventcategory","1604010000"); + + var dup87 = setc("eventcategory","1002020000"); + + var dup88 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} npcs= %{p0}"); + + var dup89 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs= %{p0}"); + + var dup90 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{} %{info}"); + + var dup91 = setc("eventcategory","1001010000"); + + var dup92 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note= %{p0}"); + + var dup93 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note= %{p0}"); + + var dup94 = match("MESSAGE#256:180:01/4", "nwparser.p0", "%{}\"%{fld3}\" npcs=%{info}"); + + var dup95 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); + + var dup96 = match("MESSAGE#260:194/1_0", "nwparser.p0", "sent=%{sbytes->} "); + + var dup97 = match("MESSAGE#260:194/1_1", "nwparser.p0", " rcvd=%{rbytes}"); + + var dup98 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); + + var dup99 = match("MESSAGE#262:196/2", "nwparser.p0", "%{method}"); + + var dup100 = setc("eventcategory","1401060000"); + + var dup101 = setc("eventcategory","1804000000"); + + var dup102 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} 
src=%{p0}"); + + var dup103 = setc("eventcategory","1401070000"); + + var dup104 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); + + var dup105 = setc("eventcategory","1801030000"); + + var dup106 = setc("eventcategory","1402020300"); + + var dup107 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); + + var dup108 = match("MESSAGE#302:401/1_1", "nwparser.p0", " %{space}"); + + var dup109 = setc("eventcategory","1402000000"); + + var dup110 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); + + var dup111 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); + + var dup112 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); + + var dup113 = setc("eventcategory","1803020000"); + + var dup114 = match("MESSAGE#318:522:01/4", "nwparser.p0", "%{}proto=%{protocol->} npcs=%{info}"); + + var dup115 = match("MESSAGE#321:524/5_0", "nwparser.p0", "proto=%{protocol->} "); + + var dup116 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup117 = match("MESSAGE#332:537:08/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} appName=\"%{application}\"n=%{p0}"); + + var dup118 = match("MESSAGE#332:537:08/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); + + var dup119 = match("MESSAGE#332:537:08/0_2", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51}n=%{p0}"); + + var dup120 = match("MESSAGE#332:537:08/0_3", "nwparser.payload", "msg=\"%{event_description}\"n=%{p0}"); + + var dup121 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); + + var dup122 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", "%{fld1}src=%{p0}"); + + var dup123 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); + + var dup124 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + + var dup125 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", " proto=%{protocol->} sent=%{p0}"); + + var dup126 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); + + var dup127 = match("MESSAGE#333:537:09/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} %{p0}"); + + var dup128 = match("MESSAGE#333:537:09/5_1", "nwparser.p0", "%{sbytes->} %{p0}"); + + var dup129 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", " spkt=%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); + + var dup130 = match("MESSAGE#333:537:09/6_1", "nwparser.p0", "spkt=%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); + + var dup131 = match("MESSAGE#333:537:09/6_2", "nwparser.p0", "spkt=%{fld3->} cdur=%{fld7->} "); + + var dup132 = match("MESSAGE#333:537:09/6_3", "nwparser.p0", " spkt=%{fld3}"); + + var dup133 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup134 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); + + var dup135 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "%{fld2->} usr=\"%{username}\" %{p0}"); + + var dup136 = match("MESSAGE#338:537:10/1_1", "nwparser.p0", "%{fld2->} %{p0}"); + + var dup137 = match("MESSAGE#338:537:10/2", "nwparser.p0", "%{}src=%{p0}"); + + var dup138 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var dup139 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); + + var dup140 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info->} "); + + var dup141 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12->} "); + + var dup142 = setc("event_description","Connection Closed"); + + var dup143 = setc("eventcategory","1801020000"); + + var dup144 
= setc("ec_activity","Permit"); + + var dup145 = setc("action","allowed"); + + var dup146 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var dup147 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var dup148 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); + + var dup149 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); + + var dup150 = setc("eventcategory","1001030500"); + + var dup151 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); + + var dup152 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); + + var dup153 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var dup154 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var dup155 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); + + var dup156 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); + + var dup157 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); + + var dup158 = match("MESSAGE#366:712:02/5", "nwparser.p0", "%{fld51}"); + + var dup159 = setc("eventcategory","1801010000"); + + var dup160 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{p0}"); + + var dup161 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var dup162 = setc("eventcategory","1003010000"); + + var dup163 = setc("eventcategory","1609000000"); + + var dup164 = setc("eventcategory","1204000000"); + + var dup165 = 
setc("eventcategory","1602000000"); + + var dup166 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{} %{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); + + var dup167 = setc("eventcategory","1803000000"); + + var dup168 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var dup169 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=%{p0}"); + + var dup170 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{daddr}:%{dport->} note=%{p0}"); + + var dup171 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); + + var dup172 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); + + var dup173 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); + + var dup174 = linear_select([ + dup8, + dup9, + ]); + + var dup175 = linear_select([ + dup15, + dup16, + ]); + + var dup176 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, + ])); + + var dup177 = linear_select([ + dup25, + dup26, + ]); + + var dup178 = linear_select([ + dup27, + dup28, + ]); + + var dup179 = linear_select([ + dup34, + dup35, + ]); + + var dup180 = linear_select([ + dup25, + dup39, + ]); + + var dup181 = linear_select([ + dup41, + dup42, + ]); + + var dup182 = linear_select([ + dup46, + dup47, + ]); + + var dup183 = linear_select([ + dup49, + dup50, + ]); + + var dup184 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup62, + ])); + + var dup185 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup5, + ])); 
+ + var dup186 = linear_select([ + dup71, + dup75, + dup76, + ]); + + var dup187 = linear_select([ + dup8, + dup25, + ]); + + var dup188 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ + dup1, + ])); + + var dup189 = linear_select([ + dup88, + dup89, + ]); + + var dup190 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup5, + ])); + + var dup191 = linear_select([ + dup92, + dup93, + ]); + + var dup192 = linear_select([ + dup96, + dup97, + ]); + + var dup193 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup87, + ])); + + var dup194 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup87, + ])); + + var dup195 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup1, + ])); + + var dup196 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, + ])); + + var dup197 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, + ])); + + var dup198 = linear_select([ + dup66, + dup108, + ]); + + var dup199 = linear_select([ + dup110, + dup111, + ]); + + var dup200 = linear_select([ + dup115, + dup45, + ]); + + var dup201 = linear_select([ + dup8, + dup26, + ]); + + var dup202 = linear_select([ + dup8, + dup25, + dup39, + ]); + + var dup203 = linear_select([ + dup71, + dup15, + dup16, + ]); + + var dup204 = 
linear_select([ + dup121, + dup122, + ]); + + var dup205 = linear_select([ + dup68, + dup69, + dup74, + ]); + + var dup206 = linear_select([ + dup127, + dup128, + ]); + + var dup207 = linear_select([ + dup41, + dup42, + dup134, + ]); + + var dup208 = linear_select([ + dup135, + dup136, + ]); + + var dup209 = linear_select([ + dup138, + dup139, + ]); + + var dup210 = linear_select([ + dup140, + dup141, + ]); + + var dup211 = linear_select([ + dup49, + dup148, + ]); + + var dup212 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup150, + ])); + + var dup213 = linear_select([ + dup152, + dup40, + ]); + + var dup214 = linear_select([ + dup154, + dup155, + ]); + + var dup215 = linear_select([ + dup156, + dup157, + ]); + + var dup216 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup5, + ])); + + var dup217 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ + dup5, + ])); + + var dup218 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ + dup5, + dup23, + ])); + + var dup219 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, + ])); + + var dup220 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + dup23, + ])); + + var dup221 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup163, + dup37, + ])); + + var dup222 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} 
n=%{fld2}", processor_chain([ + dup1, + ])); + + var dup223 = linear_select([ + dup169, + dup170, + ]); + + var dup224 = linear_select([ + dup172, + dup173, + ]); + + var dup225 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup1, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var dup226 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var dup227 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup85, + ]), + }); + + var dup228 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup59, + ]), + }); + + var dup229 = all_match({ + processors: [ + dup95, + dup192, + ], + on_success: processor_chain([ + dup59, + ]), + }); + + var dup230 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup100, + ]), + }); + + var dup231 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup29, + ]), + }); + + var dup232 = all_match({ + processors: [ + dup102, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup103, + ]), + }); + + var dup233 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup106, + ]), + }); + + var dup234 = all_match({ + processors: [ + dup107, + dup198, + ], + on_success: processor_chain([ + dup87, + ]), + }); + + var dup235 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup109, + ]), + }); + + var dup236 = all_match({ + processors: [ + dup44, + dup179, + dup36, + dup178, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var dup237 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup175, + 
dup79, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var dup238 = all_match({ + processors: [ + dup151, + dup213, + dup153, + dup214, + dup215, + dup158, + ], + on_success: processor_chain([ + dup150, + dup51, + dup52, + dup53, + dup54, + dup37, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var dup239 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup191, + dup94, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var dup240 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var hdr1 = match("HEADER#0:0001", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0001"), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} %{messageid}= %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("= "), + field("payload"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0003"), + ])); + + var hdr4 = match("HEADER#3:0004", "message", "%{hfld20->} id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var part1 = match("MESSAGE#0:4", "nwparser.payload", "SonicWALL activated%{}", processor_chain([ + dup1, + ])); + + var msg1 = msg("4", part1); + + var part2 = 
match("MESSAGE#1:5", "nwparser.payload", "Log Cleared%{}", processor_chain([ + dup1, + ])); + + var msg2 = msg("5", part2); + + var part3 = match("MESSAGE#2:5:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg3 = msg("5:01", part3); + + var select2 = linear_select([ + msg2, + msg3, + ]); + + var part4 = match("MESSAGE#3:6", "nwparser.payload", "Log successfully sent via email%{}", processor_chain([ + dup1, + ])); + + var msg4 = msg("6", part4); + + var part5 = match("MESSAGE#4:6:01", "nwparser.payload", "msg=\"Log successfully sent via email\" n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg5 = msg("6:01", part5); + + var select3 = linear_select([ + msg4, + msg5, + ]); + + var part6 = match("MESSAGE#5:7", "nwparser.payload", "Log full; deactivating SonicWALL%{}", processor_chain([ + dup2, + ])); + + var msg6 = msg("7", part6); + + var part7 = match("MESSAGE#6:8", "nwparser.payload", "New Filter list loaded%{}", processor_chain([ + dup3, + ])); + + var msg7 = msg("8", part7); + + var part8 = match("MESSAGE#7:9", "nwparser.payload", "No new Filter list available%{}", processor_chain([ + dup4, + ])); + + var msg8 = msg("9", part8); + + var part9 = match("MESSAGE#8:10", "nwparser.payload", "Problem loading the Filter list; check Filter settings%{}", processor_chain([ + dup4, + ])); + + var msg9 = msg("10", part9); + + var part10 = match("MESSAGE#9:11", "nwparser.payload", "Problem loading the Filter list; check your DNS server%{}", processor_chain([ + dup4, + ])); + + var msg10 = msg("11", part10); + + var part11 = match("MESSAGE#10:12", "nwparser.payload", "Problem sending log email; check log settings%{}", processor_chain([ + dup5, + ])); + + var msg11 = msg("12", part11); + + var part12 = match("MESSAGE#11:12:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup5, + ])); + + var msg12 = msg("12:01", part12); + + var select4 = linear_select([ + msg11, + msg12, + ]); + + var part13 = 
match("MESSAGE#12:13", "nwparser.payload", "Restarting SonicWALL; dumping log to email%{}", processor_chain([ + dup1, + ])); + + var msg13 = msg("13", part13); + + var part14 = match("MESSAGE#13:14/0", "nwparser.payload", "%{} %{p0}"); + + var part15 = match("MESSAGE#13:14/1_0", "nwparser.p0", "msg=\"Web site access denied\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstname=%{dhost->} arg=%{fld2->} code=%{icmpcode->} "); + + var part16 = match("MESSAGE#13:14/1_1", "nwparser.p0", "Web site blocked %{}"); + + var select5 = linear_select([ + part15, + part16, + ]); + + var all1 = all_match({ + processors: [ + part14, + select5, + ], + on_success: processor_chain([ + dup6, + setc("action","Web site access denied"), + ]), + }); + + var msg14 = msg("14", all1); + + var part17 = match("MESSAGE#14:14:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} code= %{p0}"); + + var part18 = match("MESSAGE#14:14:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} code= %{p0}"); + + var select6 = linear_select([ + part17, + part18, + ]); + + var part19 = match("MESSAGE#14:14:01/4", "nwparser.p0", "%{} %{fld3->} Category=%{fld4->} npcs=%{info}"); + + var all2 = all_match({ + processors: [ + dup7, + dup174, + dup10, + select6, + part19, + ], + on_success: processor_chain([ + dup6, + ]), + }); + + var msg15 = msg("14:01", all2); + + var part20 = match("MESSAGE#15:14:02", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg16 = msg("14:02", part20); + + var part21 = match("MESSAGE#16:14:03", "nwparser.payload", "msg=\"%{msg}\" 
app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg17 = msg("14:03", part21); + + var part22 = match("MESSAGE#17:14:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg18 = msg("14:04", part22); + + var part23 = match("MESSAGE#18:14:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr}dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg19 = msg("14:05", part23); + + var select7 = linear_select([ + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + ]); + + var part24 = match("MESSAGE#19:15", "nwparser.payload", "Newsgroup blocked%{}", processor_chain([ + dup12, + ])); + + var msg20 = msg("15", part24); + + var part25 = match("MESSAGE#20:16", "nwparser.payload", "Web site accessed%{}", processor_chain([ + dup13, + ])); + + var msg21 = msg("16", part25); + + var part26 = match("MESSAGE#21:17", "nwparser.payload", "Newsgroup accessed%{}", processor_chain([ + dup13, + ])); + + var msg22 = msg("17", part26); + + var part27 = match("MESSAGE#22:18", "nwparser.payload", "ActiveX blocked%{}", 
processor_chain([ + dup12, + ])); + + var msg23 = msg("18", part27); + + var part28 = match("MESSAGE#23:19", "nwparser.payload", "Java blocked%{}", processor_chain([ + dup12, + ])); + + var msg24 = msg("19", part28); + + var part29 = match("MESSAGE#24:20", "nwparser.payload", "ActiveX or Java archive blocked%{}", processor_chain([ + dup12, + ])); + + var msg25 = msg("20", part29); + + var part30 = match("MESSAGE#25:21", "nwparser.payload", "Cookie removed%{}", processor_chain([ + dup1, + ])); + + var msg26 = msg("21", part30); + + var part31 = match("MESSAGE#26:22", "nwparser.payload", "Ping of death blocked%{}", processor_chain([ + dup14, + ])); + + var msg27 = msg("22", part31); + + var part32 = match("MESSAGE#27:23", "nwparser.payload", "IP spoof detected%{}", processor_chain([ + dup14, + ])); + + var msg28 = msg("23", part32); + + var part33 = match("MESSAGE#28:23:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part34 = match("MESSAGE#28:23:01/3_0", "nwparser.p0", "- MAC address: %{p0}"); + + var part35 = match("MESSAGE#28:23:01/3_1", "nwparser.p0", "mac= %{p0}"); + + var select8 = linear_select([ + part34, + part35, + ]); + + var part36 = match("MESSAGE#28:23:01/4", "nwparser.p0", "%{} %{smacaddr}"); + + var all3 = all_match({ + processors: [ + part33, + dup175, + dup10, + select8, + part36, + ], + on_success: processor_chain([ + dup14, + ]), + }); + + var msg29 = msg("23:01", all3); + + var part37 = match("MESSAGE#29:23:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} - MAC address: %{smacaddr}", processor_chain([ + dup14, + ])); + + var msg30 = msg("23:02", part37); + + var part38 = match("MESSAGE#30:23:03/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part39 = match("MESSAGE#30:23:03/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac= %{p0}"); + + var part40 = 
match("MESSAGE#30:23:03/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac= %{p0}"); + + var select9 = linear_select([ + part39, + part40, + ]); + + var part41 = match("MESSAGE#30:23:03/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}"); + + var all4 = all_match({ + processors: [ + part38, + select9, + part41, + ], + on_success: processor_chain([ + dup14, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg31 = msg("23:03", all4); + + var select10 = linear_select([ + msg28, + msg29, + msg30, + msg31, + ]); + + var part42 = match("MESSAGE#31:24", "nwparser.payload", "Illegal LAN address in use%{}", processor_chain([ + dup22, + ])); + + var msg32 = msg("24", part42); + + var msg33 = msg("24:01", dup176); + + var select11 = linear_select([ + msg32, + msg33, + ]); + + var part43 = match("MESSAGE#32:25", "nwparser.payload", "Possible SYN flood attack%{}", processor_chain([ + dup14, + ])); + + var msg34 = msg("25", part43); + + var part44 = match("MESSAGE#33:26", "nwparser.payload", "Probable SYN flood attack%{}", processor_chain([ + dup14, + ])); + + var msg35 = msg("26", part44); + + var part45 = match("MESSAGE#34:27", "nwparser.payload", "Land Attack Dropped%{}", processor_chain([ + dup14, + ])); + + var msg36 = msg("27", part45); + + var part46 = match("MESSAGE#35:28", "nwparser.payload", "Fragmented Packet Dropped%{}", processor_chain([ + dup14, + ])); + + var msg37 = msg("28", part46); + + var part47 = match("MESSAGE#36:28:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup14, + ])); + + var msg38 = msg("28:01", part47); + + var select12 = linear_select([ + msg37, + msg38, + ]); + + var part48 = match("MESSAGE#37:29", "nwparser.payload", "Successful administrator login%{}", processor_chain([ + dup24, + ])); + + var msg39 = msg("29", part48); + + var part49 = 
match("MESSAGE#38:29:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} usr=%{username->} src=%{p0}"); + + var all5 = all_match({ + processors: [ + part49, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup29, + ]), + }); + + var msg40 = msg("29:01", all5); + + var select13 = linear_select([ + msg39, + msg40, + ]); + + var part50 = match("MESSAGE#39:30", "nwparser.payload", "Administrator login failed - incorrect password%{}", processor_chain([ + dup30, + ])); + + var msg41 = msg("30", part50); + + var msg42 = msg("30:01", dup226); + + var select14 = linear_select([ + msg41, + msg42, + ]); + + var part51 = match("MESSAGE#41:31", "nwparser.payload", "Successful user login%{}", processor_chain([ + dup24, + ])); + + var msg43 = msg("31", part51); + + var all6 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup24, + ]), + }); + + var msg44 = msg("31:01", all6); + + var part52 = match("MESSAGE#43:31:02", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup24, + dup11, + ])); + + var msg45 = msg("31:02", part52); + + var part53 = match("MESSAGE#44:31:03", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration}n=%{fld1}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup24, + dup11, + ])); + + var msg46 = msg("31:03", part53); + + var part54 = match("MESSAGE#45:31:04", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup24, + dup11, + ])); + + var 
msg47 = msg("31:04", part54); + + var select15 = linear_select([ + msg43, + msg44, + msg45, + msg46, + msg47, + ]); + + var part55 = match("MESSAGE#46:32", "nwparser.payload", "User login failed - incorrect password%{}", processor_chain([ + dup30, + ])); + + var msg48 = msg("32", part55); + + var msg49 = msg("32:01", dup226); + + var select16 = linear_select([ + msg48, + msg49, + ]); + + var part56 = match("MESSAGE#48:33", "nwparser.payload", "Unknown user attempted to log in%{}", processor_chain([ + dup32, + ])); + + var msg50 = msg("33", part56); + + var all7 = all_match({ + processors: [ + dup33, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var msg51 = msg("33:01", all7); + + var select17 = linear_select([ + msg50, + msg51, + ]); + + var part57 = match("MESSAGE#50:34", "nwparser.payload", "Login screen timed out%{}", processor_chain([ + dup5, + ])); + + var msg52 = msg("34", part57); + + var part58 = match("MESSAGE#51:35", "nwparser.payload", "Attempted administrator login from WAN%{}", processor_chain([ + setc("eventcategory","1401040000"), + ])); + + var msg53 = msg("35", part58); + + var part59 = match("MESSAGE#52:35:01/3_1", "nwparser.p0", "%{daddr}"); + + var select18 = linear_select([ + dup27, + part59, + ]); + + var all8 = all_match({ + processors: [ + dup31, + dup177, + dup10, + select18, + ], + on_success: processor_chain([ + setc("eventcategory","1401050200"), + ]), + }); + + var msg54 = msg("35:01", all8); + + var select19 = linear_select([ + msg53, + msg54, + ]); + + var part60 = match("MESSAGE#53:36", "nwparser.payload", "TCP connection dropped%{}", processor_chain([ + dup5, + ])); + + var msg55 = msg("36", part60); + + var part61 = match("MESSAGE#54:36:01/0", "nwparser.payload", "msg=\"%{msg}\" %{p0}"); + + var part62 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{fld1->} src= %{p0}"); + + var part63 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", 
"n=%{fld1->} src= %{p0}"); + + var select20 = linear_select([ + part62, + part63, + ]); + + var part64 = match("MESSAGE#54:36:01/6_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\" "); + + var part65 = match("MESSAGE#54:36:01/6_1", "nwparser.p0", " rule=%{rule->} "); + + var part66 = match("MESSAGE#54:36:01/6_2", "nwparser.p0", " proto=%{protocol->} "); + + var select21 = linear_select([ + part64, + part65, + part66, + ]); + + var all9 = all_match({ + processors: [ + part61, + select20, + dup179, + dup36, + dup175, + dup10, + select21, + ], + on_success: processor_chain([ + dup5, + dup37, + ]), + }); + + var msg56 = msg("36:01", all9); + + var part67 = match("MESSAGE#55:36:02/5_0", "nwparser.p0", "rule=%{rule->} %{p0}"); + + var part68 = match("MESSAGE#55:36:02/5_1", "nwparser.p0", "proto=%{protocol->} %{p0}"); + + var select22 = linear_select([ + part67, + part68, + ]); + + var part69 = match("MESSAGE#55:36:02/6", "nwparser.p0", "%{}npcs=%{info}"); + + var all10 = all_match({ + processors: [ + dup38, + dup180, + dup10, + dup175, + dup10, + select22, + part69, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg57 = msg("36:02", all10); + + var select23 = linear_select([ + msg55, + msg56, + msg57, + ]); + + var part70 = match("MESSAGE#56:37", "nwparser.payload", "UDP packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg58 = msg("37", part70); + + var part71 = match("MESSAGE#57:37:01/0", "nwparser.payload", "msg=\"UDP packet dropped\" %{p0}"); + + var part72 = match("MESSAGE#57:37:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); + + var select24 = linear_select([ + part72, + dup40, + ]); + + var part73 = match("MESSAGE#57:37:01/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); + + var part74 = match("MESSAGE#57:37:01/3_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} %{p0}"); + + 
var part75 = match("MESSAGE#57:37:01/3_1", "nwparser.p0", "%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} %{p0}"); + + var part76 = match("MESSAGE#57:37:01/3_2", "nwparser.p0", "%{dport}:%{dinterface->} %{p0}"); + + var select25 = linear_select([ + part74, + part75, + part76, + ]); + + var part77 = match("MESSAGE#57:37:01/4_0", "nwparser.p0", "proto=%{protocol->} fw_action=\"%{fld3}\" "); + + var part78 = match("MESSAGE#57:37:01/4_1", "nwparser.p0", " rule=%{rule}"); + + var select26 = linear_select([ + part77, + part78, + ]); + + var all11 = all_match({ + processors: [ + part71, + select24, + part73, + select25, + select26, + ], + on_success: processor_chain([ + dup5, + dup37, + ]), + }); + + var msg59 = msg("37:01", all11); + + var part79 = match("MESSAGE#58:37:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} rule=%{rule}", processor_chain([ + dup5, + ])); + + var msg60 = msg("37:02", part79); + + var all12 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup181, + dup43, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg61 = msg("37:03", all12); + + var part80 = match("MESSAGE#60:37:04", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup5, + dup11, + ])); + + var msg62 = msg("37:04", part80); + + var select27 = linear_select([ + msg58, + msg59, + msg60, + msg61, + msg62, + ]); + + var part81 = match("MESSAGE#61:38", "nwparser.payload", "ICMP packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg63 = msg("38", part81); + + var part82 = match("MESSAGE#62:38:01/5_0", "nwparser.p0", "type=%{type->} code=%{code->} "); + + var select28 = linear_select([ + part82, + dup45, + ]); + + var all13 = all_match({ + processors: [ + dup44, + dup179, + dup36, + dup175, + dup10, + select28, 
+ ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg64 = msg("38:01", all13); + + var part83 = match("MESSAGE#63:38:02/4", "nwparser.p0", "%{} %{fld3->} icmpCode=%{fld4->} npcs=%{info}"); + + var all14 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup182, + part83, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg65 = msg("38:02", all14); + + var part84 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", "%{event_description}\" app=%{fld2->} appName=\"%{application}\"%{p0}"); + + var part85 = match("MESSAGE#64:38:03/1_1", "nwparser.p0", "%{event_description}\"%{p0}"); + + var select29 = linear_select([ + part84, + part85, + ]); + + var part86 = match("MESSAGE#64:38:03/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part87 = match("MESSAGE#64:38:03/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\""); + + var all15 = all_match({ + processors: [ + dup48, + select29, + part86, + dup183, + part87, + ], + on_success: processor_chain([ + dup5, + dup11, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg66 = msg("38:03", all15); + + var select30 = linear_select([ + msg63, + msg64, + msg65, + msg66, + ]); + + var part88 = match("MESSAGE#65:39", "nwparser.payload", "PPTP packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg67 = msg("39", part88); + + var part89 = match("MESSAGE#66:40", "nwparser.payload", "IPSec packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg68 = msg("40", part89); + + var part90 = match("MESSAGE#67:41:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=\"IP Protocol: %{dclass_counter1}\"", processor_chain([ + dup5, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + 
var msg69 = msg("41:01", part90); + + var part91 = match("MESSAGE#68:41:02", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport}:%{sinterface->} dst=%{dtransaddr}:%{dtransport}::%{dinterface}", processor_chain([ + dup5, + ])); + + var msg70 = msg("41:02", part91); + + var part92 = match("MESSAGE#69:41:03", "nwparser.payload", "Unknown protocol dropped%{}", processor_chain([ + dup5, + ])); + + var msg71 = msg("41:03", part92); + + var select31 = linear_select([ + msg69, + msg70, + msg71, + ]); + + var part93 = match("MESSAGE#70:42", "nwparser.payload", "IPSec packet dropped; waiting for pending IPSec connection%{}", processor_chain([ + dup5, + ])); + + var msg72 = msg("42", part93); + + var part94 = match("MESSAGE#71:43", "nwparser.payload", "IPSec connection interrupt%{}", processor_chain([ + dup5, + ])); + + var msg73 = msg("43", part94); + + var part95 = match("MESSAGE#72:44", "nwparser.payload", "NAT could not remap incoming packet%{}", processor_chain([ + dup5, + ])); + + var msg74 = msg("44", part95); + + var part96 = match("MESSAGE#73:45", "nwparser.payload", "ARP timeout%{}", processor_chain([ + dup5, + ])); + + var msg75 = msg("45", part96); + + var part97 = match("MESSAGE#74:45:01", "nwparser.payload", "msg=\"ARP timeout\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup5, + ])); + + var msg76 = msg("45:01", part97); + + var part98 = match("MESSAGE#75:45:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} npcs=%{info}", processor_chain([ + dup5, + ])); + + var msg77 = msg("45:02", part98); + + var select32 = linear_select([ + msg75, + msg76, + msg77, + ]); + + var part99 = match("MESSAGE#76:46:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ + dup5, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + 
dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg78 = msg("46:01", part99); + + var part100 = match("MESSAGE#77:46:02", "nwparser.payload", "msg=\"Broadcast packet dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup5, + ])); + + var msg79 = msg("46:02", part100); + + var part101 = match("MESSAGE#78:46", "nwparser.payload", "Broadcast packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg80 = msg("46", part101); + + var part102 = match("MESSAGE#79:46:03/0", "nwparser.payload", "msg=\"Broadcast packet dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var all16 = all_match({ + processors: [ + part102, + dup174, + dup10, + dup181, + dup43, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg81 = msg("46:03", all16); + + var select33 = linear_select([ + msg78, + msg79, + msg80, + msg81, + ]); + + var part103 = match("MESSAGE#80:47", "nwparser.payload", "No ICMP redirect sent%{}", processor_chain([ + dup5, + ])); + + var msg82 = msg("47", part103); + + var part104 = match("MESSAGE#81:48", "nwparser.payload", "Out-of-order command packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg83 = msg("48", part104); + + var part105 = match("MESSAGE#82:49", "nwparser.payload", "Failure to add data channel%{}", processor_chain([ + dup5, + ])); + + var msg84 = msg("49", part105); + + var part106 = match("MESSAGE#83:50", "nwparser.payload", "RealAudio decode failure%{}", processor_chain([ + dup5, + ])); + + var msg85 = msg("50", part106); + + var part107 = match("MESSAGE#84:51", "nwparser.payload", "Duplicate packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg86 = msg("51", part107); + + var part108 = match("MESSAGE#85:52", "nwparser.payload", "No HOST tag found in HTTP request%{}", processor_chain([ + dup5, + ])); + + var msg87 = msg("52", part108); + + var part109 = match("MESSAGE#86:53", "nwparser.payload", "The cache is full; 
too many open connections; some will be dropped%{}", processor_chain([ + dup2, + ])); + + var msg88 = msg("53", part109); + + var part110 = match("MESSAGE#87:58", "nwparser.payload", "License exceeded: Connection dropped because too many IP addresses are in use on your LAN%{}", processor_chain([ + dup56, + ])); + + var msg89 = msg("58", part110); + + var part111 = match("MESSAGE#88:60", "nwparser.payload", "Access to Proxy Server Blocked%{}", processor_chain([ + dup12, + ])); + + var msg90 = msg("60", part111); + + var part112 = match("MESSAGE#89:61", "nwparser.payload", "Diagnostic Code E%{}", processor_chain([ + dup1, + ])); + + var msg91 = msg("61", part112); + + var part113 = match("MESSAGE#90:62", "nwparser.payload", "Dynamic IPSec client connected%{}", processor_chain([ + dup57, + ])); + + var msg92 = msg("62", part113); + + var part114 = match("MESSAGE#91:63", "nwparser.payload", "IPSec packet too big%{}", processor_chain([ + dup58, + ])); + + var msg93 = msg("63", part114); + + var part115 = match("MESSAGE#92:63:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup58, + ])); + + var msg94 = msg("63:01", part115); + + var select34 = linear_select([ + msg93, + msg94, + ]); + + var part116 = match("MESSAGE#93:64", "nwparser.payload", "Diagnostic Code D%{}", processor_chain([ + dup1, + ])); + + var msg95 = msg("64", part116); + + var part117 = match("MESSAGE#94:65", "nwparser.payload", "Illegal IPSec SPI%{}", processor_chain([ + dup58, + ])); + + var msg96 = msg("65", part117); + + var part118 = match("MESSAGE#95:66", "nwparser.payload", "Unknown IPSec SPI%{}", processor_chain([ + dup58, + ])); + + var msg97 = msg("66", part118); + + var part119 = match("MESSAGE#96:67", "nwparser.payload", "IPSec Authentication Failed%{}", processor_chain([ + dup58, + ])); + + var msg98 = msg("67", part119); + + var all17 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ 
+ dup58, + ]), + }); + + var msg99 = msg("67:01", all17); + + var select35 = linear_select([ + msg98, + msg99, + ]); + + var part120 = match("MESSAGE#98:68", "nwparser.payload", "IPSec Decryption Failed%{}", processor_chain([ + dup58, + ])); + + var msg100 = msg("68", part120); + + var part121 = match("MESSAGE#99:69", "nwparser.payload", "Incompatible IPSec Security Association%{}", processor_chain([ + dup58, + ])); + + var msg101 = msg("69", part121); + + var part122 = match("MESSAGE#100:70", "nwparser.payload", "IPSec packet from illegal host%{}", processor_chain([ + dup58, + ])); + + var msg102 = msg("70", part122); + + var part123 = match("MESSAGE#101:70:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} %{p0}"); + + var part124 = match("MESSAGE#101:70:01/1_0", "nwparser.p0", "dst=%{daddr->} "); + + var part125 = match("MESSAGE#101:70:01/1_1", "nwparser.p0", " dstname=%{name}"); + + var select36 = linear_select([ + part124, + part125, + ]); + + var all18 = all_match({ + processors: [ + part123, + select36, + ], + on_success: processor_chain([ + dup58, + ]), + }); + + var msg103 = msg("70:01", all18); + + var select37 = linear_select([ + msg102, + msg103, + ]); + + var part126 = match("MESSAGE#102:72", "nwparser.payload", "NetBus Attack Dropped%{}", processor_chain([ + dup59, + ])); + + var msg104 = msg("72", part126); + + var part127 = match("MESSAGE#103:72:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup59, + ])); + + var msg105 = msg("72:01", part127); + + var select38 = linear_select([ + msg104, + msg105, + ]); + + var part128 = match("MESSAGE#104:73", "nwparser.payload", "Back Orifice Attack Dropped%{}", processor_chain([ + dup60, + ])); + + var msg106 = msg("73", part128); + + var part129 = match("MESSAGE#105:74", "nwparser.payload", "Net Spy Attack Dropped%{}", processor_chain([ + dup61, + ])); + + var msg107 = msg("74", part129); + + 
var part130 = match("MESSAGE#106:75", "nwparser.payload", "Sub Seven Attack Dropped%{}", processor_chain([ + dup60, + ])); + + var msg108 = msg("75", part130); + + var part131 = match("MESSAGE#107:76", "nwparser.payload", "Ripper Attack Dropped%{}", processor_chain([ + dup59, + ])); + + var msg109 = msg("76", part131); + + var part132 = match("MESSAGE#108:77", "nwparser.payload", "Striker Attack Dropped%{}", processor_chain([ + dup59, + ])); + + var msg110 = msg("77", part132); + + var part133 = match("MESSAGE#109:78", "nwparser.payload", "Senna Spy Attack Dropped%{}", processor_chain([ + dup61, + ])); + + var msg111 = msg("78", part133); + + var part134 = match("MESSAGE#110:79", "nwparser.payload", "Priority Attack Dropped%{}", processor_chain([ + dup59, + ])); + + var msg112 = msg("79", part134); + + var part135 = match("MESSAGE#111:80", "nwparser.payload", "Ini Killer Attack Dropped%{}", processor_chain([ + dup59, + ])); + + var msg113 = msg("80", part135); + + var part136 = match("MESSAGE#112:81", "nwparser.payload", "Smurf Amplification Attack Dropped%{}", processor_chain([ + dup14, + ])); + + var msg114 = msg("81", part136); + + var part137 = match("MESSAGE#113:82", "nwparser.payload", "Possible Port Scan%{}", processor_chain([ + dup62, + ])); + + var msg115 = msg("82", part137); + + var part138 = match("MESSAGE#114:82:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{info}\"", processor_chain([ + dup62, + ])); + + var msg116 = msg("82:02", part138); + + var part139 = match("MESSAGE#115:82:03", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ + dup62, + ])); + + var msg117 = msg("82:03", part139); + + var msg118 = msg("82:01", dup184); + + var select39 = linear_select([ + msg115, + msg116, + msg117, + msg118, + ]); + + var part140 = 
match("MESSAGE#117:83", "nwparser.payload", "Probable Port Scan%{}", processor_chain([ + dup62, + ])); + + var msg119 = msg("83", part140); + + var msg120 = msg("83:01", dup185); + + var part141 = match("MESSAGE#119:83:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ + dup5, + ])); + + var msg121 = msg("83:02", part141); + + var select40 = linear_select([ + msg119, + msg120, + msg121, + ]); + + var part142 = match("MESSAGE#120:84/0_0", "nwparser.payload", "msg=\"Failed to resolve name\" n=%{fld1->} dstname=%{dhost}"); + + var part143 = match("MESSAGE#120:84/0_1", "nwparser.payload", "Failed to resolve name%{}"); + + var select41 = linear_select([ + part142, + part143, + ]); + + var all19 = all_match({ + processors: [ + select41, + ], + on_success: processor_chain([ + dup63, + setc("action","Failed to resolve name"), + ]), + }); + + var msg122 = msg("84", all19); + + var part144 = match("MESSAGE#121:87", "nwparser.payload", "IKE Responder: Accepting IPSec proposal%{}", processor_chain([ + dup64, + ])); + + var msg123 = msg("87", part144); + + var part145 = match("MESSAGE#122:87:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup64, + ])); + + var msg124 = msg("87:01", part145); + + var select42 = linear_select([ + msg123, + msg124, + ]); + + var part146 = match("MESSAGE#123:88", "nwparser.payload", "IKE Responder: IPSec proposal not acceptable%{}", processor_chain([ + dup58, + ])); + + var msg125 = msg("88", part146); + + var part147 = match("MESSAGE#124:88:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup58, + ])); + + var msg126 = msg("88:01", part147); + + var select43 = linear_select([ + msg125, + msg126, + ]); + + var part148 = match("MESSAGE#125:89", "nwparser.payload", "IKE negotiation complete. 
Adding IPSec SA%{}", processor_chain([ + dup64, + ])); + + var msg127 = msg("89", part148); + + var part149 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} %{p0}"); + + var part150 = match("MESSAGE#126:89:01/1_0", "nwparser.p0", "src=%{saddr}:::%{sinterface->} dst=%{daddr}:::%{dinterface->} "); + + var part151 = match("MESSAGE#126:89:01/1_1", "nwparser.p0", " src=%{saddr->} dst=%{daddr->} dstname=%{name}"); + + var select44 = linear_select([ + part150, + part151, + ]); + + var all20 = all_match({ + processors: [ + part149, + select44, + ], + on_success: processor_chain([ + dup64, + ]), + }); + + var msg128 = msg("89:01", all20); + + var select45 = linear_select([ + msg127, + msg128, + ]); + + var part152 = match("MESSAGE#127:90", "nwparser.payload", "Starting IKE negotiation%{}", processor_chain([ + dup64, + ])); + + var msg129 = msg("90", part152); + + var part153 = match("MESSAGE#128:91", "nwparser.payload", "Deleting IPSec SA for destination%{}", processor_chain([ + dup64, + ])); + + var msg130 = msg("91", part153); + + var part154 = match("MESSAGE#129:92", "nwparser.payload", "Deleting IPSec SA%{}", processor_chain([ + dup64, + ])); + + var msg131 = msg("92", part154); + + var part155 = match("MESSAGE#130:93", "nwparser.payload", "Diagnostic Code A%{}", processor_chain([ + dup1, + ])); + + var msg132 = msg("93", part155); + + var part156 = match("MESSAGE#131:94", "nwparser.payload", "Diagnostic Code B%{}", processor_chain([ + dup1, + ])); + + var msg133 = msg("94", part156); + + var part157 = match("MESSAGE#132:95", "nwparser.payload", "Diagnostic Code C%{}", processor_chain([ + dup1, + ])); + + var msg134 = msg("95", part157); + + var part158 = match("MESSAGE#133:96", "nwparser.payload", "Status%{}", processor_chain([ + dup1, + ])); + + var msg135 = msg("96", part158); + + var part159 = match("MESSAGE#134:97", "nwparser.payload", "Web site hit%{}", processor_chain([ + dup1, + ])); + + var msg136 = msg("97", part159); + + var 
part160 = match("MESSAGE#135:97:01/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld->} %{p0}"); + + var part161 = match("MESSAGE#135:97:01/5_0", "nwparser.p0", "rcvd=%{rbytes->} %{p0}"); + + var part162 = match("MESSAGE#135:97:01/5_1", "nwparser.p0", "sent=%{sbytes->} %{p0}"); + + var select46 = linear_select([ + part161, + part162, + ]); + + var part163 = match("MESSAGE#135:97:01/7_0", "nwparser.p0", "result=%{result->} dstname=%{name->} "); + + var select47 = linear_select([ + part163, + dup66, + ]); + + var all21 = all_match({ + processors: [ + dup65, + dup179, + dup36, + dup175, + part160, + select46, + dup10, + select47, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg137 = msg("97:01", all21); + + var part164 = match("MESSAGE#136:97:02/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld->} result=%{result}"); + + var all22 = all_match({ + processors: [ + dup65, + dup179, + dup36, + dup175, + part164, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg138 = msg("97:02", all22); + + var part165 = match("MESSAGE#137:97:03/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld3->} sent=%{sbytes->} rcvd=%{rbytes->} %{p0}"); + + var part166 = match("MESSAGE#137:97:03/5_0", "nwparser.p0", "result=%{result->} dstname=%{name->} %{p0}"); + + var part167 = match("MESSAGE#137:97:03/5_1", "nwparser.p0", "dstname=%{name->} %{p0}"); + + var select48 = linear_select([ + part166, + part167, + ]); + + var part168 = match("MESSAGE#137:97:03/6", "nwparser.p0", "%{}arg=%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); + + var all23 = all_match({ + processors: [ + dup67, + dup179, + dup36, + dup175, + part165, + select48, + part168, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg139 = msg("97:03", all23); + + var part169 = match("MESSAGE#138:97:04/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld3->} %{p0}"); + + var part170 = match("MESSAGE#138:97:04/5_0", "nwparser.p0", "result=%{result->} 
dstname=%{name->} arg= %{p0}"); + + var part171 = match("MESSAGE#138:97:04/5_1", "nwparser.p0", "dstname=%{name->} arg= %{p0}"); + + var select49 = linear_select([ + part170, + part171, + ]); + + var part172 = match("MESSAGE#138:97:04/6", "nwparser.p0", "%{} %{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); + + var all24 = all_match({ + processors: [ + dup67, + dup179, + dup36, + dup175, + part169, + select49, + part172, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg140 = msg("97:04", all24); + + var part173 = match("MESSAGE#139:97:05/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld2->} dstname=%{name->} arg=%{fld3->} code=%{fld4->} Category=%{category}"); + + var all25 = all_match({ + processors: [ + dup65, + dup179, + dup36, + dup175, + part173, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg141 = msg("97:05", all25); + + var part174 = match("MESSAGE#140:97:06/0", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{p0}"); + + var select50 = linear_select([ + dup68, + dup69, + ]); + + var part175 = match("MESSAGE#140:97:06/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); + + var all26 = all_match({ + processors: [ + part174, + select50, + part175, + ], + on_success: processor_chain([ + dup70, + dup11, + ]), + }); + + var msg142 = msg("97:06", all26); + + var part176 = match("MESSAGE#141:97:07/0", "nwparser.payload", "app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); + + var part177 = match("MESSAGE#141:97:07/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{fld3->} srcMac=%{p0}"); + + var select51 = linear_select([ + part177, + dup49, + ]); + + var part178 = match("MESSAGE#141:97:07/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} 
proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); + + var all27 = all_match({ + processors: [ + part176, + select51, + part178, + ], + on_success: processor_chain([ + dup70, + dup11, + ]), + }); + + var msg143 = msg("97:07", all27); + + var part179 = match("MESSAGE#142:97:08", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup70, + dup11, + ])); + + var msg144 = msg("97:08", part179); + + var part180 = match("MESSAGE#143:97:09", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup70, + dup11, + ])); + + var msg145 = msg("97:09", part180); + + var part181 = match("MESSAGE#144:97:10", "nwparser.payload", "app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup70, + dup11, + ])); + + var msg146 = msg("97:10", part181); + + var select52 = linear_select([ + msg136, + msg137, + msg138, + msg139, + msg140, + msg141, + msg142, + msg143, + msg144, + msg145, + msg146, + ]); + + var part182 = match("MESSAGE#145:98/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2->} 
appName=\"%{application}\"%{p0}"); + + var part183 = match("MESSAGE#145:98/0_1", "nwparser.payload", " msg=\"%{event_description}\"%{p0}"); + + var select53 = linear_select([ + part182, + part183, + ]); + + var part184 = match("MESSAGE#145:98/1", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); + + var part185 = match("MESSAGE#145:98/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} %{p0}"); + + var select54 = linear_select([ + part185, + dup71, + ]); + + var part186 = match("MESSAGE#145:98/3_1", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} "); + + var part187 = match("MESSAGE#145:98/3_2", "nwparser.p0", " proto=%{protocol}"); + + var select55 = linear_select([ + dup72, + part186, + part187, + ]); + + var all28 = all_match({ + processors: [ + select53, + part184, + select54, + select55, + ], + on_success: processor_chain([ + dup70, + dup51, + setc("ec_activity","Stop"), + dup53, + dup54, + dup11, + setc("action","Opened"), + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg147 = msg("98", all28); + + var part188 = match("MESSAGE#146:98:07", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{protocol}/%{fld4->} sent=%{sbytes->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg148 = msg("98:07", part188); + + var part189 = match("MESSAGE#147:98:01/1_0", "nwparser.p0", "%{msg}\" app=%{fld2->} sess=\"%{fld3}\"%{p0}"); + + var part190 = match("MESSAGE#147:98:01/1_1", "nwparser.p0", "%{msg}\"%{p0}"); + + var select56 = linear_select([ + part189, + part190, + ]); + + var part191 = match("MESSAGE#147:98:01/2", "nwparser.p0", "%{}n=%{p0}"); + + var part192 = match("MESSAGE#147:98:01/3_0", "nwparser.p0", "%{fld1->} usr=%{username->} src=%{p0}"); + + var part193 = 
match("MESSAGE#147:98:01/3_1", "nwparser.p0", "%{fld1->} src=%{p0}"); + + var select57 = linear_select([ + part192, + part193, + ]); + + var select58 = linear_select([ + dup73, + dup69, + dup74, + ]); + + var part194 = match("MESSAGE#147:98:01/7_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + + var part195 = match("MESSAGE#147:98:01/7_1", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} "); + + var part196 = match("MESSAGE#147:98:01/7_2", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); + + var part197 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", " proto=%{protocol->} sent=%{sbytes}"); + + var part198 = match("MESSAGE#147:98:01/7_5", "nwparser.p0", "proto=%{protocol}"); + + var select59 = linear_select([ + part194, + part195, + part196, + dup72, + part197, + part198, + ]); + + var all29 = all_match({ + processors: [ + dup48, + select56, + part191, + select57, + select58, + dup10, + dup186, + select59, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg149 = msg("98:01", all29); + + var part199 = match("MESSAGE#148:98:06/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2->} appName=\"%{application}\" %{p0}"); + + var part200 = match("MESSAGE#148:98:06/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2->} %{p0}"); + + var part201 = match("MESSAGE#148:98:06/0_2", "nwparser.payload", " msg=\"%{event_description}\" sess=%{fld2->} %{p0}"); + + var select60 = linear_select([ + part199, + part200, + part201, + ]); + + var part202 = match("MESSAGE#148:98:06/1_0", "nwparser.p0", "n=%{fld1->} usr=%{username->} %{p0}"); + + var part203 = match("MESSAGE#148:98:06/1_1", "nwparser.p0", " n=%{fld1->} %{p0}"); + + var select61 = linear_select([ + part202, + part203, + ]); + + var part204 = match("MESSAGE#148:98:06/2", "nwparser.p0", "%{}src= %{p0}"); + + var part205 = 
match("MESSAGE#148:98:06/5_0", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part206 = match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var select62 = linear_select([ + part205, + part206, + dup77, + dup78, + ]); + + var part207 = match("MESSAGE#148:98:06/6", "nwparser.p0", "%{protocol->} %{p0}"); + + var part208 = match("MESSAGE#148:98:06/7_0", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); + + var part209 = match("MESSAGE#148:98:06/7_1", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=%{action}"); + + var part210 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "sent=%{sbytes->} fw_action=\"%{action}\""); + + var part211 = match("MESSAGE#148:98:06/7_3", "nwparser.p0", "sent=%{sbytes}"); + + var part212 = match("MESSAGE#148:98:06/7_4", "nwparser.p0", "fw_action=\"%{action}\""); + + var select63 = linear_select([ + part208, + part209, + part210, + part211, + part212, + ]); + + var all30 = all_match({ + processors: [ + select60, + select61, + part204, + dup187, + dup10, + select62, + part207, + select63, + ], + on_success: processor_chain([ + dup70, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg150 = msg("98:06", all30); + + var part213 = match("MESSAGE#149:98:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=%{username->} src=%{p0}"); + + var all31 = all_match({ + processors: [ + part213, + dup177, + dup10, + dup175, + dup79, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg151 = msg("98:02", all31); + + var part214 = match("MESSAGE#150:98:03/0_0", "nwparser.payload", "Connection %{}"); + + var part215 = match("MESSAGE#150:98:03/0_1", "nwparser.payload", " msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} "); + + var select64 = linear_select([ + part214, + part215, + ]); + + var all32 = 
all_match({ + processors: [ + select64, + ], + on_success: processor_chain([ + dup1, + dup37, + ]), + }); + + var msg152 = msg("98:03", all32); + + var part216 = match("MESSAGE#151:98:04/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes->} vpnpolicy=\"%{policyname}\" npcs=%{info}"); + + var all33 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup175, + part216, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg153 = msg("98:04", all33); + + var part217 = match("MESSAGE#152:98:05/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes->} npcs=%{info}"); + + var all34 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup175, + part217, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg154 = msg("98:05", all34); + + var select65 = linear_select([ + msg147, + msg148, + msg149, + msg150, + msg151, + msg152, + msg153, + msg154, + ]); + + var part218 = match("MESSAGE#153:986", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup30, + dup11, + ])); + + var msg155 = msg("986", part218); + + var part219 = match("MESSAGE#154:427/4", "nwparser.p0", "%{}note=\"%{event_description}\""); + + var all35 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup175, + part219, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg156 = msg("427", all35); + + var part220 = match("MESSAGE#155:428/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); + + var all36 = all_match({ + processors: [ + dup81, + dup183, + part220, + ], + on_success: processor_chain([ + dup22, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg157 = msg("428", all36); + + var part221 = match("MESSAGE#156:99", "nwparser.payload", 
"Retransmitting DHCP DISCOVER.%{}", processor_chain([ + dup64, + ])); + + var msg158 = msg("99", part221); + + var part222 = match("MESSAGE#157:100", "nwparser.payload", "Retransmitting DHCP REQUEST (Requesting).%{}", processor_chain([ + dup64, + ])); + + var msg159 = msg("100", part222); + + var part223 = match("MESSAGE#158:101", "nwparser.payload", "Retransmitting DHCP REQUEST (Renewing).%{}", processor_chain([ + dup64, + ])); + + var msg160 = msg("101", part223); + + var part224 = match("MESSAGE#159:102", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebinding).%{}", processor_chain([ + dup64, + ])); + + var msg161 = msg("102", part224); + + var part225 = match("MESSAGE#160:103", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebooting).%{}", processor_chain([ + dup64, + ])); + + var msg162 = msg("103", part225); + + var part226 = match("MESSAGE#161:104", "nwparser.payload", "Retransmitting DHCP REQUEST (Verifying).%{}", processor_chain([ + dup64, + ])); + + var msg163 = msg("104", part226); + + var part227 = match("MESSAGE#162:105", "nwparser.payload", "Sending DHCP DISCOVER.%{}", processor_chain([ + dup64, + ])); + + var msg164 = msg("105", part227); + + var part228 = match("MESSAGE#163:106", "nwparser.payload", "DHCP Server not available. Did not get any DHCP OFFER.%{}", processor_chain([ + dup63, + ])); + + var msg165 = msg("106", part228); + + var part229 = match("MESSAGE#164:107", "nwparser.payload", "Got DHCP OFFER. 
Selecting.%{}", processor_chain([ + dup64, + ])); + + var msg166 = msg("107", part229); + + var part230 = match("MESSAGE#165:108", "nwparser.payload", "Sending DHCP REQUEST.%{}", processor_chain([ + dup64, + ])); + + var msg167 = msg("108", part230); + + var part231 = match("MESSAGE#166:109", "nwparser.payload", "DHCP Client did not get DHCP ACK.%{}", processor_chain([ + dup63, + ])); + + var msg168 = msg("109", part231); + + var part232 = match("MESSAGE#167:110", "nwparser.payload", "DHCP Client got NACK.%{}", processor_chain([ + dup64, + ])); + + var msg169 = msg("110", part232); + + var msg170 = msg("111:01", dup188); + + var part233 = match("MESSAGE#169:111", "nwparser.payload", "DHCP Client got ACK from server.%{}", processor_chain([ + dup64, + ])); + + var msg171 = msg("111", part233); + + var select66 = linear_select([ + msg170, + msg171, + ]); + + var part234 = match("MESSAGE#170:112", "nwparser.payload", "DHCP Client is declining address offered by the server.%{}", processor_chain([ + dup64, + ])); + + var msg172 = msg("112", part234); + + var part235 = match("MESSAGE#171:113", "nwparser.payload", "DHCP Client sending REQUEST and going to REBIND state.%{}", processor_chain([ + dup64, + ])); + + var msg173 = msg("113", part235); + + var part236 = match("MESSAGE#172:114", "nwparser.payload", "DHCP Client sending REQUEST and going to RENEW state.%{}", processor_chain([ + dup64, + ])); + + var msg174 = msg("114", part236); + + var msg175 = msg("115:01", dup188); + + var part237 = match("MESSAGE#174:115", "nwparser.payload", "Sending DHCP REQUEST (Renewing).%{}", processor_chain([ + dup64, + ])); + + var msg176 = msg("115", part237); + + var select67 = linear_select([ + msg175, + msg176, + ]); + + var part238 = match("MESSAGE#175:116", "nwparser.payload", "Sending DHCP REQUEST (Rebinding).%{}", processor_chain([ + dup64, + ])); + + var msg177 = msg("116", part238); + + var part239 = match("MESSAGE#176:117", "nwparser.payload", "Sending DHCP REQUEST 
(Rebooting).%{}", processor_chain([ + dup64, + ])); + + var msg178 = msg("117", part239); + + var part240 = match("MESSAGE#177:118", "nwparser.payload", "Sending DHCP REQUEST (Verifying).%{}", processor_chain([ + dup64, + ])); + + var msg179 = msg("118", part240); + + var part241 = match("MESSAGE#178:119", "nwparser.payload", "DHCP Client failed to verify and lease has expired. Go to INIT state.%{}", processor_chain([ + dup63, + ])); + + var msg180 = msg("119", part241); + + var part242 = match("MESSAGE#179:120", "nwparser.payload", "DHCP Client failed to verify and lease is still valid. Go to BOUND state.%{}", processor_chain([ + dup63, + ])); + + var msg181 = msg("120", part242); + + var part243 = match("MESSAGE#180:121", "nwparser.payload", "DHCP Client got a new IP address lease.%{}", processor_chain([ + dup64, + ])); + + var msg182 = msg("121", part243); + + var part244 = match("MESSAGE#181:122", "nwparser.payload", "Access attempt from host without Anti-Virus agent installed%{}", processor_chain([ + dup63, + ])); + + var msg183 = msg("122", part244); + + var part245 = match("MESSAGE#182:123", "nwparser.payload", "Anti-Virus agent out-of-date on host%{}", processor_chain([ + dup63, + ])); + + var msg184 = msg("123", part245); + + var part246 = match("MESSAGE#183:124", "nwparser.payload", "Received AV Alert: %s%{}", processor_chain([ + dup64, + ])); + + var msg185 = msg("124", part246); + + var part247 = match("MESSAGE#184:125", "nwparser.payload", "Unused AV log entry.%{}", processor_chain([ + dup64, + ])); + + var msg186 = msg("125", part247); + + var part248 = match("MESSAGE#185:1254", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup83, + dup11, + ])); + + var msg187 = msg("1254", part248); + + 
var part249 = match("MESSAGE#186:1256", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup70, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var msg188 = msg("1256", part249); + + var part250 = match("MESSAGE#187:1257", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup83, + dup11, + ])); + + var msg189 = msg("1257", part250); + + var part251 = match("MESSAGE#188:126", "nwparser.payload", "Starting PPPoE discovery%{}", processor_chain([ + dup64, + ])); + + var msg190 = msg("126", part251); + + var part252 = match("MESSAGE#189:127", "nwparser.payload", "PPPoE LCP Link Up%{}", processor_chain([ + dup64, + ])); + + var msg191 = msg("127", part252); + + var part253 = match("MESSAGE#190:128", "nwparser.payload", "PPPoE LCP Link Down%{}", processor_chain([ + dup5, + ])); + + var msg192 = msg("128", part253); + + var part254 = match("MESSAGE#191:129", "nwparser.payload", "PPPoE terminated%{}", processor_chain([ + dup5, + ])); + + var msg193 = msg("129", part254); + + var part255 = match("MESSAGE#192:130", "nwparser.payload", "PPPoE Network Connected%{}", processor_chain([ + dup1, + ])); + + var msg194 = msg("130", part255); + + var part256 = match("MESSAGE#193:131", "nwparser.payload", "PPPoE Network Disconnected%{}", processor_chain([ + dup1, + ])); + + var msg195 = msg("131", part256); + + var part257 = match("MESSAGE#194:132", "nwparser.payload", "PPPoE discovery process complete%{}", 
processor_chain([ + dup1, + ])); + + var msg196 = msg("132", part257); + + var part258 = match("MESSAGE#195:133", "nwparser.payload", "PPPoE starting CHAP Authentication%{}", processor_chain([ + dup1, + ])); + + var msg197 = msg("133", part258); + + var part259 = match("MESSAGE#196:134", "nwparser.payload", "PPPoE starting PAP Authentication%{}", processor_chain([ + dup1, + ])); + + var msg198 = msg("134", part259); + + var part260 = match("MESSAGE#197:135", "nwparser.payload", "PPPoE CHAP Authentication Failed%{}", processor_chain([ + dup84, + ])); + + var msg199 = msg("135", part260); + + var part261 = match("MESSAGE#198:136", "nwparser.payload", "PPPoE PAP Authentication Failed%{}", processor_chain([ + dup84, + ])); + + var msg200 = msg("136", part261); + + var part262 = match("MESSAGE#199:137", "nwparser.payload", "Wan IP Changed%{}", processor_chain([ + dup3, + ])); + + var msg201 = msg("137", part262); + + var part263 = match("MESSAGE#200:138", "nwparser.payload", "XAUTH Succeeded%{}", processor_chain([ + dup3, + ])); + + var msg202 = msg("138", part263); + + var part264 = match("MESSAGE#201:139", "nwparser.payload", "XAUTH Failed%{}", processor_chain([ + dup5, + ])); + + var msg203 = msg("139", part264); + + var all37 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + setc("eventcategory","1801020100"), + ]), + }); + + var msg204 = msg("139:01", all37); + + var select68 = linear_select([ + msg203, + msg204, + ]); + + var msg205 = msg("140", dup227); + + var msg206 = msg("141", dup227); + + var part265 = match("MESSAGE#205:142", "nwparser.payload", "Primary firewall has transitioned to Active%{}", processor_chain([ + dup1, + ])); + + var msg207 = msg("142", part265); + + var part266 = match("MESSAGE#206:143", "nwparser.payload", "Backup firewall has transitioned to Active%{}", processor_chain([ + dup1, + ])); + + var msg208 = msg("143", part266); + + var part267 = match("MESSAGE#207:1431", 
"nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=::%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup70, + dup11, + ])); + + var msg209 = msg("1431", part267); + + var part268 = match("MESSAGE#208:144", "nwparser.payload", "Primary firewall has transitioned to Idle%{}", processor_chain([ + dup1, + ])); + + var msg210 = msg("144", part268); + + var part269 = match("MESSAGE#209:145", "nwparser.payload", "Backup firewall has transitioned to Idle%{}", processor_chain([ + dup1, + ])); + + var msg211 = msg("145", part269); + + var part270 = match("MESSAGE#210:146", "nwparser.payload", "Primary missed heartbeats from Active Backup: Primary going Active%{}", processor_chain([ + dup86, + ])); + + var msg212 = msg("146", part270); + + var part271 = match("MESSAGE#211:147", "nwparser.payload", "Backup missed heartbeats from Active Primary: Backup going Active%{}", processor_chain([ + dup86, + ])); + + var msg213 = msg("147", part271); + + var part272 = match("MESSAGE#212:148", "nwparser.payload", "Primary received error signal from Active Backup: Primary going Active%{}", processor_chain([ + dup1, + ])); + + var msg214 = msg("148", part272); + + var part273 = match("MESSAGE#213:1480", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + setc("eventcategory","1204010000"), + dup11, + ])); + + var msg215 = msg("1480", part273); + + var part274 = match("MESSAGE#214:149", "nwparser.payload", "Backup received error signal from Active Primary: Backup going Active%{}", processor_chain([ + dup1, + ])); + + var msg216 = msg("149", part274); + + var part275 = match("MESSAGE#215:150", "nwparser.payload", "Backup firewall being preempted by Primary%{}", processor_chain([ + dup1, + ])); + + var msg217 = msg("150", part275); + + var part276 = match("MESSAGE#216:151", 
"nwparser.payload", "Primary firewall preempting Backup%{}", processor_chain([ + dup1, + ])); + + var msg218 = msg("151", part276); + + var part277 = match("MESSAGE#217:152", "nwparser.payload", "Active Backup detects Active Primary: Backup rebooting%{}", processor_chain([ + dup1, + ])); + + var msg219 = msg("152", part277); + + var part278 = match("MESSAGE#218:153", "nwparser.payload", "Imported HA hardware ID did not match this firewall%{}", processor_chain([ + setc("eventcategory","1603010000"), + ])); + + var msg220 = msg("153", part278); + + var part279 = match("MESSAGE#219:154", "nwparser.payload", "Received AV Alert: Your SonicWALL Network Anti-Virus subscription has expired. %s%{}", processor_chain([ + dup56, + ])); + + var msg221 = msg("154", part279); + + var part280 = match("MESSAGE#220:155", "nwparser.payload", "Primary received heartbeat from wrong source%{}", processor_chain([ + dup86, + ])); + + var msg222 = msg("155", part280); + + var part281 = match("MESSAGE#221:156", "nwparser.payload", "Backup received heartbeat from wrong source%{}", processor_chain([ + dup86, + ])); + + var msg223 = msg("156", part281); + + var part282 = match("MESSAGE#222:157:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup1, + ])); + + var msg224 = msg("157:01", part282); + + var part283 = match("MESSAGE#223:157", "nwparser.payload", "HA packet processing error%{}", processor_chain([ + dup5, + ])); + + var msg225 = msg("157", part283); + + var select69 = linear_select([ + msg224, + msg225, + ]); + + var part284 = match("MESSAGE#224:158", "nwparser.payload", "Heartbeat received from incompatible source%{}", processor_chain([ + dup86, + ])); + + var msg226 = msg("158", part284); + + var part285 = match("MESSAGE#225:159", "nwparser.payload", "Diagnostic Code F%{}", processor_chain([ + dup5, + ])); + + var msg227 = msg("159", part285); + + var part286 = match("MESSAGE#226:160", "nwparser.payload", "Forbidden E-mail attachment altered%{}", 
processor_chain([ + setc("eventcategory","1203000000"), + ])); + + var msg228 = msg("160", part286); + + var part287 = match("MESSAGE#227:161", "nwparser.payload", "PPPoE PAP Authentication success.%{}", processor_chain([ + dup57, + ])); + + var msg229 = msg("161", part287); + + var part288 = match("MESSAGE#228:162", "nwparser.payload", "PPPoE PAP Authentication Failed. Please verify PPPoE username and password%{}", processor_chain([ + dup32, + ])); + + var msg230 = msg("162", part288); + + var part289 = match("MESSAGE#229:163", "nwparser.payload", "Disconnecting PPPoE due to traffic timeout%{}", processor_chain([ + dup5, + ])); + + var msg231 = msg("163", part289); + + var part290 = match("MESSAGE#230:164", "nwparser.payload", "No response from ISP Disconnecting PPPoE.%{}", processor_chain([ + dup5, + ])); + + var msg232 = msg("164", part290); + + var part291 = match("MESSAGE#231:165", "nwparser.payload", "Backup going Active in preempt mode after reboot%{}", processor_chain([ + dup1, + ])); + + var msg233 = msg("165", part291); + + var part292 = match("MESSAGE#232:166", "nwparser.payload", "Denied TCP connection from LAN%{}", processor_chain([ + dup12, + ])); + + var msg234 = msg("166", part292); + + var part293 = match("MESSAGE#233:167", "nwparser.payload", "Denied UDP packet from LAN%{}", processor_chain([ + dup12, + ])); + + var msg235 = msg("167", part293); + + var part294 = match("MESSAGE#234:168", "nwparser.payload", "Denied ICMP packet from LAN%{}", processor_chain([ + dup12, + ])); + + var msg236 = msg("168", part294); + + var part295 = match("MESSAGE#235:169", "nwparser.payload", "Firewall access from LAN%{}", processor_chain([ + dup1, + ])); + + var msg237 = msg("169", part295); + + var part296 = match("MESSAGE#236:170", "nwparser.payload", "Received a path MTU icmp message from router/gateway%{}", processor_chain([ + dup1, + ])); + + var msg238 = msg("170", part296); + + var part297 = match("MESSAGE#237:171", "nwparser.payload", "Probable TCP FIN 
scan%{}", processor_chain([ + dup62, + ])); + + var msg239 = msg("171", part297); + + var part298 = match("MESSAGE#238:171:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup87, + ])); + + var msg240 = msg("171:01", part298); + + var part299 = match("MESSAGE#239:171:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}:%{dport}", processor_chain([ + dup87, + ])); + + var msg241 = msg("171:02", part299); + + var part300 = match("MESSAGE#240:171:03/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld1}\" sess=%{fld2->} n=%{fld3->} src=%{p0}"); + + var all38 = all_match({ + processors: [ + part300, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup87, + ]), + }); + + var msg242 = msg("171:03", all38); + + var select70 = linear_select([ + msg239, + msg240, + msg241, + msg242, + ]); + + var part301 = match("MESSAGE#241:172", "nwparser.payload", "Probable TCP XMAS scan%{}", processor_chain([ + dup62, + ])); + + var msg243 = msg("172", part301); + + var part302 = match("MESSAGE#242:172:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup62, + ])); + + var msg244 = msg("172:01", part302); + + var select71 = linear_select([ + msg243, + msg244, + ]); + + var part303 = match("MESSAGE#243:173", "nwparser.payload", "Probable TCP NULL scan%{}", processor_chain([ + dup62, + ])); + + var msg245 = msg("173", part303); + + var part304 = match("MESSAGE#244:174", "nwparser.payload", "IPSEC Replay Detected%{}", processor_chain([ + dup59, + ])); + + var msg246 = msg("174", part304); + + var all39 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup175, + dup79, + ], + on_success: processor_chain([ + dup59, + ]), + }); + + var msg247 = msg("174:01", all39); + + var all40 = all_match({ + processors: [ + dup44, + dup179, + dup36, + dup178, + ], + on_success: processor_chain([ + dup12, + ]), + }); + + var msg248 = msg("174:02", 
all40); + + var all41 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup181, + dup43, + ], + on_success: processor_chain([ + dup12, + ]), + }); + + var msg249 = msg("174:03", all41); + + var select72 = linear_select([ + msg246, + msg247, + msg248, + msg249, + ]); + + var part305 = match("MESSAGE#248:175", "nwparser.payload", "TCP FIN packet dropped%{}", processor_chain([ + dup59, + ])); + + var msg250 = msg("175", part305); + + var part306 = match("MESSAGE#249:175:01", "nwparser.payload", "msg=\"ICMP packet from LAN dropped\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} type=%{type}", processor_chain([ + dup59, + ])); + + var msg251 = msg("175:01", part306); + + var part307 = match("MESSAGE#250:175:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} type=%{type->} icmpCode=%{fld3->} npcs=%{info}", processor_chain([ + dup59, + ])); + + var msg252 = msg("175:02", part307); + + var select73 = linear_select([ + msg250, + msg251, + msg252, + ]); + + var part308 = match("MESSAGE#251:176", "nwparser.payload", "Fraudulent Microsoft Certificate Blocked%{}", processor_chain([ + dup87, + ])); + + var msg253 = msg("176", part308); + + var msg254 = msg("177", dup185); + + var msg255 = msg("178", dup190); + + var msg256 = msg("179", dup185); + + var all42 = all_match({ + processors: [ + dup33, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup91, + ]), + }); + + var msg257 = msg("180", all42); + + var all43 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup191, + dup94, + ], + on_success: processor_chain([ + dup91, + ]), + }); + + var msg258 = msg("180:01", all43); + + var select74 = linear_select([ + msg257, + msg258, + ]); + + var msg259 = msg("181", dup184); + + var all44 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup62, + ]), + }); + + var msg260 = msg("181:01", all44); + + var select75 = linear_select([ + msg259, + 
msg260, + ]); + + var msg261 = msg("193", dup228); + + var msg262 = msg("194", dup229); + + var msg263 = msg("195", dup229); + + var part309 = match("MESSAGE#262:196/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{fld2->} dst=%{daddr}:%{fld3->} sport=%{sport->} dport=%{dport->} %{p0}"); + + var part310 = match("MESSAGE#262:196/1_1", "nwparser.p0", " rcvd=%{rbytes->} cmd=%{p0}"); + + var select76 = linear_select([ + dup98, + part310, + ]); + + var all45 = all_match({ + processors: [ + part309, + select76, + dup99, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg264 = msg("196", all45); + + var part311 = match("MESSAGE#263:196:01/1_1", "nwparser.p0", "rcvd=%{rbytes->} cmd=%{p0}"); + + var select77 = linear_select([ + dup98, + part311, + ]); + + var all46 = all_match({ + processors: [ + dup95, + select77, + dup99, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg265 = msg("196:01", all46); + + var select78 = linear_select([ + msg264, + msg265, + ]); + + var msg266 = msg("199", dup230); + + var msg267 = msg("200", dup226); + + var part312 = match("MESSAGE#266:235:02", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup29, + ])); + + var msg268 = msg("235:02", part312); + + var part313 = match("MESSAGE#267:235/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{p0}"); + + var all47 = all_match({ + processors: [ + part313, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup29, + ]), + }); + + var msg269 = msg("235", all47); + + var msg270 = msg("235:01", dup231); + + var select79 = linear_select([ + msg268, + msg269, + msg270, + ]); + + var msg271 = msg("236", dup231); + + var msg272 = msg("237", dup230); + + var msg273 = msg("238", dup230); + + var part314 = match("MESSAGE#272:239", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} 
src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ + dup101, + ])); + + var msg274 = msg("239", part314); + + var part315 = match("MESSAGE#273:240", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ + dup101, + ])); + + var msg275 = msg("240", part315); + + var part316 = match("MESSAGE#274:241", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup70, + ])); + + var msg276 = msg("241", part316); + + var part317 = match("MESSAGE#275:241:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup70, + ])); + + var msg277 = msg("241:01", part317); + + var select80 = linear_select([ + msg276, + msg277, + ]); + + var part318 = match("MESSAGE#276:242/1_0", "nwparser.p0", "%{saddr}:%{sport}:: %{p0}"); + + var part319 = match("MESSAGE#276:242/1_1", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + + var select81 = linear_select([ + part318, + part319, + dup35, + ]); + + var part320 = match("MESSAGE#276:242/3_0", "nwparser.p0", "%{daddr}:%{dport}:: "); + + var part321 = match("MESSAGE#276:242/3_1", "nwparser.p0", "%{daddr}:%{dport->} "); + + var select82 = linear_select([ + part320, + part321, + dup28, + ]); + + var all48 = all_match({ + processors: [ + dup44, + select81, + dup36, + select82, + ], + on_success: processor_chain([ + dup70, + ]), + }); + + var msg278 = msg("242", all48); + + var msg279 = msg("252", dup193); + + var msg280 = msg("255", dup193); + + var msg281 = msg("257", dup193); + + var msg282 = msg("261:01", dup232); + + var msg283 = msg("261", dup193); + + var select83 = linear_select([ + msg282, + msg283, + ]); + + var msg284 = msg("262", dup232); + + var all49 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup105, + ]), + }); + + var msg285 = msg("273", all49); + + var msg286 = msg("328", dup233); + + var 
msg287 = msg("329", dup226); + + var msg288 = msg("346", dup193); + + var msg289 = msg("350", dup193); + + var msg290 = msg("351", dup193); + + var msg291 = msg("352", dup193); + + var msg292 = msg("353:01", dup190); + + var part322 = match("MESSAGE#291:353", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost->} lifeSeconds=%{misc}\"", processor_chain([ + dup5, + ])); + + var msg293 = msg("353", part322); + + var select84 = linear_select([ + msg292, + msg293, + ]); + + var part323 = match("MESSAGE#292:354", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=\"%{shost->} lifeSeconds=%{misc}\"", processor_chain([ + dup1, + ])); + + var msg294 = msg("354", part323); + + var msg295 = msg("355", dup194); + + var msg296 = msg("355:01", dup193); + + var select85 = linear_select([ + msg295, + msg296, + ]); + + var msg297 = msg("356", dup195); + + var part324 = match("MESSAGE#296:357", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} dstname=%{name}", processor_chain([ + dup87, + ])); + + var msg298 = msg("357", part324); + + var part325 = match("MESSAGE#297:357:01", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup87, + ])); + + var msg299 = msg("357:01", part325); + + var select86 = linear_select([ + msg298, + msg299, + ]); + + var msg300 = msg("358", dup196); + + var part326 = match("MESSAGE#299:371", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost}", processor_chain([ + setc("eventcategory","1503000000"), + ])); + + var msg301 = msg("371", part326); + + var msg302 = msg("371:01", dup197); + + var select87 = linear_select([ + msg301, + msg302, + ]); + + var msg303 = msg("372", dup193); + + var msg304 = msg("373", dup195); + + var msg305 = msg("401", dup234); + + var msg306 = msg("402", 
dup234); + + var msg307 = msg("406", dup196); + + var part327 = match("MESSAGE#305:413", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, + ])); + + var msg308 = msg("413", part327); + + var msg309 = msg("414", dup193); + + var msg310 = msg("438", dup235); + + var msg311 = msg("439", dup235); + + var all50 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + setc("eventcategory","1501020000"), + ]), + }); + + var msg312 = msg("440", all50); + + var all51 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + setc("eventcategory","1502050000"), + ]), + }); + + var msg313 = msg("441", all51); + + var part328 = match("MESSAGE#311:441:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + setc("eventcategory","1001020000"), + ])); + + var msg314 = msg("441:01", part328); + + var select88 = linear_select([ + msg313, + msg314, + ]); + + var all52 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + setc("eventcategory","1501030000"), + ]), + }); + + var msg315 = msg("442", all52); + + var part329 = match("MESSAGE#313:446/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{p0}"); + + var part330 = match("MESSAGE#313:446/1_0", "nwparser.p0", "%{fld1->} appName=\"%{application}\" n=%{p0}"); + + var part331 = match("MESSAGE#313:446/1_1", "nwparser.p0", "%{fld1->} n=%{p0}"); + + var select89 = linear_select([ + part330, + part331, + ]); + + var part332 = match("MESSAGE#313:446/2", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var all53 = all_match({ + processors: [ + part329, + select89, + part332, + dup199, + dup112, + ], + on_success: processor_chain([ + dup59, + dup54, + dup17, + 
dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg316 = msg("446", all53); + + var part333 = match("MESSAGE#314:477", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"MAC=%{smacaddr->} HostName:%{hostname}\"", processor_chain([ + dup113, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg317 = msg("477", part333); + + var all54 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup29, + ]), + }); + + var msg318 = msg("509", all54); + + var all55 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup103, + ]), + }); + + var msg319 = msg("520", all55); + + var msg320 = msg("522", dup236); + + var part334 = match("MESSAGE#318:522:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} srcV6=%{saddr_v6->} src= %{p0}"); + + var part335 = match("MESSAGE#318:522:01/2", "nwparser.p0", "%{}dstV6=%{daddr_v6->} dst= %{p0}"); + + var all56 = all_match({ + processors: [ + part334, + dup179, + part335, + dup175, + dup114, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg321 = msg("522:01", all56); + + var part336 = match("MESSAGE#319:522:02/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{shost->} dst= %{p0}"); + + var select90 = linear_select([ + part336, + dup39, + ]); + + var all57 = all_match({ + processors: [ + dup38, + select90, + dup10, + dup175, + dup114, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg322 = msg("522:02", all57); + + var select91 = linear_select([ + msg320, + msg321, + msg322, + ]); + + var msg323 = msg("523", dup236); + + var all58 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup175, + dup10, + dup200, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg324 = 
msg("524", all58); + + var part337 = match("MESSAGE#322:524:01/5_0", "nwparser.p0", "proto=%{protocol->} npcs= %{p0}"); + + var part338 = match("MESSAGE#322:524:01/5_1", "nwparser.p0", "rule=%{rule->} npcs= %{p0}"); + + var select92 = linear_select([ + part337, + part338, + ]); + + var all59 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup175, + dup10, + select92, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg325 = msg("524:01", all59); + + var part339 = match("MESSAGE#323:524:02/0", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}rule=\"%{p0}"); + + var part340 = match("MESSAGE#323:524:02/1_0", "nwparser.p0", "%{rule}\" note=\"%{rulename}\"%{p0}"); + + var part341 = match("MESSAGE#323:524:02/1_1", "nwparser.p0", "%{rule}\"%{p0}"); + + var select93 = linear_select([ + part340, + part341, + ]); + + var part342 = match("MESSAGE#323:524:02/2", "nwparser.p0", "%{}fw_action=\"%{action}\""); + + var all60 = all_match({ + processors: [ + part339, + select93, + part342, + ], + on_success: processor_chain([ + dup6, + dup11, + ]), + }); + + var msg326 = msg("524:02", all60); + + var select94 = linear_select([ + msg324, + msg325, + msg326, + ]); + + var msg327 = msg("526", dup237); + + var part343 = match("MESSAGE#325:526:01/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{fld20->} dst= %{p0}"); + + var select95 = linear_select([ + dup25, + part343, + dup39, + ]); + + var part344 = match("MESSAGE#325:526:01/3_1", "nwparser.p0", " %{daddr->} "); + + var select96 = linear_select([ + dup27, + part344, + ]); + + var all61 = all_match({ + processors: [ + dup80, + select95, + dup10, + select96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg328 = msg("526:01", all61); + + var all62 = all_match({ + processors: [ + dup7, + dup201, + dup10, + dup175, + dup114, + ], + 
on_success: processor_chain([ + dup1, + ]), + }); + + var msg329 = msg("526:02", all62); + + var part345 = match("MESSAGE#327:526:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + ])); + + var msg330 = msg("526:03", part345); + + var part346 = match("MESSAGE#328:526:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + ])); + + var msg331 = msg("526:04", part346); + + var part347 = match("MESSAGE#329:526:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + ])); + + var msg332 = msg("526:05", part347); + + var select97 = linear_select([ + msg327, + msg328, + msg329, + msg330, + msg331, + msg332, + ]); + + var part348 = match("MESSAGE#330:537:01/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes->} rcvd=%{p0}"); + + var part349 = match("MESSAGE#330:537:01/5_0", "nwparser.p0", "%{rbytes->} vpnpolicy=%{fld3->} "); + + var part350 = match("MESSAGE#330:537:01/5_1", "nwparser.p0", "%{rbytes->} "); + + var select98 = linear_select([ + part349, + part350, + ]); + + var all63 = all_match({ + processors: [ + dup116, + dup202, + dup10, + dup203, + part348, + select98, + ], + on_success: processor_chain([ + dup105, + ]), + }); + + var msg333 = msg("537:01", all63); + + var part351 = match("MESSAGE#331:537:02/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes}"); + + var all64 = 
all_match({ + processors: [ + dup116, + dup202, + dup10, + dup203, + part351, + ], + on_success: processor_chain([ + dup105, + ]), + }); + + var msg334 = msg("537:02", all64); + + var select99 = linear_select([ + dup117, + dup118, + dup119, + dup120, + ]); + + var part352 = match("MESSAGE#332:537:08/3_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part353 = match("MESSAGE#332:537:08/3_2", "nwparser.p0", " %{daddr}srcMac=%{p0}"); + + var select100 = linear_select([ + dup123, + part352, + part353, + ]); + + var part354 = match("MESSAGE#332:537:08/4", "nwparser.p0", "%{} %{smacaddr->} %{p0}"); + + var select101 = linear_select([ + dup124, + dup125, + ]); + + var part355 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); + + var part356 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); + + var select102 = linear_select([ + part355, + part356, + ]); + + var part357 = match("MESSAGE#332:537:08/7_0", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} fw_action=\"%{action}\" "); + + var part358 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); + + var part359 = match("MESSAGE#332:537:08/7_2", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} fw_action=\"%{action}\" "); + + var part360 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7->} "); + + var part361 = match("MESSAGE#332:537:08/7_4", "nwparser.p0", "%{fld3}"); + + var select103 = linear_select([ + part357, + part358, + part359, + part360, + part361, + ]); + + var all65 = all_match({ + processors: [ + select99, + dup204, + dup205, + select100, + part354, + select101, + select102, + select103, + ], + on_success: processor_chain([ + dup105, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg335 = msg("537:08", all65); + + var select104 = linear_select([ + dup118, + dup117, + dup119, + dup120, + ]); + + var part362 = 
match("MESSAGE#333:537:09/3_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); + + var part363 = match("MESSAGE#333:537:09/3_2", "nwparser.p0", " %{daddr}dstMac=%{p0}"); + + var select105 = linear_select([ + dup126, + part362, + part363, + ]); + + var part364 = match("MESSAGE#333:537:09/4", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + + var select106 = linear_select([ + dup129, + dup130, + dup131, + dup132, + ]); + + var all66 = all_match({ + processors: [ + select104, + dup204, + dup205, + select105, + part364, + dup206, + select106, + ], + on_success: processor_chain([ + dup105, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg336 = msg("537:09", all66); + + var part365 = match("MESSAGE#334:537:07/0_1", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); + + var select107 = linear_select([ + dup117, + part365, + dup119, + dup120, + ]); + + var part366 = match("MESSAGE#334:537:07/4_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + + var part367 = match("MESSAGE#334:537:07/4_1", "nwparser.p0", " srcMac=%{smacaddr->} proto=%{protocol->} sent=%{p0}"); + + var select108 = linear_select([ + part366, + part367, + dup124, + dup125, + ]); + + var part368 = match("MESSAGE#334:537:07/6_3", "nwparser.p0", " spkt=%{fld3->} fw_action=\"%{action}\""); + + var select109 = linear_select([ + dup129, + dup130, + dup131, + part368, + dup132, + ]); + + var all67 = all_match({ + processors: [ + select107, + dup204, + dup205, + dup186, + select108, + dup206, + select109, + ], + on_success: processor_chain([ + dup105, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg337 = msg("537:07", all67); + + var part369 = match("MESSAGE#335:537/1_0", "nwparser.p0", "%{action}\" app=%{fld51->} appName=\"%{application}\"%{p0}"); + + var part370 = match("MESSAGE#335:537/1_1", "nwparser.p0", "%{action}\"%{p0}"); + 
+ var select110 = linear_select([ + part369, + part370, + ]); + + var part371 = match("MESSAGE#335:537/2", "nwparser.p0", "%{}n=%{fld1->} src= %{p0}"); + + var part372 = match("MESSAGE#335:537/4_0", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} sent=%{p0}"); + + var part373 = match("MESSAGE#335:537/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}: proto=%{protocol->} sent=%{p0}"); + + var part374 = match("MESSAGE#335:537/4_2", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} sent=%{p0}"); + + var part375 = match("MESSAGE#335:537/4_3", "nwparser.p0", " %{daddr->} proto=%{protocol->} sent=%{p0}"); + + var select111 = linear_select([ + part372, + part373, + part374, + part375, + ]); + + var part376 = match("MESSAGE#335:537/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} fw_action=\"%{fld6}\""); + + var part377 = match("MESSAGE#335:537/5_1", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} fw_action=\"%{fld5}\""); + + var part378 = match("MESSAGE#335:537/5_2", "nwparser.p0", "%{sbytes->} spkt=%{fld3}fw_action=\"%{fld4}\""); + + var part379 = match("MESSAGE#335:537/5_3", "nwparser.p0", "%{sbytes}rcvd=%{rbytes}"); + + var part380 = match("MESSAGE#335:537/5_4", "nwparser.p0", "%{sbytes}"); + + var select112 = linear_select([ + part376, + part377, + part378, + part379, + part380, + ]); + + var all68 = all_match({ + processors: [ + dup48, + select110, + part371, + dup202, + select111, + select112, + ], + on_success: processor_chain([ + dup105, + ]), + }); + + var msg338 = msg("537", all68); + + var part381 = match("MESSAGE#336:537:04/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} npcs=%{info}"); + + var all69 = all_match({ + processors: [ + dup133, + dup180, + dup10, + dup207, + part381, + ], + on_success: processor_chain([ + dup105, + ]), + }); + + var msg339 = 
msg("537:04", all69); + + var part382 = match("MESSAGE#337:537:05/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} spkt=%{fld3->} cdur=%{p0}"); + + var part383 = match("MESSAGE#337:537:05/5_0", "nwparser.p0", "%{fld4->} appcat=%{fld5->} appid=%{fld6->} npcs= %{p0}"); + + var part384 = match("MESSAGE#337:537:05/5_1", "nwparser.p0", "%{fld4->} npcs= %{p0}"); + + var select113 = linear_select([ + part383, + part384, + ]); + + var all70 = all_match({ + processors: [ + dup133, + dup180, + dup10, + dup207, + part382, + select113, + dup90, + ], + on_success: processor_chain([ + dup105, + ]), + }); + + var msg340 = msg("537:05", all70); + + var part385 = match("MESSAGE#338:537:10/0", "nwparser.payload", "msg=\"%{event_description}\" sess=%{fld1->} n=%{p0}"); + + var part386 = match("MESSAGE#338:537:10/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); + + var part387 = match("MESSAGE#338:537:10/4_2", "nwparser.p0", "%{daddr->} dstMac=%{p0}"); + + var select114 = linear_select([ + dup126, + part386, + part387, + ]); + + var part388 = match("MESSAGE#338:537:10/5", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); + + var all71 = all_match({ + processors: [ + part385, + dup208, + dup137, + dup209, + select114, + part388, + dup210, + ], + on_success: processor_chain([ + dup105, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg341 = msg("537:10", all71); + + var part389 = match("MESSAGE#339:537:03/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{p0}"); + + var part390 = match("MESSAGE#339:537:03/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var part391 = match("MESSAGE#339:537:03/4_2", "nwparser.p0", "%{daddr->} proto=%{p0}"); + + var select115 = linear_select([ + dup77, + part390, + part391, + ]); + + var part392 = match("MESSAGE#339:537:03/5", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} 
rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); + + var all72 = all_match({ + processors: [ + part389, + dup208, + dup137, + dup209, + select115, + part392, + dup210, + ], + on_success: processor_chain([ + dup105, + ]), + }); + + var msg342 = msg("537:03", all72); + + var part393 = match("MESSAGE#340:537:06/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} spkt=%{fld3->} npcs=%{info}"); + + var all73 = all_match({ + processors: [ + dup133, + dup180, + dup10, + dup207, + part393, + ], + on_success: processor_chain([ + dup105, + ]), + }); + + var msg343 = msg("537:06", all73); + + var part394 = match("MESSAGE#341:537:11", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld3}rpkt=%{fld4}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup105, + dup54, + dup11, + dup142, + ])); + + var msg344 = msg("537:11", part394); + + var part395 = match("MESSAGE#342:537:12", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup105, + dup54, + dup11, + dup142, + ])); + + var msg345 = msg("537:12", part395); + + var select116 = linear_select([ + msg333, + msg334, + msg335, + msg336, + msg337, + msg338, + msg339, + msg340, + msg341, + msg342, + msg343, + msg344, + msg345, + ]); + + var msg346 = msg("538", dup228); + + var msg347 = msg("549", dup226); + + var msg348 = msg("557", dup226); + + var all74 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + 
setc("eventcategory","1402020200"), + ]), + }); + + var msg349 = msg("558", all74); + + var msg350 = msg("561", dup233); + + var msg351 = msg("562", dup233); + + var msg352 = msg("563", dup233); + + var all75 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + setc("eventcategory","1402020400"), + ]), + }); + + var msg353 = msg("583", all75); + + var part396 = match("MESSAGE#351:597:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ + dup143, + dup51, + dup144, + dup53, + dup54, + dup11, + dup145, + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg354 = msg("597:01", part396); + + var part397 = match("MESSAGE#352:597:02", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ + dup1, + ])); + + var msg355 = msg("597:02", part397); + + var part398 = match("MESSAGE#353:597:03/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var all76 = all_match({ + processors: [ + part398, + dup187, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg356 = msg("597:03", all76); + + var select117 = linear_select([ + msg354, + msg355, + msg356, + ]); + + var part399 = match("MESSAGE#354:598", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{type->} code=%{code}", processor_chain([ + dup1, + ])); + + var msg357 = msg("598", part399); + + var part400 = match("MESSAGE#355:598:01/2", "nwparser.p0", "%{} %{type->} npcs=%{info}"); + + var all77 = all_match({ + processors: [ + dup146, + dup182, + part400, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg358 = 
msg("598:01", all77); + + var all78 = all_match({ + processors: [ + dup146, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg359 = msg("598:02", all78); + + var select118 = linear_select([ + msg357, + msg358, + msg359, + ]); + + var part401 = match("MESSAGE#357:602:01", "nwparser.payload", "msg=\"%{event_description}allowed\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ + dup143, + dup51, + dup144, + dup53, + dup54, + dup11, + dup145, + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg360 = msg("602:01", part401); + + var msg361 = msg("602:02", dup237); + + var all79 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup175, + dup79, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg362 = msg("602:03", all79); + + var select119 = linear_select([ + msg360, + msg361, + msg362, + ]); + + var msg363 = msg("605", dup196); + + var all80 = all_match({ + processors: [ + dup147, + dup211, + dup149, + dup199, + dup112, + ], + on_success: processor_chain([ + dup87, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg364 = msg("606", all80); + + var part402 = match("MESSAGE#362:608/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} ipscat=%{ipscat->} ipspri=%{p0}"); + + var part403 = match("MESSAGE#362:608/1_0", "nwparser.p0", "%{fld66->} pktdatId=%{fld11->} n=%{p0}"); + + var part404 = match("MESSAGE#362:608/1_1", "nwparser.p0", "%{ipspri->} n=%{p0}"); + + var select120 = linear_select([ + part403, + part404, + ]); + + var part405 = match("MESSAGE#362:608/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{p0}"); + + var part406 = match("MESSAGE#362:608/3_0", "nwparser.p0", "%{sport}:%{sinterface->} dst=%{p0}"); + + var part407 = match("MESSAGE#362:608/3_1", "nwparser.p0", "%{sport->} dst=%{p0}"); + + var select121 = linear_select([ + part406, + part407, + ]); + + var 
part408 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); + + var part409 = match("MESSAGE#362:608/5_0", "nwparser.p0", "%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{fld2}\""); + + var part410 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); + + var part411 = match("MESSAGE#362:608/5_2", "nwparser.p0", "%{dport}"); + + var select122 = linear_select([ + part409, + part410, + part411, + ]); + + var all81 = all_match({ + processors: [ + part402, + select120, + part405, + select121, + part408, + select122, + ], + on_success: processor_chain([ + dup1, + dup37, + ]), + }); + + var msg365 = msg("608", all81); + + var msg366 = msg("616", dup194); + + var msg367 = msg("658", dup190); + + var msg368 = msg("710", dup212); + + var msg369 = msg("712:02", dup238); + + var msg370 = msg("712", dup212); + + var all82 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup191, + dup94, + ], + on_success: processor_chain([ + dup150, + ]), + }); + + var msg371 = msg("712:01", all82); + + var select123 = linear_select([ + msg369, + msg370, + msg371, + ]); + + var part412 = match("MESSAGE#369:713:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=%{info}", processor_chain([ + dup5, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg372 = msg("713:01", part412); + + var msg373 = msg("713:04", dup238); + + var msg374 = msg("713:02", dup212); + + var part413 = match("MESSAGE#372:713:03", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{action}\" npcs=%{info}", processor_chain([ + dup5, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg375 = msg("713:03", part413); + 
+ var select124 = linear_select([ + msg372, + msg373, + msg374, + msg375, + ]); + + var part414 = match("MESSAGE#373:760", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=%{info}", processor_chain([ + dup113, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg376 = msg("760", part414); + + var part415 = match("MESSAGE#374:760:01/0", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part416 = match("MESSAGE#374:760:01/4", "nwparser.p0", "%{} %{action->} npcs=%{info}"); + + var all83 = all_match({ + processors: [ + part415, + dup174, + dup10, + dup191, + part416, + ], + on_success: processor_chain([ + dup113, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg377 = msg("760:01", all83); + + var select125 = linear_select([ + msg376, + msg377, + ]); + + var msg378 = msg("766", dup216); + + var msg379 = msg("860", dup216); + + var msg380 = msg("860:01", dup217); + + var select126 = linear_select([ + msg379, + msg380, + ]); + + var part417 = match("MESSAGE#378:866/0", "nwparser.payload", "msg=\"%{msg}\" n=%{p0}"); + + var part418 = match("MESSAGE#378:866/1_0", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\" "); + + var part419 = match("MESSAGE#378:866/1_1", "nwparser.p0", "%{ntype->} "); + + var select127 = linear_select([ + part418, + part419, + ]); + + var all84 = all_match({ + processors: [ + part417, + select127, + ], + on_success: processor_chain([ + dup5, + dup37, + ]), + }); + + var msg381 = msg("866", all84); + + var msg382 = msg("866:01", dup217); + + var select128 = linear_select([ + msg381, + msg382, + ]); + + var msg383 = 
msg("867", dup216); + + var msg384 = msg("867:01", dup217); + + var select129 = linear_select([ + msg383, + msg384, + ]); + + var part420 = match("MESSAGE#382:882", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup1, + ])); + + var msg385 = msg("882", part420); + + var part421 = match("MESSAGE#383:882:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} npcs=%{info}", processor_chain([ + dup1, + ])); + + var msg386 = msg("882:01", part421); + + var select130 = linear_select([ + msg385, + msg386, + ]); + + var part422 = match("MESSAGE#384:888", "nwparser.payload", "msg=\"%{reason};%{action}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup159, + ])); + + var msg387 = msg("888", part422); + + var part423 = match("MESSAGE#385:888:01", "nwparser.payload", "msg=\"%{reason};%{action}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=%{fld3->} npcs=%{info}", processor_chain([ + dup159, + ])); + + var msg388 = msg("888:01", part423); + + var select131 = linear_select([ + msg387, + msg388, + ]); + + var all85 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup159, + ]), + }); + + var msg389 = msg("892", all85); + + var msg390 = msg("904", dup216); + + var msg391 = msg("905", dup216); + + var msg392 = msg("906", dup216); + + var msg393 = msg("907", dup216); + + var select132 = linear_select([ + dup73, + dup138, + ]); + + var all86 = all_match({ + processors: [ + dup160, + select132, + dup10, + dup211, + dup161, + dup199, + dup112, + ], + on_success: processor_chain([ + dup70, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + 
}); + + var msg394 = msg("908", all86); + + var msg395 = msg("909", dup216); + + var msg396 = msg("914", dup218); + + var part424 = match("MESSAGE#394:931", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup64, + ])); + + var msg397 = msg("931", part424); + + var msg398 = msg("657", dup218); + + var all87 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg399 = msg("657:01", all87); + + var select133 = linear_select([ + msg398, + msg399, + ]); + + var msg400 = msg("403", dup197); + + var msg401 = msg("534", dup176); + + var msg402 = msg("994", dup219); + + var part425 = match("MESSAGE#400:243", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} proto=%{protocol}", processor_chain([ + dup1, + dup23, + ])); + + var msg403 = msg("243", part425); + + var msg404 = msg("995", dup176); + + var part426 = match("MESSAGE#402:997", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{fld3->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld4->} note=\"%{info}\"", processor_chain([ + dup1, + dup51, + dup53, + dup54, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg405 = msg("997", part426); + + var msg406 = msg("998", dup219); + + var part427 = match("MESSAGE#405:998:01", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup105, + dup11, + ])); + + var msg407 = msg("998:01", part427); + + var select134 = linear_select([ + msg406, + msg407, + ]); + + var msg408 = msg("1110", dup220); + + var msg409 = 
msg("565", dup220); + + var part428 = match("MESSAGE#408:404", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup54, + ])); + + var msg410 = msg("404", part428); + + var select135 = linear_select([ + dup148, + dup50, + ]); + + var part429 = match("MESSAGE#409:267:01/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{fld3}\" fw_action=\"%{action}\""); + + var all88 = all_match({ + processors: [ + dup81, + select135, + part429, + ], + on_success: processor_chain([ + dup105, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg411 = msg("267:01", all88); + + var part430 = match("MESSAGE#410:267", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}", processor_chain([ + dup1, + dup54, + ])); + + var msg412 = msg("267", part430); + + var select136 = linear_select([ + msg411, + msg412, + ]); + + var part431 = match("MESSAGE#411:263", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} proto=%{protocol}", processor_chain([ + dup1, + dup23, + ])); + + var msg413 = msg("263", part431); + + var part432 = match("MESSAGE#412:264", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup103, + dup11, + ])); + + var msg414 = msg("264", part432); + + var msg415 = msg("412", dup197); + + var part433 = match("MESSAGE#415:793", "nwparser.payload", "msg=\"%{msg}\" af_polid=%{fld1->} af_policy=\"%{fld2}\" af_type=\"%{fld3}\" af_service=\"%{fld4}\" af_action=\"%{fld5}\" n=%{fld6->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ + dup1, + dup23, + ])); + + var msg416 = msg("793", 
part433); + + var part434 = match("MESSAGE#416:805", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} if=%{fld2->} ucastRx=%{fld3->} bcastRx=%{fld4->} bytesRx=%{rbytes->} ucastTx=%{fld5->} bcastTx=%{fld6->} bytesTx=%{sbytes}", processor_chain([ + dup1, + dup23, + ])); + + var msg417 = msg("805", part434); + + var part435 = match("MESSAGE#417:809", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup162, + dup11, + ])); + + var msg418 = msg("809", part435); + + var part436 = match("MESSAGE#418:809:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup162, + dup11, + ])); + + var msg419 = msg("809:01", part436); + + var select137 = linear_select([ + msg418, + msg419, + ]); + + var msg420 = msg("935", dup218); + + var msg421 = msg("614", dup221); + + var part437 = match("MESSAGE#421:748/0", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var all89 = all_match({ + processors: [ + part437, + dup199, + dup112, + ], + on_success: processor_chain([ + dup58, + dup37, + ]), + }); + + var msg422 = msg("748", all89); + + var part438 = match("MESSAGE#422:794/0", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} spycat=%{fld1->} spypri=%{fld2->} pktdatId=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var part439 = match("MESSAGE#422:794/1_0", "nwparser.p0", "%{protocol}/%{fld5->} fw_action=\"%{p0}"); + + var select138 = linear_select([ + part439, + dup111, + ]); + + var all90 = all_match({ + processors: [ + part438, + select138, + dup112, + ], + on_success: processor_chain([ + dup163, + 
dup37, + ]), + }); + + var msg423 = msg("794", all90); + + var msg424 = msg("1086", dup221); + + var part440 = match("MESSAGE#424:1430", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup163, + dup37, + ])); + + var msg425 = msg("1430", part440); + + var msg426 = msg("1149", dup221); + + var msg427 = msg("1159", dup221); + + var part441 = match("MESSAGE#427:1195", "nwparser.payload", "n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup163, + dup37, + ])); + + var msg428 = msg("1195", part441); + + var part442 = match("MESSAGE#428:1195:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}", processor_chain([ + dup163, + dup37, + ])); + + var msg429 = msg("1195:01", part442); + + var select139 = linear_select([ + msg428, + msg429, + ]); + + var part443 = match("MESSAGE#429:1226", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup5, + dup37, + ])); + + var msg430 = msg("1226", part443); + + var part444 = match("MESSAGE#430:1222", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} note=\"%{fld3}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup37, + ])); + + var msg431 = msg("1222", part444); + + var part445 = match("MESSAGE#431:1154", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ + dup1, + dup23, + ])); + + var msg432 = msg("1154", part445); + + var part446 = match("MESSAGE#432:1154:01/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{p0}"); + + var all91 = all_match({ + processors: [ + 
part446, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + dup23, + ]), + }); + + var msg433 = msg("1154:01", all91); + + var part447 = match("MESSAGE#433:1154:02", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid%{fld2->} catid=%{fld3->} sess=\"%{fld4}\" n=%{fld5->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup164, + dup11, + ])); + + var msg434 = msg("1154:02", part447); + + var part448 = match("MESSAGE#434:1154:03/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid=%{fld2->} catid=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var select140 = linear_select([ + dup123, + dup49, + ]); + + var part449 = match("MESSAGE#434:1154:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\""); + + var all92 = all_match({ + processors: [ + part448, + select140, + part449, + ], + on_success: processor_chain([ + dup164, + dup11, + ]), + }); + + var msg435 = msg("1154:03", all92); + + var select141 = linear_select([ + msg432, + msg433, + msg434, + msg435, + ]); + + var part450 = match("MESSAGE#435:msg", "nwparser.payload", "msg=\"%{msg}\" src=%{stransaddr->} dst=%{dtransaddr->} %{result}", processor_chain([ + dup165, + ])); + + var msg436 = msg("msg", part450); + + var part451 = match("MESSAGE#436:src", "nwparser.payload", "src=%{stransaddr->} dst=%{dtransaddr->} %{msg}", processor_chain([ + dup165, + ])); + + var msg437 = msg("src", part451); + + var all93 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup175, + dup10, + dup200, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg438 = msg("1235", all93); + + var part452 = match("MESSAGE#438:1197/4", "nwparser.p0", "%{}\"%{fld3->} 
Protocol:%{protocol}\" npcs=%{info}"); + + var all94 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup191, + part452, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg439 = msg("1197", all94); + + var part453 = match("MESSAGE#439:1199/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3->} sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var all95 = all_match({ + processors: [ + part453, + dup177, + dup166, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg440 = msg("1199", all95); + + var part454 = match("MESSAGE#440:1199:01", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup167, + dup11, + ])); + + var msg441 = msg("1199:01", part454); + + var part455 = match("MESSAGE#441:1199:02", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup167, + dup11, + ])); + + var msg442 = msg("1199:02", part455); + + var select142 = linear_select([ + msg440, + msg441, + msg442, + ]); + + var part456 = match("MESSAGE#442:1155/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} catid=%{fld3->} sess=%{fld4->} n=%{fld5->} src=%{p0}"); + + var all96 = all_match({ + processors: [ + part456, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg443 = msg("1155", all96); + + var part457 = match("MESSAGE#443:1155:01", "nwparser.payload", "msg=\"%{action}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} 
src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup105, + ])); + + var msg444 = msg("1155:01", part457); + + var select143 = linear_select([ + msg443, + msg444, + ]); + + var all97 = all_match({ + processors: [ + dup168, + dup201, + dup166, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg445 = msg("1198", all97); + + var all98 = all_match({ + processors: [ + dup7, + dup177, + dup166, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg446 = msg("714", all98); + + var msg447 = msg("709", dup239); + + var msg448 = msg("1005", dup239); + + var msg449 = msg("1003", dup239); + + var msg450 = msg("1007", dup240); + + var part458 = match("MESSAGE#450:1008", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}::%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup103, + dup11, + ])); + + var msg451 = msg("1008", part458); + + var msg452 = msg("708", dup240); + + var all99 = all_match({ + processors: [ + dup168, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg453 = msg("1201", all99); + + var msg454 = msg("1201:01", dup240); + + var select144 = linear_select([ + msg453, + msg454, + ]); + + var msg455 = msg("654", dup222); + + var msg456 = msg("670", dup222); + + var msg457 = msg("884", dup240); + + var part459 = match("MESSAGE#457:1153", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} rcvd=%{rbytes->} note=\"%{info}\"", processor_chain([ + dup1, + ])); + + var msg458 = msg("1153", part459); + + var part460 = match("MESSAGE#458:1153:01/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} sess=%{fld2->} n=%{p0}"); + + var part461 = 
match("MESSAGE#458:1153:01/0_1", "nwparser.payload", " msg=\"%{event_description}\" sess=%{fld2->} n=%{p0}"); + + var part462 = match("MESSAGE#458:1153:01/0_2", "nwparser.payload", " msg=\"%{event_description}\" n=%{p0}"); + + var select145 = linear_select([ + part460, + part461, + part462, + ]); + + var part463 = match("MESSAGE#458:1153:01/1", "nwparser.p0", "%{fld3->} usr=\"%{username}\" src=%{p0}"); + + var part464 = match("MESSAGE#458:1153:01/2_0", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + + var select146 = linear_select([ + part464, + dup25, + ]); + + var part465 = match("MESSAGE#458:1153:01/4_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac= %{p0}"); + + var part466 = match("MESSAGE#458:1153:01/4_1", "nwparser.p0", "%{daddr}:%{dport}srcMac= %{p0}"); + + var part467 = match("MESSAGE#458:1153:01/4_2", "nwparser.p0", "%{daddr}srcMac= %{p0}"); + + var select147 = linear_select([ + part465, + part466, + part467, + ]); + + var part468 = match("MESSAGE#458:1153:01/5", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} %{p0}"); + + var part469 = match("MESSAGE#458:1153:01/6_0", "nwparser.p0", "sent=%{sbytes}rcvd=%{rbytes->} "); + + var part470 = match("MESSAGE#458:1153:01/6_1", "nwparser.p0", "type=%{fld4->} icmpCode=%{fld5->} rcvd=%{rbytes->} "); + + var part471 = match("MESSAGE#458:1153:01/6_2", "nwparser.p0", "rcvd=%{rbytes->} "); + + var select148 = linear_select([ + part469, + part470, + part471, + ]); + + var all100 = all_match({ + processors: [ + select145, + part463, + select146, + dup10, + select147, + part468, + select148, + ], + on_success: processor_chain([ + dup1, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg459 = msg("1153:01", all100); + + var part472 = match("MESSAGE#459:1153:02/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); + + var part473 = match("MESSAGE#459:1153:02/1_0", "nwparser.p0", "app=%{fld1->} n=%{fld2->} src=%{p0}"); + + var 
part474 = match("MESSAGE#459:1153:02/1_1", "nwparser.p0", " n=%{fld2->} src=%{p0}"); + + var select149 = linear_select([ + part473, + part474, + ]); + + var part475 = match("MESSAGE#459:1153:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes}"); + + var all101 = all_match({ + processors: [ + part472, + select149, + part475, + ], + on_success: processor_chain([ + dup1, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var msg460 = msg("1153:02", all101); + + var select150 = linear_select([ + msg458, + msg459, + msg460, + ]); + + var part476 = match("MESSAGE#460:1107", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg461 = msg("1107", part476); + + var part477 = match("MESSAGE#461:1220/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{p0}"); + + var part478 = match("MESSAGE#461:1220/1_0", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part479 = match("MESSAGE#461:1220/1_1", "nwparser.p0", "%{fld2}src=%{saddr}:%{sport->} dst=%{p0}"); + + var select151 = linear_select([ + part478, + part479, + ]); + + var all102 = all_match({ + processors: [ + part477, + select151, + dup10, + dup223, + dup171, + ], + on_success: processor_chain([ + dup159, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg462 = msg("1220", all102); + + var all103 = all_match({ + processors: [ + dup147, + dup223, + dup171, + ], + on_success: processor_chain([ + dup159, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg463 = msg("1230", all103); + + var part480 = match("MESSAGE#463:1231", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1->} note=\"%{info}\"", processor_chain([ + dup1, + ])); + + var msg464 = msg("1231", part480); + + var part481 = match("MESSAGE#464:1233", 
"nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup167, + dup11, + ])); + + var msg465 = msg("1233", part481); + + var part482 = match("MESSAGE#465:1079/0", "nwparser.payload", "msg=\"User%{username}log%{p0}"); + + var part483 = match("MESSAGE#465:1079/1_0", "nwparser.p0", "in%{p0}"); + + var part484 = match("MESSAGE#465:1079/1_1", "nwparser.p0", "out%{p0}"); + + var select152 = linear_select([ + part483, + part484, + ]); + + var part485 = match("MESSAGE#465:1079/2", "nwparser.p0", "\"%{p0}"); + + var part486 = match("MESSAGE#465:1079/3_0", "nwparser.p0", "dur=%{duration->} %{space}n=%{fld1}"); + + var part487 = match("MESSAGE#465:1079/3_1", "nwparser.p0", "sess=\"%{fld2}\" n=%{fld1->} "); + + var part488 = match("MESSAGE#465:1079/3_2", "nwparser.p0", "n=%{fld1}"); + + var select153 = linear_select([ + part486, + part487, + part488, + ]); + + var all104 = all_match({ + processors: [ + part482, + select152, + part485, + select153, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg466 = msg("1079", all104); + + var part489 = match("MESSAGE#466:1079:01", "nwparser.payload", "msg=\"Client%{username}is assigned IP:%{hostip}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg467 = msg("1079:01", part489); + + var part490 = match("MESSAGE#467:1079:02", "nwparser.payload", "msg=\"destination for %{daddr->} is not allowed by access control\" n=%{fld2}", processor_chain([ + dup1, + dup11, + setc("event_description","destination is not allowed by access control"), + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg468 = msg("1079:02", part490); + + var part491 = match("MESSAGE#468:1079:03", "nwparser.payload", "msg=\"SSLVPN Client %{username->} matched device profile Default Device Profile for Windows\" n=%{fld2}", 
processor_chain([ + dup1, + dup11, + setc("event_description","SSLVPN Client matched device profile Default Device Profile for Windows"), + dup17, + dup18, + dup19, + dup20, + dup21, + ])); + + var msg469 = msg("1079:03", part491); + + var select154 = linear_select([ + msg466, + msg467, + msg468, + msg469, + ]); + + var part492 = match("MESSAGE#469:1080/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=\"%{username}\" src= %{p0}"); + + var part493 = match("MESSAGE#469:1080/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var select155 = linear_select([ + dup73, + part493, + ]); + + var select156 = linear_select([ + dup77, + dup78, + ]); + + var part494 = match("MESSAGE#469:1080/4", "nwparser.p0", "%{} %{protocol}"); + + var all105 = all_match({ + processors: [ + part492, + select155, + dup10, + select156, + part494, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg470 = msg("1080", all105); + + var part495 = match("MESSAGE#470:580", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var msg471 = msg("580", part495); + + var part496 = match("MESSAGE#471:1369/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); + + var all106 = all_match({ + processors: [ + part496, + dup224, + dup112, + ], + on_success: processor_chain([ + dup70, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg472 = msg("1369", all106); + + var all107 = all_match({ + processors: [ + dup147, + dup211, + dup149, + dup224, + dup112, + ], + on_success: processor_chain([ + dup70, + dup54, + dup17, + 
dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg473 = msg("1370", all107); + + var all108 = all_match({ + processors: [ + dup147, + dup211, + dup161, + dup199, + dup112, + ], + on_success: processor_chain([ + dup70, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg474 = msg("1371", all108); + + var part497 = match("MESSAGE#474:1387/1_1", "nwparser.p0", "%{saddr}:%{sport}: dst=%{p0}"); + + var select157 = linear_select([ + dup138, + part497, + ]); + + var all109 = all_match({ + processors: [ + dup160, + select157, + dup10, + dup211, + dup161, + dup199, + dup112, + ], + on_success: processor_chain([ + dup159, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg475 = msg("1387", all109); + + var part498 = match("MESSAGE#475:1391/0", "nwparser.payload", "pktdatId=%{fld1}pktdatNum=\"%{fld2}\" pktdatEnc=\"%{fld3}\" n=%{fld4}src=%{p0}"); + + var part499 = match("MESSAGE#475:1391/1_1", "nwparser.p0", "%{saddr}:%{sport}dst=%{p0}"); + + var select158 = linear_select([ + dup69, + part499, + ]); + + var part500 = match("MESSAGE#475:1391/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost}"); + + var part501 = match("MESSAGE#475:1391/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); + + var part502 = match("MESSAGE#475:1391/2_2", "nwparser.p0", "%{daddr}:%{dport}"); + + var select159 = linear_select([ + part500, + part501, + part502, + ]); + + var all110 = all_match({ + processors: [ + part498, + select158, + select159, + ], + on_success: processor_chain([ + dup1, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg476 = msg("1391", all110); + + var part503 = match("MESSAGE#476:1253", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1}appName=\"%{application}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\"", 
processor_chain([ + dup5, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var msg477 = msg("1253", part503); + + var part504 = match("MESSAGE#477:1009", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var msg478 = msg("1009", part504); + + var part505 = match("MESSAGE#478:910/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2}appName=\"%{application}\" n=%{fld3}src=%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + + var part506 = match("MESSAGE#478:910/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{p0}"); + + var part507 = match("MESSAGE#478:910/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{p0}"); + + var select160 = linear_select([ + part506, + part507, + ]); + + var part508 = match("MESSAGE#478:910/2", "nwparser.p0", "%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\""); + + var all111 = all_match({ + processors: [ + part505, + select160, + part508, + ], + on_success: processor_chain([ + dup5, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg479 = msg("910", all111); + + var part509 = match("MESSAGE#479:m:01", "nwparser.payload", "m=%{id1}msg=\"%{event_description}\" n=%{fld2}if=%{interface}ucastRx=%{fld3}bcastRx=%{fld4}bytesRx=%{rbytes}ucastTx=%{fld5}bcastTx=%{fld6}bytesTx=%{sbytes}", processor_chain([ + dup1, + dup54, + dup17, + dup82, + dup19, + dup21, + dup37, + ])); + + var msg480 = msg("m:01", part509); + + var part510 = match("MESSAGE#480:1011", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var msg481 = msg("1011", part510); + + var part511 = match("MESSAGE#481:609", "nwparser.payload", "msg=\"%{event_description}\" 
sid=%{sid->} ipscat=\"%{fld3}\" ipspri=%{fld4->} pktdatId=%{fld5->} n=%{fld6->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup164, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var msg482 = msg("609", part511); + + var msg483 = msg("796", dup225); + + var part512 = match("MESSAGE#483:880", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup70, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var msg484 = msg("880", part512); + + var part513 = match("MESSAGE#484:1309", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup159, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var msg485 = msg("1309", part513); + + var msg486 = msg("1310", dup225); + + var part514 = match("MESSAGE#486:1232/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"%{p0}"); + + var part515 = match("MESSAGE#486:1232/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=\"%{p0}"); + + var select161 = linear_select([ + part514, + part515, + ]); + + var part516 = match("MESSAGE#486:1232/2", "nwparser.p0", "%{info}\" fw_action=\"%{action}\""); + + var all112 = all_match({ + processors: [ + dup81, + select161, + part516, + ], + on_success: processor_chain([ + dup1, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg487 = msg("1232", all112); + + var part517 = match("MESSAGE#487:1447/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} appName=\"%{application}\" n=%{fld2->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var all113 = all_match({ + processors: [ + part517, + dup199, + dup112, 
+ ], + on_success: processor_chain([ + dup159, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), + }); + + var msg488 = msg("1447", all113); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "10": msg9, + "100": msg159, + "1003": msg449, + "1005": msg448, + "1007": msg450, + "1008": msg451, + "1009": msg478, + "101": msg160, + "1011": msg481, + "102": msg161, + "103": msg162, + "104": msg163, + "105": msg164, + "106": msg165, + "107": msg166, + "1079": select154, + "108": msg167, + "1080": msg470, + "1086": msg424, + "109": msg168, + "11": msg10, + "110": msg169, + "1107": msg461, + "111": select66, + "1110": msg408, + "112": msg172, + "113": msg173, + "114": msg174, + "1149": msg426, + "115": select67, + "1153": select150, + "1154": select141, + "1155": select143, + "1159": msg427, + "116": msg177, + "117": msg178, + "118": msg179, + "119": msg180, + "1195": select139, + "1197": msg439, + "1198": msg445, + "1199": select142, + "12": select4, + "120": msg181, + "1201": select144, + "121": msg182, + "122": msg183, + "1220": msg462, + "1222": msg431, + "1226": msg430, + "123": msg184, + "1230": msg463, + "1231": msg464, + "1232": msg487, + "1233": msg465, + "1235": msg438, + "124": msg185, + "125": msg186, + "1253": msg477, + "1254": msg187, + "1256": msg188, + "1257": msg189, + "126": msg190, + "127": msg191, + "128": msg192, + "129": msg193, + "13": msg13, + "130": msg194, + "1309": msg485, + "131": msg195, + "1310": msg486, + "132": msg196, + "133": msg197, + "134": msg198, + "135": msg199, + "136": msg200, + "1369": msg472, + "137": msg201, + "1370": msg473, + "1371": msg474, + "138": msg202, + "1387": msg475, + "139": select68, + "1391": msg476, + "14": select7, + "140": msg205, + "141": msg206, + "142": msg207, + "143": msg208, + "1430": msg425, + "1431": msg209, + "144": msg210, + "1447": msg488, + "145": msg211, + "146": msg212, + "147": msg213, + "148": msg214, + "1480": msg215, + "149": msg216, + "15": msg20, + "150": 
msg217, + "151": msg218, + "152": msg219, + "153": msg220, + "154": msg221, + "155": msg222, + "156": msg223, + "157": select69, + "158": msg226, + "159": msg227, + "16": msg21, + "160": msg228, + "161": msg229, + "162": msg230, + "163": msg231, + "164": msg232, + "165": msg233, + "166": msg234, + "167": msg235, + "168": msg236, + "169": msg237, + "17": msg22, + "170": msg238, + "171": select70, + "172": select71, + "173": msg245, + "174": select72, + "175": select73, + "176": msg253, + "177": msg254, + "178": msg255, + "179": msg256, + "18": msg23, + "180": select74, + "181": select75, + "19": msg24, + "193": msg261, + "194": msg262, + "195": msg263, + "196": select78, + "199": msg266, + "20": msg25, + "200": msg267, + "21": msg26, + "22": msg27, + "23": select10, + "235": select79, + "236": msg271, + "237": msg272, + "238": msg273, + "239": msg274, + "24": select11, + "240": msg275, + "241": select80, + "242": msg278, + "243": msg403, + "25": msg34, + "252": msg279, + "255": msg280, + "257": msg281, + "26": msg35, + "261": select83, + "262": msg284, + "263": msg413, + "264": msg414, + "267": select136, + "27": msg36, + "273": msg285, + "28": select12, + "29": select13, + "30": select14, + "31": select15, + "32": select16, + "328": msg286, + "329": msg287, + "33": select17, + "34": msg52, + "346": msg288, + "35": select19, + "350": msg289, + "351": msg290, + "352": msg291, + "353": select84, + "354": msg294, + "355": select85, + "356": msg297, + "357": select86, + "358": msg300, + "36": select23, + "37": select27, + "371": select87, + "372": msg303, + "373": msg304, + "38": select30, + "39": msg67, + "4": msg1, + "40": msg68, + "401": msg305, + "402": msg306, + "403": msg400, + "404": msg410, + "406": msg307, + "41": select31, + "412": msg415, + "413": msg308, + "414": msg309, + "42": msg72, + "427": msg156, + "428": msg157, + "43": msg73, + "438": msg310, + "439": msg311, + "44": msg74, + "440": msg312, + "441": select88, + "442": msg315, + "446": msg316, + "45": 
select32, + "46": select33, + "47": msg82, + "477": msg317, + "48": msg83, + "49": msg84, + "5": select2, + "50": msg85, + "509": msg318, + "51": msg86, + "52": msg87, + "520": msg319, + "522": select91, + "523": msg323, + "524": select94, + "526": select97, + "53": msg88, + "534": msg401, + "537": select116, + "538": msg346, + "549": msg347, + "557": msg348, + "558": msg349, + "561": msg350, + "562": msg351, + "563": msg352, + "565": msg409, + "58": msg89, + "580": msg471, + "583": msg353, + "597": select117, + "598": select118, + "6": select3, + "60": msg90, + "602": select119, + "605": msg363, + "606": msg364, + "608": msg365, + "609": msg482, + "61": msg91, + "614": msg421, + "616": msg366, + "62": msg92, + "63": select34, + "64": msg95, + "65": msg96, + "654": msg455, + "657": select133, + "658": msg367, + "66": msg97, + "67": select35, + "670": msg456, + "68": msg100, + "69": msg101, + "7": msg6, + "70": select37, + "708": msg452, + "709": msg447, + "710": msg368, + "712": select123, + "713": select124, + "714": msg446, + "72": select38, + "73": msg106, + "74": msg107, + "748": msg422, + "75": msg108, + "76": msg109, + "760": select125, + "766": msg378, + "77": msg110, + "78": msg111, + "79": msg112, + "793": msg416, + "794": msg423, + "796": msg483, + "8": msg7, + "80": msg113, + "805": msg417, + "809": select137, + "81": msg114, + "82": select39, + "83": select40, + "84": msg122, + "860": select126, + "866": select128, + "867": select129, + "87": select42, + "88": select43, + "880": msg484, + "882": select130, + "884": msg457, + "888": select131, + "89": select45, + "892": msg389, + "9": msg8, + "90": msg129, + "904": msg390, + "905": msg391, + "906": msg392, + "907": msg393, + "908": msg394, + "909": msg395, + "91": msg130, + "910": msg479, + "914": msg396, + "92": msg131, + "93": msg132, + "931": msg397, + "935": msg420, + "94": msg133, + "95": msg134, + "96": msg135, + "97": select52, + "98": select65, + "986": msg155, + "99": msg158, + "994": msg402, + 
"995": msg404, + "997": msg405, + "998": select134, + "m": msg480, + "msg": msg436, + "src": msg437, + }), + ]); + + var part518 = match("MESSAGE#14:14:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part519 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + + var part520 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part521 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{} %{p0}"); + + var part522 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var part523 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); + + var part524 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part525 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); + + var part526 = match("MESSAGE#38:29:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); + + var part527 = match("MESSAGE#38:29:01/3_1", "nwparser.p0", "%{daddr->} "); + + var part528 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); + + var part529 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); + + var part530 = match("MESSAGE#54:36:01/2_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); + + var part531 = match("MESSAGE#54:36:01/2_1", "nwparser.p0", "%{saddr->} %{p0}"); + + var part532 = match("MESSAGE#54:36:01/3", "nwparser.p0", "%{}dst= %{p0}"); + + var part533 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part534 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); + + var part535 = match("MESSAGE#57:37:01/1_1", "nwparser.p0", "n=%{fld1->} src=%{p0}"); + + var part536 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); + + var part537 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + + var part538 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{} %{protocol->} npcs=%{info}"); + + var part539 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); + + var part540 = match("MESSAGE#62:38:01/5_1", "nwparser.p0", "rule=%{rule->} "); + + var part541 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} type= %{p0}"); + + var part542 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} type= %{p0}"); + + var part543 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{p0}"); + + var part544 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part545 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); + + var part546 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); + + var part547 = match("MESSAGE#135:97:01/7_1", "nwparser.p0", "dstname=%{name->} "); + + var part548 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part549 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{p0}"); + + var part550 = match("MESSAGE#140:97:06/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + + var part551 = match("MESSAGE#145:98/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); + + var part552 = match("MESSAGE#145:98/3_0", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + + var part553 = match("MESSAGE#147:98:01/4_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); + + var part554 = match("MESSAGE#147:98:01/4_2", "nwparser.p0", "%{saddr}dst=%{p0}"); + + var part555 = match("MESSAGE#147:98:01/6_1", 
"nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var part556 = match("MESSAGE#147:98:01/6_2", "nwparser.p0", " %{daddr->} %{p0}"); + + var part557 = match("MESSAGE#148:98:06/5_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + + var part558 = match("MESSAGE#148:98:06/5_3", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var part559 = match("MESSAGE#149:98:02/4", "nwparser.p0", "%{}proto=%{protocol}"); + + var part560 = match("MESSAGE#154:427/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); + + var part561 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part562 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} npcs= %{p0}"); + + var part563 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs= %{p0}"); + + var part564 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{} %{info}"); + + var part565 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note= %{p0}"); + + var part566 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note= %{p0}"); + + var part567 = match("MESSAGE#256:180:01/4", "nwparser.p0", "%{}\"%{fld3}\" npcs=%{info}"); + + var part568 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); + + var part569 = match("MESSAGE#260:194/1_0", "nwparser.p0", "sent=%{sbytes->} "); + + var part570 = match("MESSAGE#260:194/1_1", "nwparser.p0", " rcvd=%{rbytes}"); + + var part571 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); + + var part572 = match("MESSAGE#262:196/2", "nwparser.p0", "%{method}"); + + var part573 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} 
src=%{p0}"); + + var part574 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); + + var part575 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); + + var part576 = match("MESSAGE#302:401/1_1", "nwparser.p0", " %{space}"); + + var part577 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); + + var part578 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); + + var part579 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); + + var part580 = match("MESSAGE#318:522:01/4", "nwparser.p0", "%{}proto=%{protocol->} npcs=%{info}"); + + var part581 = match("MESSAGE#321:524/5_0", "nwparser.p0", "proto=%{protocol->} "); + + var part582 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part583 = match("MESSAGE#332:537:08/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} appName=\"%{application}\"n=%{p0}"); + + var part584 = match("MESSAGE#332:537:08/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); + + var part585 = match("MESSAGE#332:537:08/0_2", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51}n=%{p0}"); + + var part586 = match("MESSAGE#332:537:08/0_3", "nwparser.payload", "msg=\"%{event_description}\"n=%{p0}"); + + var part587 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); + + var part588 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", "%{fld1}src=%{p0}"); + + var part589 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); + + var part590 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + + var part591 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", " proto=%{protocol->} sent=%{p0}"); + + var 
part592 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); + + var part593 = match("MESSAGE#333:537:09/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} %{p0}"); + + var part594 = match("MESSAGE#333:537:09/5_1", "nwparser.p0", "%{sbytes->} %{p0}"); + + var part595 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", " spkt=%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); + + var part596 = match("MESSAGE#333:537:09/6_1", "nwparser.p0", "spkt=%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); + + var part597 = match("MESSAGE#333:537:09/6_2", "nwparser.p0", "spkt=%{fld3->} cdur=%{fld7->} "); + + var part598 = match("MESSAGE#333:537:09/6_3", "nwparser.p0", " spkt=%{fld3}"); + + var part599 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part600 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); + + var part601 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "%{fld2->} usr=\"%{username}\" %{p0}"); + + var part602 = match("MESSAGE#338:537:10/1_1", "nwparser.p0", "%{fld2->} %{p0}"); + + var part603 = match("MESSAGE#338:537:10/2", "nwparser.p0", "%{}src=%{p0}"); + + var part604 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part605 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); + + var part606 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info->} "); + + var part607 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12->} "); + + var part608 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part609 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part610 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{daddr}:%{dport->} 
srcMac=%{p0}"); + + var part611 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); + + var part612 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); + + var part613 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); + + var part614 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part615 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part616 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); + + var part617 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); + + var part618 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); + + var part619 = match("MESSAGE#366:712:02/5", "nwparser.p0", "%{fld51}"); + + var part620 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{p0}"); + + var part621 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part622 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{} %{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); + + var part623 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part624 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=%{p0}"); + + var part625 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{daddr}:%{dport->} note=%{p0}"); + + var part626 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); + + var part627 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); + + var part628 = match("MESSAGE#471:1369/1_1", "nwparser.p0", 
"%{protocol}fw_action=\"%{p0}"); + + var select162 = linear_select([ + dup8, + dup9, + ]); + + var select163 = linear_select([ + dup15, + dup16, + ]); + + var part629 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, + ])); + + var select164 = linear_select([ + dup25, + dup26, + ]); + + var select165 = linear_select([ + dup27, + dup28, + ]); + + var select166 = linear_select([ + dup34, + dup35, + ]); + + var select167 = linear_select([ + dup25, + dup39, + ]); + + var select168 = linear_select([ + dup41, + dup42, + ]); + + var select169 = linear_select([ + dup46, + dup47, + ]); + + var select170 = linear_select([ + dup49, + dup50, + ]); + + var part630 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup62, + ])); + + var part631 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup5, + ])); + + var select171 = linear_select([ + dup71, + dup75, + dup76, + ]); + + var select172 = linear_select([ + dup8, + dup25, + ]); + + var part632 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ + dup1, + ])); + + var select173 = linear_select([ + dup88, + dup89, + ]); + + var part633 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup5, + ])); + + var select174 = linear_select([ + dup92, + dup93, + ]); + + var select175 = linear_select([ + dup96, + dup97, + ]); + + var part634 = match("MESSAGE#277:252", "nwparser.payload", 
"msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup87, + ])); + + var part635 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup87, + ])); + + var part636 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup1, + ])); + + var part637 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, + ])); + + var part638 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, + ])); + + var select176 = linear_select([ + dup66, + dup108, + ]); + + var select177 = linear_select([ + dup110, + dup111, + ]); + + var select178 = linear_select([ + dup115, + dup45, + ]); + + var select179 = linear_select([ + dup8, + dup26, + ]); + + var select180 = linear_select([ + dup8, + dup25, + dup39, + ]); + + var select181 = linear_select([ + dup71, + dup15, + dup16, + ]); + + var select182 = linear_select([ + dup121, + dup122, + ]); + + var select183 = linear_select([ + dup68, + dup69, + dup74, + ]); + + var select184 = linear_select([ + dup127, + dup128, + ]); + + var select185 = linear_select([ + dup41, + dup42, + dup134, + ]); + + var select186 = linear_select([ + dup135, + dup136, + ]); + + var select187 = linear_select([ + dup138, + dup139, + ]); + + var select188 = linear_select([ + dup140, + dup141, + ]); + + var select189 = linear_select([ + dup49, + dup148, + ]); + + var part639 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup150, + ])); + + var select190 = linear_select([ + dup152, + dup40, + ]); + + var 
select191 = linear_select([ + dup154, + dup155, + ]); + + var select192 = linear_select([ + dup156, + dup157, + ]); + + var part640 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup5, + ])); + + var part641 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ + dup5, + ])); + + var part642 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ + dup5, + dup23, + ])); + + var part643 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, + ])); + + var part644 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + dup23, + ])); + + var part645 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup163, + dup37, + ])); + + var part646 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ + dup1, + ])); + + var select193 = linear_select([ + dup169, + dup170, + ]); + + var select194 = linear_select([ + dup172, + dup173, + ]); + + var part647 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup1, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ])); + + var all114 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var all115 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup85, + ]), + }); + + var all116 = 
all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup59, + ]), + }); + + var all117 = all_match({ + processors: [ + dup95, + dup192, + ], + on_success: processor_chain([ + dup59, + ]), + }); + + var all118 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup100, + ]), + }); + + var all119 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup29, + ]), + }); + + var all120 = all_match({ + processors: [ + dup102, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup103, + ]), + }); + + var all121 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup106, + ]), + }); + + var all122 = all_match({ + processors: [ + dup107, + dup198, + ], + on_success: processor_chain([ + dup87, + ]), + }); + + var all123 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup109, + ]), + }); + + var all124 = all_match({ + processors: [ + dup44, + dup179, + dup36, + dup178, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var all125 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup175, + dup79, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var all126 = all_match({ + processors: [ + dup151, + dup213, + dup153, + dup214, + dup215, + dup158, + ], + on_success: processor_chain([ + dup150, + dup51, + dup52, + dup53, + dup54, + dup37, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), + }); + + var all127 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup191, + dup94, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var all128 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), + }); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + 
fields: + ecs.version: 1.5.0 diff --git a/packages/sonicwall/0.1.0/dataset/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/sonicwall/0.1.0/dataset/firewall/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 0000000000..75670b6f44 --- /dev/null +++ b/packages/sonicwall/0.1.0/dataset/firewall/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,55 @@ +--- +description: Pipeline for Sonicwall-FW + +processors: + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/sonicwall/0.1.0/dataset/firewall/fields/base-fields.yml b/packages/sonicwall/0.1.0/dataset/firewall/fields/base-fields.yml new file mode 100644 index 0000000000..b294eaf20e --- /dev/null +++ b/packages/sonicwall/0.1.0/dataset/firewall/fields/base-fields.yml 
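Review bot: The `on_failure` handler at the end of the sonicwall `default.yml` hunk appends only `{{ _ingest.on_failure_message }}`, and none of the `user_agent`, `geoip` or `rename` processors carry a `tag`, so an event that fails enrichment cannot be traced back to the step that failed. Giving each processor a `tag:` and extending the append to `value: "{{ _ingest.on_failure_processor_type }}-{{ _ingest.on_failure_processor_tag }}: {{ _ingest.on_failure_message }}"` makes `error.message` actionable when investigating partially enriched firewall records. A short comment above `on_failure` noting that the document is still indexed (with the error recorded) rather than dropped would also help operators reading this pipeline.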
@@ -0,0 +1,26 @@ +- name: datastream.type + type: constant_keyword + description: Datastream type. +- name: datastream.dataset + type: constant_keyword + description: Datastream dataset. +- name: datastream.namespace + type: constant_keyword + description: Datastream namespace. + +- name: dataset.type + type: constant_keyword + description: > + Dataset type. +- name: dataset.name + type: constant_keyword + description: > + Dataset name. +- name: dataset.namespace + type: constant_keyword + description: > + Dataset namespace. +- name: "@timestamp" + type: date + description: > + Event timestamp. diff --git a/packages/sonicwall/0.1.0/dataset/firewall/fields/ecs.yml b/packages/sonicwall/0.1.0/dataset/firewall/fields/ecs.yml new file mode 100644 index 0000000000..92af91c339 --- /dev/null +++ b/packages/sonicwall/0.1.0/dataset/firewall/fields/ecs.yml 
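Review bot: The `base-fields.yml` hunk declares both a `datastream.*` and a `dataset.*` `constant_keyword` triplet with nothing indicating which naming is authoritative; the barracuda README change earlier in this diff adds the same pair, so this looks like a deliberate transition rather than a leftover, but a reader of this file alone cannot tell. A one-line comment above the `dataset.*` entries stating which of the two is canonical and why the other is retained would make the intent explicit. As a point of style, the `datastream.*` entries use inline `description:` values while the `dataset.*` and `@timestamp` entries use `>` folded scalars for equally short text; using one form throughout would be tidier.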
@@ -0,0 +1,836 @@ +- name: log + type: group + fields: + - name: original + level: core + type: keyword + ignore_above: 1024 + description: 'This is the original log message and contains the full log message + before splitting it up in multiple parts. + + In contrast to the `message` field which can contain an extracted part of the + log message, this field contains the original, full log message. It can have + already some modifications applied like encoding or new lines removed to clean + up the log message. + + This field is not indexed and doc_values are disabled so it can''t be queried + but the value can be retrieved from `_source`.' + example: Sep 19 08:26:10 localhost My log + - name: level + level: core + type: keyword + ignore_above: 1024 + description: 'Original log level of the log event. + + If the source of the event provides a log level or textual severity, this is + the one that goes in `log.level`. If your source doesn''t specify one, you may + put your event transport''s severity here (e.g. Syslog severity). + + Some examples are `warn`, `err`, `i`, `informational`.' + example: error + - name: syslog + type: group + fields: + - name: priority + level: extended + type: long + format: string + description: 'Syslog numeric priority of the event, if available. + + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. + This number is therefore expected to contain a value between 0 and 191.' + example: 135 + - name: facility + type: group + fields: + - name: code + level: extended + type: long + format: string + description: 'The Syslog numeric facility of the log event, if available. + + According to RFCs 5424 and 3164, this value should be an integer between + 0 and 23.' + example: 23 + - name: severity + type: group + fields: + - name: code + level: extended + type: long + description: 'The Syslog numeric severity of the log event, if available. 
+ + If the event source publishing via Syslog provides a different numeric severity + value (e.g. firewall, IDS), your source''s numeric severity should go to + `event.severity`. If the event source does not specify a distinct severity, + you can optionally copy the Syslog severity to `event.severity`.' + example: 3 +- name: event + type: group + fields: + - name: code + level: extended + type: keyword + ignore_above: 1024 + description: 'Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, regardless + of message language or wording adjustments over time. An example of this is + the Windows Event ID.' + example: 4648 + - name: action + level: core + type: keyword + ignore_above: 1024 + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is normally + defined by the implementer.' + example: user-password-change + - name: outcome + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + lowest level in the ECS category hierarchy. + + `event.outcome` simply denotes whether the event represents a success or a failure + from the perspective of the entity that produced the event. + + Note that when a single transaction is described in multiple events, each event + may populate different values of `event.outcome`, according to their perspective. + + Also note that in the case of a compound event (a single event that contains + multiple logical events), this field should be populated with the value that + best captures the overall success or failure from the perspective of the event + producer. + + Further note that not all events will have an associated outcome. 
For example, + this field is generally not populated for metric events, events with `event.type:info`, + or any events for which an outcome does not make logical sense.' + example: success + - name: category + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as a + subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + - name: timezone + level: extended + type: keyword + ignore_above: 1024 + description: 'This field should be populated when the event''s timestamp does + not include timezone information already (e.g. default Syslog timestamps). It''s + optional otherwise. + + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated + (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' +- name: '@timestamp' + level: core + required: true + type: date + description: 'Date/time when the event originated. + + This is the date/time extracted from the event, typically representing when the + event was generated by the source. + + If the event source has no original timestamp, this value is typically populated + by the first time the event was received by the pipeline. + + Required field for all events.' + example: '2016-05-23T08:05:34.853Z' +- name: user + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. 
+ example: albert + - name: full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifiers of the user. +- name: message + level: core + type: text + description: 'For log events the message field contains the log message, optimized + for viewing in a log viewer. + + For structured logs without an original message field, other fields can be concatenated + to form a human-readable summary of the event. + + If multiple messages exist, they can be combined into one message.' + example: Hello World +- name: source + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the source. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the source. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the source. + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. 
internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Source domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: host + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified + domain name, or a name specified by the user. The sender decides which value + to use.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. +- name: destination + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the destination. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the destination. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event destination addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. 
You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the destination to the source. + example: 184 + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the destination. + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of destination based NAT sessions (e.g. internet + to private DMZ) + + Typically used with load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Port the source session is translated to by NAT Device. + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Destination domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: network + type: group + fields: + - name: protocol + level: core + type: keyword + ignore_above: 1024 + description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: http + - name: application + level: extended + type: keyword + ignore_above: 1024 + description: 'A name given to an application level protocol. This can be arbitrarily + assigned for things like microservices, but also apply to things like skype, + icq, facebook, twitter. 
This would be used in situations where the vendor or + service can be decoded such as from the source/dest IP owners, ports, or wire + format. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: aim + - name: interface + type: group + fields: + - type: keyword + name: name + - name: bytes + level: core + type: long + format: bytes + description: 'Total bytes transferred in both directions. + + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their + sum.' + example: 368 + - name: direction + level: core + type: keyword + ignore_above: 1024 + description: "Direction of the network traffic.\nRecommended values are:\n *\ + \ inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen mapping\ + \ events from a host-based monitoring context, populate this field from the\ + \ host's point of view.\nWhen mapping events from a network or perimeter-based\ + \ monitoring context, populate this field from the point of view of your network\ + \ perimeter." + example: inbound + - name: packets + level: core + type: long + description: 'Total packets transferred in both directions. + + If `source.packets` and `destination.packets` are known, `network.packets` is + their sum.' + example: 24 + - name: forwarded_ip + level: core + type: ip + description: Host IP address when the source IP address is the proxy. + example: 192.1.1.2 +- name: observer + type: group + fields: + - name: version + level: core + type: keyword + ignore_above: 1024 + description: Observer version. + - name: product + level: extended + type: keyword + ignore_above: 1024 + description: The product name of the observer. + example: s200 + - name: ingress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. 
+ example: eth0 + default_field: false + - name: egress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. + example: eth0 + default_field: false +- name: file + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. + example: example.png + - name: directory + level: extended + type: keyword + ignore_above: 1024 + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + - name: size + level: extended + type: long + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: File type (file, dir, or symlink). + example: file + - name: extension + level: extended + type: keyword + ignore_above: 1024 + description: File extension. + example: png + - name: path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + - name: attributes + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' 
+ example: '["readonly", "system"]' + default_field: false +- name: url + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + - name: query + level: extended + type: keyword + ignore_above: 1024 + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there is + no query field. If there is a `?` but no query, the query field exists with + an empty string. The `exists` query can be used to differentiate between the + two cases.' + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field.' + example: www.elastic.co + - name: path + level: extended + type: keyword + ignore_above: 1024 + description: Path of the request, such as "/search". + - name: top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for google.com is "com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). 
Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.google.com" is "google.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: google.com +- name: service + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the service data is collected from. + + The name of the service is normally user given. This allows for distributed + services that run on multiple hosts to correlate the related instances based + on the name. + + In the case of Elasticsearch the `service.name` could contain the cluster name. + For Beats the `service.name` is by default a copy of the `service.type` field + if no name is specified.' + example: elasticsearch-metrics +- name: server + type: group + fields: + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Server domain. +- name: process + type: group + fields: + - name: pid + level: core + type: long + format: string + description: Process id. + example: 4242 + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + - name: ppid + level: extended + type: long + format: string + description: Parent process' pid. 
+ example: 4241 + - name: parent + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' +- name: rule + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: The name of the rule or signature generating the event. + example: BLOCK_DNS_over_TLS + default_field: false +- name: user_agent + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Unparsed user_agent string. + example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 + (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 +- name: http + type: group + fields: + - name: response + type: group + fields: + - name: body + type: group + fields: + - name: content + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: The full HTTP response body. 
+ example: Hello world + - name: request + type: group + fields: + - name: referrer + level: extended + type: keyword + ignore_above: 1024 + description: Referrer for this HTTP request. + example: https://blog.example.com/ + - name: method + level: extended + type: keyword + ignore_above: 1024 + description: 'HTTP request method. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: get, post, put +- name: geo + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + - name: region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec +- name: dns + type: group + fields: + - name: question + type: group + fields: + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of record being queried. + example: AAAA + - name: answers + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'The domain name to which this resource record pertains. + + If a chain of CNAME is being resolved, each answer''s `name` should be the + one that corresponds with the answer''s `data`. It should not simply be the + original `question.name` repeated.' + example: www.google.com + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of data contained in this resource record. 
+ example: CNAME
diff --git a/packages/sonicwall/0.1.0/dataset/firewall/fields/fields.yml b/packages/sonicwall/0.1.0/dataset/firewall/fields/fields.yml
new file mode 100644
index 0000000000..2abc947fe7
--- /dev/null
+++ b/packages/sonicwall/0.1.0/dataset/firewall/fields/fields.yml
@@ -0,0 +1,1939 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. 
+ - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1
+ type: keyword
+ description: This key is used to capture a Linked (Related) Session ID from
+ the session directly
+ - name: comp_version
+ type: keyword
+ description: This key captures the Version level of a sub-component of a product.
+ - name: content_version
+ type: keyword
+ description: This key captures Version level of a signature or database content.
+ - name: hardware_id
+ type: keyword
+ description: This key is used to capture unique identifier for a device or system
+ (NOT a Mac address)
+ - name: risk
+ type: keyword
+ description: This key captures the non-numeric risk value
+ - name: event_id
+ type: keyword
+ - name: reason
+ type: keyword
+ - name: status
+ type: keyword
+ - name: mail_id
+ type: keyword
+ description: This key is used to capture the mailbox id/name
+ - name: rule_uid
+ type: keyword
+ description: This key is the Unique Identifier for a rule.
+ - name: trigger_desc
+ type: keyword
+ description: This key captures the Description of the trigger or threshold condition.
+ - name: inout
+ type: keyword
+ - name: p_msgid
+ type: keyword
+ - name: data_type
+ type: keyword
+ - name: msgIdPart4
+ type: keyword
+ - name: error
+ type: keyword
+ description: This key captures All non successful Error codes or responses
+ - name: index
+ type: keyword
+ - name: listnum
+ type: keyword
+ description: This key is used to capture listname or listnumber, primarily for
+ collecting access-list
+ - name: ntype
+ type: keyword
+ - name: observed_val
+ type: keyword
+ description: This key captures the Value observed (from the perspective of the
+ device generating the log).
+ - name: policy_value
+ type: keyword
+ description: This key captures the contents of the policy. This contains details
+ about the policy
+ - name: pool_name
+ type: keyword
+ description: This key captures the name of a resource pool
+ - name: rule_template
+ type: keyword
+ description: A default set of parameters which are overlayed onto a rule (or
+ rulename) which efffectively constitutes a template
+ - name: count
+ type: keyword
+ - name: number
+ type: keyword
+ - name: sigcat
+ type: keyword
+ - name: type
+ type: keyword
+ - name: comments
+ type: keyword
+ description: Comment information provided in the log message
+ - name: doc_number
+ type: long
+ description: This key captures File Identification number
+ - name: expected_val
+ type: keyword
+ description: This key captures the Value expected (from the perspective of the
+ device generating the log).
+ - name: job_num
+ type: keyword
+ description: This key captures the Job Number
+ - name: spi_dst
+ type: keyword
+ description: Destination SPI Index
+ - name: spi_src
+ type: keyword
+ description: Source SPI Index
+ - name: code
+ type: keyword
+ - name: agent_id
+ type: keyword
+ description: This key is used to capture agent id
+ - name: message_body
+ type: keyword
+ description: This key captures the The contents of the message body.
+ - name: phone
+ type: keyword
+ - name: sig_id_str
+ type: keyword
+ description: This key captures a string object of the sigid variable.
+ - name: cmd
+ type: keyword
+ - name: misc
+ type: keyword
+ - name: name
+ type: keyword
+ - name: cpu
+ type: long
+ description: This key is the CPU time used in the execution of the event being
+ recorded.
+ - name: event_desc
+ type: keyword
+ description: This key is used to capture a description of an event available
+ directly or inferred
+ - name: sig_id1
+ type: long
+ description: This key captures IDS/IPS Int Signature ID. This must be linked
+ to the sig.id
+ - name: im_buddyid
+ type: keyword
+ - name: im_client
+ type: keyword
+ - name: im_userid
+ type: keyword
+ - name: pid
+ type: keyword
+ - name: priority
+ type: keyword
+ - name: context_subject
+ type: keyword
+ description: This key is to be used in an audit context where the subject is
+ the object being identified
+ - name: context_target
+ type: keyword
+ - name: cve
+ type: keyword
+ description: This key captures CVE (Common Vulnerabilities and Exposures) -
+ an identifier for known information security vulnerabilities.
+ - name: fcatnum
+ type: keyword
+ description: This key captures Filter Category Number. Legacy Usage
+ - name: library
+ type: keyword
+ description: This key is used to capture library information in mainframe devices
+ - name: parent_node
+ type: keyword
+ description: This key captures the Parent Node Name. Must be related to node
+ variable.
+ - name: risk_info
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: tcp_flags
+ type: long
+ description: This key is captures the TCP flags set in any packet of session
+ - name: tos
+ type: long
+ description: This key describes the type of service
+ - name: vm_target
+ type: keyword
+ description: VMWare Target **VMWARE** only varaible.
+ - name: workspace
+ type: keyword
+ description: This key captures Workspace Description
+ - name: command
+ type: keyword
+ - name: event_category
+ type: keyword
+ - name: facilityname
+ type: keyword
+ - name: forensic_info
+ type: keyword
+ - name: jobname
+ type: keyword
+ - name: mode
+ type: keyword
+ - name: policy
+ type: keyword
+ - name: policy_waiver
+ type: keyword
+ - name: second
+ type: keyword
+ - name: space1
+ type: keyword
+ - name: subcategory
+ type: keyword
+ - name: tbdstr2
+ type: keyword
+ - name: alert_id
+ type: keyword
+ description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: checksum_dst
+ type: keyword
+ description: This key is used to capture the checksum or hash of the the target
+ entity such as a process or file.
+ - name: checksum_src
+ type: keyword
+ description: This key is used to capture the checksum or hash of the source
+ entity such as a file or process.
+ - name: fresult
+ type: long
+ description: This key captures the Filter Result
+ - name: payload_dst
+ type: keyword
+ description: This key is used to capture destination payload
+ - name: payload_src
+ type: keyword
+ description: This key is used to capture source payload
+ - name: pool_id
+ type: keyword
+ description: This key captures the identifier (typically numeric field) of a
+ resource pool
+ - name: process_id_val
+ type: keyword
+ description: This key is a failure key for Process ID when it is not an integer
+ value
+ - name: risk_num_comm
+ type: double
+ description: This key captures Risk Number Community
+ - name: risk_num_next
+ type: double
+ description: This key captures Risk Number NextGen
+ - name: risk_num_sand
+ type: double
+ description: This key captures Risk Number SandBox
+ - name: risk_num_static
+ type: double
+ description: This key captures Risk Number Static
+ - name: risk_suspicious
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: risk_warning
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: snmp_oid
+ type: keyword
+ description: SNMP Object Identifier
+ - name: sql
+ type: keyword
+ description: This key captures the SQL query
+ - name: vuln_ref
+ type: keyword
+ description: This key captures the Vulnerability Reference details
+ - name: acl_id
+ type: keyword
+ - name: acl_op
+ type: keyword
+ - name: acl_pos
+ type: keyword
+ - name: acl_table
+ type: keyword
+ - name: admin
+ type: keyword
+ - name: alarm_id
+ type: keyword
+ - name: alarmname
+ type: keyword
+ - name: app_id
+ type: keyword
+ - name: audit
+ type: keyword
+ - name: audit_object
+ type: keyword
+ - name: auditdata
+ type: keyword
+ - name: benchmark
+ type: keyword
+ - name: bypass
+ type: keyword
+ - name: cache
+ type: keyword
+ - name: cache_hit
+ type: keyword
+ - name: cefversion
+ type: keyword
+ - name: cfg_attr
+ type: keyword
+ - name: cfg_obj
+ type: keyword
+ - name: cfg_path
+ type: keyword
+ - name: changes
+ type: keyword
+ - name: client_ip
+ type: keyword
+ - name: clustermembers
+ type: keyword
+ - name: cn_acttimeout
+ type: keyword
+ - name: cn_asn_src
+ type: keyword
+ - name: cn_bgpv4nxthop
+ type: keyword
+ - name: cn_ctr_dst_code
+ type: keyword
+ - name: cn_dst_tos
+ type: keyword
+ - name: cn_dst_vlan
+ type: keyword
+ - name: cn_engine_id
+ type: keyword
+ - name: cn_engine_type
+ type: keyword
+ - name: cn_f_switch
+ type: keyword
+ - name: cn_flowsampid
+ type: keyword
+ - name: cn_flowsampintv
+ type: keyword
+ - name: cn_flowsampmode
+ type: keyword
+ - name: cn_inacttimeout
+ type: keyword
+ - name: cn_inpermbyts
+ type: keyword
+ - name: cn_inpermpckts
+ type: keyword
+ - name: cn_invalid
+ type: keyword
+ - name: cn_ip_proto_ver
+ type: keyword
+ - name: cn_ipv4_ident
+ type: keyword
+ - name: cn_l_switch
+ type: keyword
+ - name: cn_log_did
+ type: keyword
+ - name: cn_log_rid
+ type: keyword
+ - name: cn_max_ttl
+ type: keyword
+ - name: cn_maxpcktlen
+ type: keyword
+ - name: cn_min_ttl
+ type: keyword
+ - name: cn_minpcktlen
+ type: keyword
+ - name: cn_mpls_lbl_1
+ type: keyword
+ - name: cn_mpls_lbl_10
+ type: keyword
+ - name: cn_mpls_lbl_2
+ type: keyword
+ - name: cn_mpls_lbl_3
+ type: keyword
+ - name: cn_mpls_lbl_4
+ type: keyword
+ - name: cn_mpls_lbl_5
+ type: keyword
+ - name: cn_mpls_lbl_6
+ type: keyword
+ - name: cn_mpls_lbl_7
+ type: keyword
+ - name: cn_mpls_lbl_8
+ type: keyword
+ - name: cn_mpls_lbl_9
+ type: keyword
+ - name: cn_mplstoplabel
+ type: keyword
+ - name: cn_mplstoplabip
+ type: keyword
+ - name: cn_mul_dst_byt
+ type: keyword
+ - name: cn_mul_dst_pks
+ type: keyword
+ - name: cn_muligmptype
+ type: keyword
+ - name: cn_sampalgo
+ type: keyword
+ - name: cn_sampint
+ type: keyword
+ - name: cn_seqctr
+ type: keyword
+ - name: cn_spackets
+ type: keyword
+ - name: cn_src_tos
+ type: keyword
+ - name: cn_src_vlan
+ type: keyword
+ - name: cn_sysuptime
+ type: keyword
+ - name: cn_template_id
+ type: keyword
+ - name: cn_totbytsexp
+ type: keyword
+ - name: cn_totflowexp
+ type: keyword
+ - name: cn_totpcktsexp
+ type: keyword
+ - name: cn_unixnanosecs
+ type: keyword
+ - name: cn_v6flowlabel
+ type: keyword
+ - name: cn_v6optheaders
+ type: keyword
+ - name: comp_class
+ type: keyword
+ - name: comp_name
+ type: keyword
+ - name: comp_rbytes
+ type: keyword
+ - name: comp_sbytes
+ type: keyword
+ - name: cpu_data
+ type: keyword
+ - name: criticality
+ type: keyword
+ - name: cs_agency_dst
+ type: keyword
+ - name: cs_analyzedby
+ type: keyword
+ - name: cs_av_other
+ type: keyword
+ - name: cs_av_primary
+ type: keyword
+ - name: cs_av_secondary
+ type: keyword
+ - name: cs_bgpv6nxthop
+ type: keyword
+ - name: cs_bit9status
+ type: keyword
+ - name: cs_context
+ type: keyword
+ - name: cs_control
+ type: keyword
+ - name: cs_data
+ type: keyword
+ - name: cs_datecret
+ type: keyword
+ - name: cs_dst_tld
+ type: keyword
+ - name: cs_eth_dst_ven
+ type: keyword
+ - name: cs_eth_src_ven
+ type: keyword
+ - name: cs_event_uuid
+ type: keyword
+ - name: cs_filetype
+ type: keyword
+ - name: cs_fld
+ type: keyword
+ - name: cs_if_desc
+ type: keyword
+ - name: cs_if_name
+ type: keyword
+ - name: cs_ip_next_hop
+ type: keyword
+ - name: cs_ipv4dstpre
+ type: keyword
+ - name: cs_ipv4srcpre
+ type: keyword
+ - name: cs_lifetime
+ type: keyword
+ - name: cs_log_medium
+ type: keyword
+ - name: cs_loginname
+ type: keyword
+ - name: cs_modulescore
+ type: keyword
+ - name: cs_modulesign
+ type: keyword
+ - name: cs_opswatresult
+ type: keyword
+ - name: cs_payload
+ type: keyword
+ - name: cs_registrant
+ type: keyword
+ - name: cs_registrar
+ type: keyword
+ - name: cs_represult
+ type: keyword
+ - name: cs_rpayload
+ type: keyword
+ - name: cs_sampler_name
+ type: keyword
+ - name: cs_sourcemodule
+ type: keyword
+ - name: cs_streams
+ type: keyword
+ - name: cs_targetmodule
+ type: keyword
+ - name: cs_v6nxthop
+ type: keyword
+ - name: cs_whois_server
+ type: keyword
+ - name: cs_yararesult
+ type: keyword
+ - name: description
+ type: keyword
+ - name: devvendor
+ type: keyword
+ - name: distance
+ type: keyword
+ - name: dstburb
+ type: keyword
+ - name: edomain
+ type: keyword
+ - name: edomaub
+ type: keyword
+ - name: euid
+ type: keyword
+ - name: facility
+ type: keyword
+ - name: finterface
+ type: keyword
+ - name: flags
+ type: keyword
+ - name: gaddr
+ type: keyword
+ - name: id3
+ type: keyword
+ - name: im_buddyname
+ type: keyword
+ - name: im_croomid
+ type: keyword
+ - name: im_croomtype
+ type: keyword
+ - name: im_members
+ type: keyword
+ - name: im_username
+ type: keyword
+ - name: ipkt
+ type: keyword
+ - name: ipscat
+ type: keyword
+ - name: ipspri
+ type: keyword
+ - name: latitude
+ type: keyword
+ - name: linenum
+ type: keyword
+ - name: list_name
+ type: keyword
+ - name: load_data
+ type: keyword
+ - name: location_floor
+ type: keyword
+ - name: location_mark
+ type: keyword
+ - name: log_id
+ type: keyword
+ - name: log_type
+ type: keyword
+ - name: logid
+ type: keyword
+ - name: logip
+ type: keyword
+ - name: logname
+ type: keyword
+ - name: longitude
+ type: keyword
+ - name: lport
+ type: keyword
+ - name: mbug_data
+ type: keyword
+ - name: misc_name
+ type: keyword
+ - name: msg_type
+ type: keyword
+ - name: msgid
+ type: keyword
+ - name: netsessid
+ type: keyword
+ - name: num
+ type: keyword
+ - name: number1
+ type: keyword
+ - name: number2
+ type: keyword
+ - name: nwwn
+ type: keyword
+ - name: object
+ type: keyword
+ - name: operation
+ type: keyword
+ - name: opkt
+ type: keyword
+ - name: orig_from
+ type: keyword
+ - name: owner_id
+ type: keyword
+ - name: p_action
+ type: keyword
+ - name: p_filter
+ type: keyword
+ - name: p_group_object
+ type: keyword
+ - name: p_id
+ type: keyword
+ - name: p_msgid1
+ type: keyword
+ - name: p_msgid2
+ type: keyword
+ - name: p_result1
+ type: keyword
+ - name: password_chg
+ type: keyword
+ - name: password_expire
+ type: keyword
+ - name: permgranted
+ type: keyword
+ - name: permwanted
+ type: keyword
+ - name: pgid
+ type: keyword
+ - name: policyUUID
+ type: keyword
+ - name: prog_asp_num
+ type: keyword
+ - name: program
+ type: keyword
+ - name: real_data
+ type: keyword
+ - name: rec_asp_device
+ type: keyword
+ - name: rec_asp_num
+ type: keyword
+ - name: rec_library
+ type: keyword
+ - name: recordnum
+ type: keyword
+ - name: ruid
+ type: keyword
+ - name: sburb
+ type: keyword
+ - name: sdomain_fld
+ type: keyword
+ - name: sec
+ type: keyword
+ - name: sensorname
+ type: keyword
+ - name: seqnum
+ type: keyword
+ - name: session
+ type: keyword
+ - name: sessiontype
+ type: keyword
+ - name: sigUUID
+ type: keyword
+ - name: spi
+ type: keyword
+ - name: srcburb
+ type: keyword
+ - name: srcdom
+ type: keyword
+ - name: srcservice
+ type: keyword
+ - name: state
+ type: keyword
+ - name: status1
+ type: keyword
+ - name: svcno
+ type: keyword
+ - name: system
+ type: keyword
+ - name: tbdstr1
+ type: keyword
+ - name: tgtdom
+ type: keyword
+ - name: tgtdomain
+ type: keyword
+ - name: threshold
+ type: keyword
+ - name: type1
+ type: keyword
+ - name: udb_class
+ type: keyword
+ - name: url_fld
+ type: keyword
+ - name: user_div
+ type: keyword
+ - name: userid
+ type: keyword
+ - name: username_fld
+ type: keyword
+ - name: utcstamp
+ type: keyword
+ - name: v_instafname
+ type: keyword
+ - name: virt_data
+ type: keyword
+ - name: vpnid
+ type: keyword
+ - name: autorun_type
+ type: keyword
+ description: This is used to capture Auto Run type
+ - name: cc_number
+ type: long
+ description: Valid Credit Card Numbers only
+ - name: content
+ type: keyword
+ description: This key captures the content type from protocol headers
+ - name: ein_number
+ type: long
+ description: Employee Identification Numbers only
+ - name: found
+ type: keyword
+ description: This is used to capture the results of regex match
+ - name: language
+ type: keyword
+ description: This is used to capture list of languages the client support and
+ what it prefers
+ - name: lifetime
+ type: long
+ description: This key is used to capture the session lifetime in seconds.
+ - name: link
+ type: keyword
+ description: This key is used to link the sessions together. This key should
+ never be used to parse Meta data from a session (Logs/Packets) Directly, this
+ is a Reserved key in NetWitness
+ - name: match
+ type: keyword
+ description: This key is for regex match name from search.ini
+ - name: param_dst
+ type: keyword
+ description: This key captures the command line/launch argument of the target
+ process or file
+ - name: param_src
+ type: keyword
+ description: This key captures source parameter
+ - name: search_text
+ type: keyword
+ description: This key captures the Search Text used
+ - name: sig_name
+ type: keyword
+ description: This key is used to capture the Signature Name only.
+ - name: snmp_value
+ type: keyword
+ description: SNMP set request value
+ - name: streams
+ type: long
+ description: This key captures number of streams in session
+ - name: db
+ type: group
+ fields:
+ - name: index
+ type: keyword
+ description: This key captures IndexID of the index.
+ - name: instance
+ type: keyword
+ description: This key is used to capture the database server instance name
+ - name: database
+ type: keyword
+ description: This key is used to capture the name of a database or an instance
+ as seen in a session
+ - name: transact_id
+ type: keyword
+ description: This key captures the SQL transantion ID of the current session
+ - name: permissions
+ type: keyword
+ description: This key captures permission or privilege level assigned to a resource.
+ - name: table_name
+ type: keyword
+ description: This key is used to capture the table name
+ - name: db_id
+ type: keyword
+ description: This key is used to capture the unique identifier for a database
+ - name: db_pid
+ type: long
+ description: This key captures the process id of a connection with database
+ server
+ - name: lread
+ type: long
+ description: This key is used for the number of logical reads
+ - name: lwrite
+ type: long
+ description: This key is used for the number of logical writes
+ - name: pread
+ type: long
+ description: This key is used for the number of physical writes
+ - name: network
+ type: group
+ fields:
+ - name: alias_host
+ type: keyword
+ description: This key should be used when the source or destination context
+ of a hostname is not clear.Also it captures the Device Hostname. Any Hostname
+ that isnt ad.computer.
+ - name: domain
+ type: keyword
+ - name: host_dst
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Hostname"
+ - name: network_service
+ type: keyword
+ description: This is used to capture layer 7 protocols/service names
+ - name: interface
+ type: keyword
+ description: This key should be used when the source or destination context
+ of an interface is not clear
+ - name: network_port
+ type: long
+ description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
+ used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
+ - name: eth_host
+ type: keyword
+ description: Deprecated, use alias.mac
+ - name: sinterface
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Interface"
+ - name: dinterface
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Interface"
+ - name: vlan
+ type: long
+ description: This key should only be used to capture the ID of the Virtual LAN
+ - name: zone_src
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Zone."
+ - name: zone
+ type: keyword
+ description: This key should be used when the source or destination context
+ of a Zone is not clear
+ - name: zone_dst
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Zone."
+ - name: gateway
+ type: keyword
+ description: This key is used to capture the IP Address of the gateway
+ - name: icmp_type
+ type: long
+ description: This key is used to capture the ICMP type only
+ - name: mask
+ type: keyword
+ description: This key is used to capture the device network IPmask.
+ - name: icmp_code
+ type: long
+ description: This key is used to capture the ICMP code only
+ - name: protocol_detail
+ type: keyword
+ description: This key should be used to capture additional protocol information
+ - name: dmask
+ type: keyword
+ description: This key is used for Destionation Device network mask
+ - name: port
+ type: long
+ description: This key should only be used to capture a Network Port when the
+ directionality is not clear
+ - name: smask
+ type: keyword
+ description: This key is used for capturing source Network Mask
+ - name: netname
+ type: keyword
+ description: This key is used to capture the network name associated with an
+ IP range. This is configured by the end user.
+ - name: paddr
+ type: ip
+ description: Deprecated
+ - name: faddr
+ type: keyword
+ - name: lhost
+ type: keyword
+ - name: origin
+ type: keyword
+ - name: remote_domain_id
+ type: keyword
+ - name: addr
+ type: keyword
+ - name: dns_a_record
+ type: keyword
+ - name: dns_ptr_record
+ type: keyword
+ - name: fhost
+ type: keyword
+ - name: fport
+ type: keyword
+ - name: laddr
+ type: keyword
+ - name: linterface
+ type: keyword
+ - name: phost
+ type: keyword
+ - name: ad_computer_dst
+ type: keyword
+ description: Deprecated, use host.dst
+ - name: eth_type
+ type: long
+ description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
+ Only
+ - name: ip_proto
+ type: long
+ description: This key should be used to capture the Protocol number, all the
+ protocol nubers are converted into string in UI
+ - name: dns_cname_record
+ type: keyword
+ - name: dns_id
+ type: keyword
+ - name: dns_opcode
+ type: keyword
+ - name: dns_resp
+ type: keyword
+ - name: dns_type
+ type: keyword
+ - name: domain1
+ type: keyword
+ - name: host_type
+ type: keyword
+ - name: packet_length
+ type: keyword
+ - name: host_orig
+ type: keyword
+ description: This is used to capture the original hostname in case of a Forwarding
+ Agent or a Proxy in between.
+ - name: rpayload
+ type: keyword
+ description: This key is used to capture the total number of payload bytes seen
+ in the retransmitted packets.
+ - name: vlan_name
+ type: keyword
+ description: This key should only be used to capture the name of the Virtual
+ LAN
+ - name: investigations
+ type: group
+ fields:
+ - name: ec_activity
+ type: keyword
+ description: This key captures the particular event activity(Ex:Logoff)
+ - name: ec_theme
+ type: keyword
+ description: This key captures the Theme of a particular Event(Ex:Authentication)
+ - name: ec_subject
+ type: keyword
+ description: This key captures the Subject of a particular Event(Ex:User)
+ - name: ec_outcome
+ type: keyword
+ description: This key captures the outcome of a particular Event(Ex:Success)
+ - name: event_cat
+ type: long
+ description: This key captures the Event category number
+ - name: event_cat_name
+ type: keyword
+ description: This key captures the event category name corresponding to the
+ event cat code
+ - name: event_vcat
+ type: keyword
+ description: This is a vendor supplied category. This should be used in situations
+ where the vendor has adopted their own event_category taxonomy.
+ - name: analysis_file
+ type: keyword
+ description: This is used to capture all indicators used in a File Analysis.
+ This key should be used to capture an analysis of a file
+ - name: analysis_service
+ type: keyword
+ description: This is used to capture all indicators used in a Service Analysis.
+ This key should be used to capture an analysis of a service
+ - name: analysis_session
+ type: keyword
+ description: This is used to capture all indicators used for a Session Analysis.
+ This key should be used to capture an analysis of a session
+ - name: boc
+ type: keyword
+ description: This is used to capture behaviour of compromise
+ - name: eoc
+ type: keyword
+ description: This is used to capture Enablers of Compromise
+ - name: inv_category
+ type: keyword
+ description: This used to capture investigation category
+ - name: inv_context
+ type: keyword
+ description: This used to capture investigation context
+ - name: ioc
+ type: keyword
+ description: This is key capture indicator of compromise
+ - name: counters
+ type: group
+ fields:
+ - name: dclass_c1
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c1.str only
+ - name: dclass_c2
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c2.str only
+ - name: event_counter
+ type: long
+ description: This is used to capture the number of times an event repeated
+ - name: dclass_r1
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r1.str only
+ - name: dclass_c3
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c3.str only
+ - name: dclass_c1_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c1 only
+ - name: dclass_c2_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c2 only
+ - name: dclass_r1_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r1 only
+ - name: dclass_r2
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r2.str only
+ - name: dclass_c3_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c3 only
+ - name: dclass_r3
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r3.str only
+ - name: dclass_r2_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r2 only
+ - name: dclass_r3_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r3 only
+ - name: identity
+ type: group
+ fields:
+ - name: auth_method
+ type: keyword
+ description: This key is used to capture authentication methods used only
+ - name: user_role
+ type: keyword
+ description: This key is used to capture the Role of a user only
+ - name: dn
+ type: keyword
+ description: X.500 (LDAP) Distinguished Name
+ - name: logon_type
+ type: keyword
+ description: This key is used to capture the type of logon method used.
+ - name: profile
+ type: keyword
+ description: This key is used to capture the user profile
+ - name: accesses
+ type: keyword
+ description: This key is used to capture actual privileges used in accessing
+ an object
+ - name: realm
+ type: keyword
+ description: Radius realm or similar grouping of accounts
+ - name: user_sid_dst
+ type: keyword
+ description: This key captures Destination User Session ID
+ - name: dn_src
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that is used in a context that
+ indicates a Source dn
+ - name: org
+ type: keyword
+ description: This key captures the User organization
+ - name: dn_dst
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that used in a context that
+ indicates a Destination dn
+ - name: firstname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: lastname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: user_dept
+ type: keyword
+ description: User's Department Names only
+ - name: user_sid_src
+ type: keyword
+ description: This key captures Source User Session ID
+ - name: federated_sp
+ type: keyword
+ description: This key is the Federated Service Provider. This is the application
+ requesting authentication.
+ - name: federated_idp
+ type: keyword
+ description: This key is the federated Identity Provider. This is the server
+ providing the authentication.
+ - name: logon_type_desc
+ type: keyword
+ description: This key is used to capture the textual description of an integer
+ logon type as stored in the meta key 'logon.type'.
+ - name: middlename
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: password
+ type: keyword
+ description: This key is for Passwords seen in any session, plain text or encrypted
+ - name: host_role
+ type: keyword
+ description: This key should only be used to capture the role of a Host Machine
+ - name: ldap
+ type: keyword
+ description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
+ t have a clear query or response context"
+ - name: ldap_query
+ type: keyword
+ description: This key is the Search criteria from an LDAP search
+ - name: ldap_response
+ type: keyword
+ description: This key is to capture Results from an LDAP search
+ - name: owner
+ type: keyword
+ description: This is used to capture username the process or service is running
+ as, the author of the task
+ - name: service_account
+ type: keyword
+ description: This key is a windows specific key, used for capturing name of
+ the account a service (referenced in the event) is running under. Legacy Usage
+ - name: email
+ type: group
+ fields:
+ - name: email_dst
+ type: keyword
+ description: This key is used to capture the Destination email address only,
+ when the destination context is not clear use email
+ - name: email_src
+ type: keyword
+ description: This key is used to capture the source email address only, when
+ the source context is not clear use email
+ - name: subject
+ type: keyword
+ description: This key is used to capture the subject string from an Email only.
+ - name: email
+ type: keyword
+ description: This key is used to capture a generic email address where the source
+ or destination context is not clear
+ - name: trans_from
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: trans_to
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: file
+ type: group
+ fields:
+ - name: privilege
+ type: keyword
+ description: Deprecated, use permissions
+ - name: attachment
+ type: keyword
+ description: This key captures the attachment file name
+ - name: filesystem
+ type: keyword
+ - name: binary
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: filename_dst
+ type: keyword
+ description: This is used to capture name of the file targeted by the action
+ - name: filename_src
+ type: keyword
+ description: This is used to capture name of the parent filename, the file which
+ performed the action
+ - name: filename_tmp
+ type: keyword
+ - name: directory_dst
+ type: keyword
+ description: This key is used to capture the directory of the target process
+ or file
+ - name: directory_src
+ type: keyword
+ description: This key is used to capture the directory of the source process
+ or file
+ - name: file_entropy
+ type: double
+ description: This is used to capture entropy vale of a file
+ - name: file_vendor
+ type: keyword
+ description: This is used to capture Company name of file located in version_info
+ - name: task_name
+ type: keyword
+ description: This is used to capture name of the task
+ - name: web
+ type: group
+ fields:
+ - name: fqdn
+ type: keyword
+ description: Fully Qualified Domain Names
+ - name: web_cookie
+ type: keyword
+ description: This key is used to capture the Web cookies specifically.
+ - name: alias_host
+ type: keyword
+ - name: reputation_num
+ type: double
+ description: Reputation Number of an entity. Typically used for Web Domains
+ - name: web_ref_domain
+ type: keyword
+ description: Web referer's domain
+ - name: web_ref_query
+ type: keyword
+ description: This key captures Web referer's query portion of the URL
+ - name: remote_domain
+ type: keyword
+ - name: web_ref_page
+ type: keyword
+ description: This key captures Web referer's page information
+ - name: web_ref_root
+ type: keyword
+ description: Web referer's root URL path
+ - name: cn_asn_dst
+ type: keyword
+ - name: cn_rpackets
+ type: keyword
+ - name: urlpage
+ type: keyword
+ - name: urlroot
+ type: keyword
+ - name: p_url
+ type: keyword
+ - name: p_user_agent
+ type: keyword
+ - name: p_web_cookie
+ type: keyword
+ - name: p_web_method
+ type: keyword
+ - name: p_web_referer
+ type: keyword
+ - name: web_extension_tmp
+ type: keyword
+ - name: web_page
+ type: keyword
+ - name: threat
+ type: group
+ fields:
+ - name: threat_category
+ type: keyword
+ description: This key captures Threat Name/Threat Category/Categorization of
+ alert
+ - name: threat_desc
+ type: keyword
+ description: This key is used to capture the threat description from the session
+ directly or inferred
+ - name: alert
+ type: keyword
+ description: This key is used to capture name of the alert
+ - name: threat_source
+ type: keyword
+ description: This key is used to capture source of the threat
+ - name: crypto
+ type: group
+ fields:
+ - name: crypto
+ type: keyword
+ description: This key is used to capture the Encryption Type or Encryption Key
+ only
+ - name: cipher_src
+ type: keyword
+ description: This key is for Source (Client) Cipher
+ - name: cert_subject
+ type: keyword
+ description: This key is used to capture the Certificate organization only
+ - name: peer
+ type: keyword
+ description: This key is for Encryption peer's IP Address
+ - name: cipher_size_src
+ type: long
+ description: This key captures Source (Client) Cipher Size
+ - name: ike
+ type: keyword
+ description: IKE negotiation phase.
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/packages/sonicwall/0.1.0/dataset/firewall/manifest.yml b/packages/sonicwall/0.1.0/dataset/firewall/manifest.yml new file mode 100644 index 0000000000..40b1a2239d --- /dev/null +++ b/packages/sonicwall/0.1.0/dataset/firewall/manifest.yml 
@@ -0,0 +1,155 @@
+title: Sonicwall-FW logs
+release: experimental
+type: logs
+streams:
+- input: udp
+ title: Sonicwall-FW logs
+ description: Collect Sonicwall-FW logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - sonicwall-firewall
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9518
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: tcp
+ title: Sonicwall-FW logs
+ description: Collect Sonicwall-FW logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - sonicwall-firewall
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9518
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: file
+ title: Sonicwall-FW logs
+ description: Collect Sonicwall-FW logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/sonicwall-firewall.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - sonicwall-firewall
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
diff --git a/packages/sonicwall/0.1.0/docs/README.md b/packages/sonicwall/0.1.0/docs/README.md
new file mode 100644
index 0000000000..4b3c66eff3
--- /dev/null
+++ b/packages/sonicwall/0.1.0/docs/README.md
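Review bot: The `tcp` stream exposes only `tcp_host` and `tcp_port`, so an operator has no way to enable TLS on the listener and firewall syslog — which carries internal addresses, usernames and rule names — crosses the network in clear text; the Filebeat tcp input accepts an `ssl` block, so the manifest should add a `type: yaml` var named `ssl` for `tcp.yml.hbs` to pass through (that template is outside this hunk, so whether it already hardcodes anything cannot be confirmed here). The `localhost` default for `tcp_host`/`udp_host` is a safe choice, but it also means the listener is unreachable from the firewall until changed, and the title could say so, e.g. `title: TCP host to listen on (localhost is unreachable from the firewall)`. Separately, the `file` stream omits `template_path` while `udp` and `tcp` set one, which presumably falls back to a default `stream.yml.hbs`; confirm that template exists for this dataset.
```yaml
- input: tcp
  # … unchanged: title, description, template_path, tags/tcp_host/tcp_port/tz_offset vars …
    - name: ssl
      type: yaml
      title: TLS configuration for the TCP listener
      multi: false
      required: false
      show_user: false
  # … unchanged: rsa_fields, keep_raw_fields, debug vars …
```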
@@ -0,0 +1,780 @@ +# Sonicwall integration + +This integration is for Sonicwall device's logs. It includes the following +datasets for receiving logs over syslog or read from a file: +- `firewall` dataset: supports Sonicwall-FW logs. + +### Firewall + +The `firewall` dataset collects Sonicwall-FW logs. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| dataset.name | Dataset name. | constant_keyword | +| dataset.namespace | Dataset namespace. | constant_keyword | +| dataset.type | Dataset type. | constant_keyword | +| datastream.dataset | Datastream dataset. | constant_keyword | +| datastream.namespace | Datastream namespace. | constant_keyword | +| datastream.type | Datastream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | Destination domain. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location.lat | | double | +| destination.geo.location.lon | | double | +| destination.ip | IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses. | ip | +| destination.mac | MAC address of the destination. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. 
| keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| http.request.method | HTTP request method. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.body.content | The full HTTP response body. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. 
| keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | +| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.pid | Process id. | long | +| process.ppid | Parent process' pid. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. 
| keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is 
used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| rsa.crypto.ike | IKE negotiation phase. 
| keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | +| rsa.file.directory_dst | This key is used to capture the directory of the target process or file | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | +| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.event_desc | | keyword | +| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | +| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | +| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.inode | Deprecated key defined only in table map. | long | +| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | +| rsa.internal.level | Deprecated key defined only in table map. | long | +| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | +| rsa.internal.message | This key captures the contents of instant messages | keyword | +| rsa.internal.messageid | | keyword | +| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | +| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.site | Deprecated key defined only in table map. | keyword | +| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.statement | Deprecated key defined only in table map. | keyword | +| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | +| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | +| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | +| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | +| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | +| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | +| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | +| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | +| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | +| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | +| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | +| rsa.investigations.event_cat | This key captures the Event category number | long | +| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | +| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | +| rsa.investigations.inv_category | This used to capture investigation category | keyword | +| rsa.investigations.inv_context | This used to capture investigation context | keyword | +| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | +| rsa.misc.OS | This key captures the Name of the Operating System | keyword | +| rsa.misc.acl_id | | keyword | +| rsa.misc.acl_op | | keyword | +| rsa.misc.acl_pos | | keyword | +| rsa.misc.acl_table | | keyword | +| rsa.misc.action | | keyword | +| rsa.misc.admin | | keyword | +| rsa.misc.agent_id | This key is used to capture agent id | keyword | +| rsa.misc.alarm_id | | keyword | +| rsa.misc.alarmname | | keyword | +| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.app_id | | keyword | +| rsa.misc.audit | | keyword | +| rsa.misc.audit_object | | keyword | +| rsa.misc.auditdata | | keyword | +| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | +| rsa.misc.benchmark | | keyword | +| rsa.misc.bypass | | keyword | +| rsa.misc.cache | | keyword | +| rsa.misc.cache_hit | | keyword | +| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | +| rsa.misc.cc_number | Valid Credit Card Numbers only | long | +| rsa.misc.cefversion | | keyword | +| rsa.misc.cfg_attr | | keyword | +| rsa.misc.cfg_obj | | keyword | +| rsa.misc.cfg_path | | keyword | +| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | +| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | +| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | +| rsa.misc.changes | | keyword | +| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | +| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | +| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | +| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | +| rsa.misc.client_ip | | keyword | +| rsa.misc.clustermembers | | keyword | +| rsa.misc.cmd | | keyword | +| rsa.misc.cn_acttimeout | | keyword | +| rsa.misc.cn_asn_src | | keyword | +| rsa.misc.cn_bgpv4nxthop | | keyword | +| rsa.misc.cn_ctr_dst_code | | keyword | +| rsa.misc.cn_dst_tos | | keyword | +| rsa.misc.cn_dst_vlan | | keyword | +| rsa.misc.cn_engine_id | | keyword | +| rsa.misc.cn_engine_type | | keyword | +| rsa.misc.cn_f_switch | | keyword | +| rsa.misc.cn_flowsampid | | keyword | +| rsa.misc.cn_flowsampintv | | keyword | +| rsa.misc.cn_flowsampmode | | keyword | +| rsa.misc.cn_inacttimeout | | keyword | +| rsa.misc.cn_inpermbyts | | keyword | +| rsa.misc.cn_inpermpckts | | keyword | +| rsa.misc.cn_invalid | | keyword | +| rsa.misc.cn_ip_proto_ver | | keyword | +| rsa.misc.cn_ipv4_ident | | keyword | +| rsa.misc.cn_l_switch | | keyword | +| rsa.misc.cn_log_did | | keyword | +| rsa.misc.cn_log_rid | | keyword | +| rsa.misc.cn_max_ttl | | keyword | +| rsa.misc.cn_maxpcktlen | | keyword | +| rsa.misc.cn_min_ttl | | keyword | +| rsa.misc.cn_minpcktlen | | keyword | +| rsa.misc.cn_mpls_lbl_1 | | keyword | +| rsa.misc.cn_mpls_lbl_10 | | keyword | +| rsa.misc.cn_mpls_lbl_2 | | keyword | +| rsa.misc.cn_mpls_lbl_3 | | keyword | +| rsa.misc.cn_mpls_lbl_4 | | keyword | +| rsa.misc.cn_mpls_lbl_5 | 
| keyword | +| rsa.misc.cn_mpls_lbl_6 | | keyword | +| rsa.misc.cn_mpls_lbl_7 | | keyword | +| rsa.misc.cn_mpls_lbl_8 | | keyword | +| rsa.misc.cn_mpls_lbl_9 | | keyword | +| rsa.misc.cn_mplstoplabel | | keyword | +| rsa.misc.cn_mplstoplabip | | keyword | +| rsa.misc.cn_mul_dst_byt | | keyword | +| rsa.misc.cn_mul_dst_pks | | keyword | +| rsa.misc.cn_muligmptype | | keyword | +| rsa.misc.cn_sampalgo | | keyword | +| rsa.misc.cn_sampint | | keyword | +| rsa.misc.cn_seqctr | | keyword | +| rsa.misc.cn_spackets | | keyword | +| rsa.misc.cn_src_tos | | keyword | +| rsa.misc.cn_src_vlan | | keyword | +| rsa.misc.cn_sysuptime | | keyword | +| rsa.misc.cn_template_id | | keyword | +| rsa.misc.cn_totbytsexp | | keyword | +| rsa.misc.cn_totflowexp | | keyword | +| rsa.misc.cn_totpcktsexp | | keyword | +| rsa.misc.cn_unixnanosecs | | keyword | +| rsa.misc.cn_v6flowlabel | | keyword | +| rsa.misc.cn_v6optheaders | | keyword | +| rsa.misc.code | | keyword | +| rsa.misc.command | | keyword | +| rsa.misc.comments | Comment information provided in the log message | keyword | +| rsa.misc.comp_class | | keyword | +| rsa.misc.comp_name | | keyword | +| rsa.misc.comp_rbytes | | keyword | +| rsa.misc.comp_sbytes | | keyword | +| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | +| rsa.misc.connection_id | This key captures the Connection ID | keyword | +| rsa.misc.content | This key captures the content type from protocol headers | keyword | +| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | +| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | +| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | +| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | +| rsa.misc.context_target | | keyword | +| rsa.misc.count | | keyword | +| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | +| rsa.misc.cpu_data | | keyword | +| rsa.misc.criticality | | keyword | +| rsa.misc.cs_agency_dst | | keyword | +| rsa.misc.cs_analyzedby | | keyword | +| rsa.misc.cs_av_other | | keyword | +| rsa.misc.cs_av_primary | | keyword | +| rsa.misc.cs_av_secondary | | keyword | +| rsa.misc.cs_bgpv6nxthop | | keyword | +| rsa.misc.cs_bit9status | | keyword | +| rsa.misc.cs_context | | keyword | +| rsa.misc.cs_control | | keyword | +| rsa.misc.cs_data | | keyword | +| rsa.misc.cs_datecret | | keyword | +| rsa.misc.cs_dst_tld | | keyword | +| rsa.misc.cs_eth_dst_ven | | keyword | +| rsa.misc.cs_eth_src_ven | | keyword | +| rsa.misc.cs_event_uuid | | keyword | +| rsa.misc.cs_filetype | | keyword | +| rsa.misc.cs_fld | | keyword | +| rsa.misc.cs_if_desc | | keyword | +| rsa.misc.cs_if_name | | keyword | +| rsa.misc.cs_ip_next_hop | | keyword | +| rsa.misc.cs_ipv4dstpre | | keyword | +| rsa.misc.cs_ipv4srcpre | | keyword | +| rsa.misc.cs_lifetime | | keyword | +| rsa.misc.cs_log_medium | | keyword | +| rsa.misc.cs_loginname | | keyword | +| rsa.misc.cs_modulescore | | keyword | +| rsa.misc.cs_modulesign | | keyword | +| rsa.misc.cs_opswatresult | | keyword | +| rsa.misc.cs_payload | | keyword | +| rsa.misc.cs_registrant | | keyword | +| rsa.misc.cs_registrar | | keyword | +| rsa.misc.cs_represult | | keyword | +| rsa.misc.cs_rpayload | | keyword | +| rsa.misc.cs_sampler_name | | keyword | +| rsa.misc.cs_sourcemodule | | keyword | +| rsa.misc.cs_streams | | keyword | +| rsa.misc.cs_targetmodule | | keyword | +| rsa.misc.cs_v6nxthop | | keyword | +| rsa.misc.cs_whois_server | | keyword | +| rsa.misc.cs_yararesult | | keyword | +| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | +| rsa.misc.data_type | | keyword | +| rsa.misc.description | | keyword | +| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | +| rsa.misc.devvendor | | keyword | +| rsa.misc.disposition | This key captures the The end state of an action. | keyword | +| rsa.misc.distance | | keyword | +| rsa.misc.doc_number | This key captures File Identification number | long | +| rsa.misc.dstburb | | keyword | +| rsa.misc.edomain | | keyword | +| rsa.misc.edomaub | | keyword | +| rsa.misc.ein_number | Employee Identification Numbers only | long | +| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | +| rsa.misc.euid | | keyword | +| rsa.misc.event_category | | keyword | +| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | +| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | +| rsa.misc.event_id | | keyword | +| rsa.misc.event_log | This key captures the Name of the event log | keyword | +| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | +| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | +| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | +| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | +| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | +| rsa.misc.facility | | keyword | +| rsa.misc.facilityname | | keyword | +| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | +| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | +| rsa.misc.finterface | | keyword | +| rsa.misc.flags | | keyword | +| rsa.misc.forensic_info | | keyword | +| rsa.misc.found | This is used to capture the results of regex match | keyword | +| rsa.misc.fresult | This key captures the Filter Result | long | +| rsa.misc.gaddr | | keyword | +| rsa.misc.group | This key captures the Group Name value | keyword | +| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | +| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | +| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | +| rsa.misc.id3 | | keyword | +| rsa.misc.im_buddyid | | keyword | +| rsa.misc.im_buddyname | | keyword | +| rsa.misc.im_client | | keyword | +| rsa.misc.im_croomid | | keyword | +| rsa.misc.im_croomtype | | keyword | +| rsa.misc.im_members | | keyword | +| rsa.misc.im_userid | | keyword | +| rsa.misc.im_username | | keyword | +| rsa.misc.index | | keyword | +| rsa.misc.inout | | keyword | +| rsa.misc.ipkt | | keyword | +| rsa.misc.ipscat | | keyword | +| rsa.misc.ipspri | | keyword | +| rsa.misc.job_num | This key captures the Job Number | keyword | +| rsa.misc.jobname | | keyword | +| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | +| rsa.misc.latitude | | keyword | +| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | +| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | +| rsa.misc.linenum | | keyword | +| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.misc.list_name | | keyword | +| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | +| rsa.misc.load_data | | keyword | +| rsa.misc.location_floor | | keyword | +| rsa.misc.location_mark | | keyword | +| rsa.misc.log_id | | keyword | +| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | +| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | +| rsa.misc.log_type | | keyword | +| rsa.misc.logid | | keyword | +| rsa.misc.logip | | keyword | +| rsa.misc.logname | | keyword | +| rsa.misc.longitude | | keyword | +| rsa.misc.lport | | keyword | +| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | +| rsa.misc.match | This key is for regex match name from search.ini | keyword | +| rsa.misc.mbug_data | | keyword | +| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | +| rsa.misc.misc | | keyword | +| rsa.misc.misc_name | | keyword | +| rsa.misc.mode | | keyword | +| rsa.misc.msgIdPart1 | | keyword | +| rsa.misc.msgIdPart2 | | keyword | +| rsa.misc.msgIdPart3 | | keyword | +| rsa.misc.msgIdPart4 | | keyword | +| rsa.misc.msg_type | | keyword | +| rsa.misc.msgid | | keyword | +| rsa.misc.name | | keyword | +| rsa.misc.netsessid | | keyword | +| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long 
| +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target **VMWARE** only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword |
+| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword |
+| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword |
+| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword |
+| rsa.threat.alert | This key is used to capture name of the alert | keyword |
+| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword |
+| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword |
+| rsa.threat.threat_source | This key is used to capture source of the threat | keyword |
+| rsa.time.date | | keyword |
+| rsa.time.datetime | | keyword |
+| rsa.time.day | | keyword |
+| rsa.time.duration_str | A text string version of the duration | keyword |
+| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double |
+| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date |
+| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date |
+| rsa.time.event_queue_time | This key is the Time that the event was queued. | date |
+| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date |
+| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword |
+| rsa.time.eventtime | | keyword |
+| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date |
+| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword |
+| rsa.time.gmtdate | | keyword |
+| rsa.time.gmttime | | keyword |
+| rsa.time.hour | | keyword |
+| rsa.time.min | | keyword |
+| rsa.time.month | | keyword |
+| rsa.time.p_date | | keyword |
+| rsa.time.p_month | | keyword |
+| rsa.time.p_time | | keyword |
+| rsa.time.p_time1 | | keyword |
+| rsa.time.p_time2 | | keyword |
+| rsa.time.p_year | | keyword |
+| rsa.time.process_time | Deprecated, use duration.time | keyword |
+| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date |
+| rsa.time.stamp | Deprecated key defined only in table map. | date |
+| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date |
+| rsa.time.timestamp | | keyword |
+| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword |
+| rsa.time.tzone | | keyword |
+| rsa.time.year | | keyword |
+| rsa.web.alias_host | | keyword |
+| rsa.web.cn_asn_dst | | keyword |
+| rsa.web.cn_rpackets | | keyword |
+| rsa.web.fqdn | Fully Qualified Domain Names | keyword |
+| rsa.web.p_url | | keyword |
+| rsa.web.p_user_agent | | keyword |
+| rsa.web.p_web_cookie | | keyword |
+| rsa.web.p_web_method | | keyword |
+| rsa.web.p_web_referer | | keyword |
+| rsa.web.remote_domain | | keyword |
+| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double |
+| rsa.web.urlpage | | keyword |
+| rsa.web.urlroot | | keyword |
+| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword |
+| rsa.web.web_extension_tmp | | keyword |
+| rsa.web.web_page | | keyword |
+| rsa.web.web_ref_domain | Web referer's domain | keyword |
+| rsa.web.web_ref_page | This key captures Web referer's page information | keyword |
+| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword |
+| rsa.web.web_ref_root | Web referer's root URL path | keyword |
+| rsa.wireless.access_point | This key is used to capture the access point name. | keyword |
+| rsa.wireless.wlan_channel | This is used to capture the channel names | long |
+| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword |
+| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword |
+| rule.name | The name of the rule or signature generating the event. | keyword |
+| server.domain | Server domain. | keyword |
+| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.domain | Source domain. | keyword |
+| source.geo.city_name | City name. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location.lat | | double |
+| source.geo.location.lon | | double |
+| source.ip | IP address of the source. Can be one or multiple IPv4 or IPv6 addresses. 
| ip |
+| source.mac | MAC address of the source. | keyword |
+| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
+| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
+| source.port | Port of the source. | long |
+| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | keyword |
+| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword |
+| url.path | Path of the request, such as "/search". | keyword |
+| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
+| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.id | Unique identifiers of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user_agent.original | Unparsed user_agent string. | keyword |
diff --git a/packages/sonicwall/0.1.0/img/logo.svg b/packages/sonicwall/0.1.0/img/logo.svg
new file mode 100644
index 0000000000..fb1aded68a
--- /dev/null
+++ b/packages/sonicwall/0.1.0/img/logo.svg
@@ -0,0 +1 @@
+ 
\ No newline at end of file
diff --git a/packages/sonicwall/0.1.0/manifest.yml b/packages/sonicwall/0.1.0/manifest.yml
new file mode 100644
index 0000000000..61737049ed
--- /dev/null
+++ b/packages/sonicwall/0.1.0/manifest.yml
@@ -0,0 +1,36 @@
+format_version: 1.0.0
+name: sonicwall
+title: Sonicwall-FW
+version: 0.1.0
+description: Sonicwall-FW Integration
+categories: ["network","security"]
+release: experimental
+removable: true
+license: basic
+type: integration
+conditions:
+ kibana:
+ version: '>=7.9.0'
+ elasticsearch:
+ version: '>=7.9.0'
+config_templates:
+- name: firewall
+ title: Sonicwall-FW
+ description: Collect Sonicwall-FW logs from syslog or a file.
+ inputs:
+ - type: udp
+ title: Collect logs from Sonicwall-FW via UDP
+ description: Collecting syslog from Sonicwall-FW via UDP
+ - type: tcp
+ title: Collect logs from Sonicwall-FW via TCP
+ description: Collecting syslog from Sonicwall-FW via TCP
+ - type: file
+ title: Collect logs from Sonicwall-FW via file
+ description: Collecting syslog from Sonicwall-FW via file.
+# No icon
+icons:
+ - src: /img/logo.svg
+ title: Sonicwall-FW logo
+ size: 32x32
+ type: image/svg+xml
+ 
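Review bot: The `# No icon` comment in the new manifest.yml sits directly above the `icons:` block it introduces, and that block registers `/img/logo.svg` as the package logo, so the comment contradicts the line that follows it and will mislead the next editor; delete `# No icon`, or if the SVG is only a stand-in, say that instead, e.g. `# Placeholder icon until a vendor-supplied logo is added`. A smaller consistency point in the same block: the `file` input's description ends with a period (`Collecting syslog from Sonicwall-FW via file.`) while the `udp` and `tcp` descriptions do not. Neither affects how the package loads, but both are user-visible in the integration listing.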
diff --git a/packages/squid/0.1.0/dataset/log/agent/stream/stream.yml.hbs b/packages/squid/0.1.0/dataset/log/agent/stream/stream.yml.hbs
new file mode 100644
index 0000000000..769e0f79d8
--- /dev/null
+++ b/packages/squid/0.1.0/dataset/log/agent/stream/stream.yml.hbs
@@ -0,0 +1,2842 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Squid" + product: "Proxy" + type: "Proxies" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage).
+ var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+ };
+
+ function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+ }
+
+ function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+ }
+
+ function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+ }
+
+ function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+ }
+
+ function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+ }
+
+ function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+ }
+
+ var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field:
"source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter:
fld_prio, prio: 0}]},
+ "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field:
"network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field:
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain":
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user",
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field:
"rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field:
"rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field:
"rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl",
setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field:
"rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field:
"rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter:
fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field:
"rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + ])); + + var dup16 = match("MESSAGE#19:GET:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, + ])); + + var dup17 = match("MESSAGE#2:POST", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + ])); + + var dup18 = match("MESSAGE#21:POST:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup2, + dup4, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, + ])); + + var dup19 = match("MESSAGE#3:PUT", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + ])); + + var dup20 = match("MESSAGE#22:PUT:01", 
"nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%{hsaddr->} %{hsport->} [%{fld20->} %{fld21}] \"%{messageid->} %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hsaddr"), + constant(" "), + field("hsport"), + constant(" ["), + field("fld20"), + constant(" "), + field("fld21"), + constant("] \""), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{hevent_time_string->} %{hduration->} %{hsaddr->} %{haction}/%{hresultcode->} %{hsbytes->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hevent_time_string"), + constant(" "), + field("hduration"), + constant(" "), + field("hsaddr"), + constant(" "), + field("haction"), + constant("/"), + field("hresultcode"), + constant(" "), + field("hsbytes"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + ]); + + var msg1 = msg("GET", dup15); + + var part1 = match("MESSAGE#18:GET:02", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{resultcode->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action->} %{daddr->} %{content_type->} %{duration}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + ])); + + var msg2 = msg("GET:02", part1); + + var msg3 = msg("GET:01", dup16); + + var select2 = linear_select([ + msg1, + msg2, + msg3, + ]); + + var msg4 = msg("HEAD", dup15); + + var 
msg5 = msg("HEAD:01", dup16); + + var select3 = linear_select([ + msg4, + msg5, + ]); + + var msg6 = msg("POST", dup17); + + var msg7 = msg("POST:01", dup18); + + var select4 = linear_select([ + msg6, + msg7, + ]); + + var msg8 = msg("PUT", dup19); + + var msg9 = msg("PUT:01", dup20); + + var select5 = linear_select([ + msg8, + msg9, + ]); + + var msg10 = msg("DELETE", dup19); + + var msg11 = msg("DELETE:01", dup20); + + var select6 = linear_select([ + msg10, + msg11, + ]); + + var msg12 = msg("TRACE", dup19); + + var msg13 = msg("TRACE:01", dup20); + + var select7 = linear_select([ + msg12, + msg13, + ]); + + var msg14 = msg("OPTIONS", dup19); + + var msg15 = msg("OPTIONS:01", dup20); + + var select8 = linear_select([ + msg14, + msg15, + ]); + + var msg16 = msg("CONNECT", dup17); + + var msg17 = msg("CONNECT:01", dup18); + + var select9 = linear_select([ + msg16, + msg17, + ]); + + var msg18 = msg("ICP_QUERY", dup19); + + var msg19 = msg("ICP_QUERY:01", dup20); + + var select10 = linear_select([ + msg18, + msg19, + ]); + + var msg20 = msg("PURGE", dup19); + + var msg21 = msg("PURGE:01", dup20); + + var select11 = linear_select([ + msg20, + msg21, + ]); + + var msg22 = msg("PROPFIND", dup19); + + var msg23 = msg("PROPFIND:01", dup20); + + var select12 = linear_select([ + msg22, + msg23, + ]); + + var msg24 = msg("PROPATCH", dup19); + + var msg25 = msg("PROPATCH:01", dup20); + + var select13 = linear_select([ + msg24, + msg25, + ]); + + var msg26 = msg("MKOL", dup19); + + var msg27 = msg("MKOL:01", dup20); + + var select14 = linear_select([ + msg26, + msg27, + ]); + + var msg28 = msg("COPY", dup19); + + var msg29 = msg("COPY:01", dup20); + + var select15 = linear_select([ + msg28, + msg29, + ]); + + var msg30 = msg("MOVE", dup19); + + var msg31 = msg("MOVE:01", dup20); + + var select16 = linear_select([ + msg30, + msg31, + ]); + + var msg32 = msg("LOCK", dup19); + + var msg33 = msg("LOCK:01", dup20); + + var select17 = linear_select([ + msg32, + msg33, + ]); + + var 
msg34 = msg("UNLOCK", dup19); + + var msg35 = msg("UNLOCK:01", dup20); + + var select18 = linear_select([ + msg34, + msg35, + ]); + + var msg36 = msg("NONE", dup19); + + var msg37 = msg("NONE:01", dup20); + + var select19 = linear_select([ + msg36, + msg37, + ]); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "CONNECT": select9, + "COPY": select15, + "DELETE": select6, + "GET": select2, + "HEAD": select3, + "ICP_QUERY": select10, + "LOCK": select17, + "MKOL": select14, + "MOVE": select16, + "NONE": select19, + "OPTIONS": select8, + "POST": select4, + "PROPATCH": select13, + "PROPFIND": select12, + "PURGE": select11, + "PUT": select5, + "TRACE": select7, + "UNLOCK": select18, + }), + ]); + + var part2 = match("MESSAGE#0:GET", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + ])); + + var part3 = match("MESSAGE#19:GET:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, + ])); + + var part4 = match("MESSAGE#2:POST", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + ])); + + var part5 = match("MESSAGE#21:POST:01", "nwparser.payload", "%{event_time_string}.%{fld20->} 
%{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup2, + dup4, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, + ])); + + var part6 = match("MESSAGE#3:PUT", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + ])); + + var part7 = match("MESSAGE#22:PUT:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, + ])); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/squid/0.1.0/dataset/log/agent/stream/tcp.yml.hbs b/packages/squid/0.1.0/dataset/log/agent/stream/tcp.yml.hbs new file mode 100644 index 0000000000..4b1d4b7807 --- /dev/null +++ b/packages/squid/0.1.0/dataset/log/agent/stream/tcp.yml.hbs 
@@ -0,0 +1,2839 @@ +tcp: +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Squid" + product: "Proxy" + type: "Proxies" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + ])); + + var dup16 = match("MESSAGE#19:GET:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, + ])); + + var dup17 = match("MESSAGE#2:POST", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + ])); + + var dup18 = match("MESSAGE#21:POST:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup2, + dup4, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, + ])); + + var dup19 = match("MESSAGE#3:PUT", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + ])); + + var dup20 = match("MESSAGE#22:PUT:01", 
"nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%{hsaddr->} %{hsport->} [%{fld20->} %{fld21}] \"%{messageid->} %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hsaddr"), + constant(" "), + field("hsport"), + constant(" ["), + field("fld20"), + constant(" "), + field("fld21"), + constant("] \""), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{hevent_time_string->} %{hduration->} %{hsaddr->} %{haction}/%{hresultcode->} %{hsbytes->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hevent_time_string"), + constant(" "), + field("hduration"), + constant(" "), + field("hsaddr"), + constant(" "), + field("haction"), + constant("/"), + field("hresultcode"), + constant(" "), + field("hsbytes"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + ]); + + var msg1 = msg("GET", dup15); + + var part1 = match("MESSAGE#18:GET:02", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{resultcode->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action->} %{daddr->} %{content_type->} %{duration}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + ])); + + var msg2 = msg("GET:02", part1); + + var msg3 = msg("GET:01", dup16); + + var select2 = linear_select([ + msg1, + msg2, + msg3, + ]); + + var msg4 = msg("HEAD", dup15); + + var 
msg5 = msg("HEAD:01", dup16); + + var select3 = linear_select([ + msg4, + msg5, + ]); + + var msg6 = msg("POST", dup17); + + var msg7 = msg("POST:01", dup18); + + var select4 = linear_select([ + msg6, + msg7, + ]); + + var msg8 = msg("PUT", dup19); + + var msg9 = msg("PUT:01", dup20); + + var select5 = linear_select([ + msg8, + msg9, + ]); + + var msg10 = msg("DELETE", dup19); + + var msg11 = msg("DELETE:01", dup20); + + var select6 = linear_select([ + msg10, + msg11, + ]); + + var msg12 = msg("TRACE", dup19); + + var msg13 = msg("TRACE:01", dup20); + + var select7 = linear_select([ + msg12, + msg13, + ]); + + var msg14 = msg("OPTIONS", dup19); + + var msg15 = msg("OPTIONS:01", dup20); + + var select8 = linear_select([ + msg14, + msg15, + ]); + + var msg16 = msg("CONNECT", dup17); + + var msg17 = msg("CONNECT:01", dup18); + + var select9 = linear_select([ + msg16, + msg17, + ]); + + var msg18 = msg("ICP_QUERY", dup19); + + var msg19 = msg("ICP_QUERY:01", dup20); + + var select10 = linear_select([ + msg18, + msg19, + ]); + + var msg20 = msg("PURGE", dup19); + + var msg21 = msg("PURGE:01", dup20); + + var select11 = linear_select([ + msg20, + msg21, + ]); + + var msg22 = msg("PROPFIND", dup19); + + var msg23 = msg("PROPFIND:01", dup20); + + var select12 = linear_select([ + msg22, + msg23, + ]); + + var msg24 = msg("PROPATCH", dup19); + + var msg25 = msg("PROPATCH:01", dup20); + + var select13 = linear_select([ + msg24, + msg25, + ]); + + var msg26 = msg("MKOL", dup19); + + var msg27 = msg("MKOL:01", dup20); + + var select14 = linear_select([ + msg26, + msg27, + ]); + + var msg28 = msg("COPY", dup19); + + var msg29 = msg("COPY:01", dup20); + + var select15 = linear_select([ + msg28, + msg29, + ]); + + var msg30 = msg("MOVE", dup19); + + var msg31 = msg("MOVE:01", dup20); + + var select16 = linear_select([ + msg30, + msg31, + ]); + + var msg32 = msg("LOCK", dup19); + + var msg33 = msg("LOCK:01", dup20); + + var select17 = linear_select([ + msg32, + msg33, + ]); + + var 
msg34 = msg("UNLOCK", dup19); + + var msg35 = msg("UNLOCK:01", dup20); + + var select18 = linear_select([ + msg34, + msg35, + ]); + + var msg36 = msg("NONE", dup19); + + var msg37 = msg("NONE:01", dup20); + + var select19 = linear_select([ + msg36, + msg37, + ]); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "CONNECT": select9, + "COPY": select15, + "DELETE": select6, + "GET": select2, + "HEAD": select3, + "ICP_QUERY": select10, + "LOCK": select17, + "MKOL": select14, + "MOVE": select16, + "NONE": select19, + "OPTIONS": select8, + "POST": select4, + "PROPATCH": select13, + "PROPFIND": select12, + "PURGE": select11, + "PUT": select5, + "TRACE": select7, + "UNLOCK": select18, + }), + ]); + + var part2 = match("MESSAGE#0:GET", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + ])); + + var part3 = match("MESSAGE#19:GET:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, + ])); + + var part4 = match("MESSAGE#2:POST", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + ])); + + var part5 = match("MESSAGE#21:POST:01", "nwparser.payload", "%{event_time_string}.%{fld20->} 
%{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup2, + dup4, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, + ])); + + var part6 = match("MESSAGE#3:PUT", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + ])); + + var part7 = match("MESSAGE#22:PUT:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, + ])); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/squid/0.1.0/dataset/log/agent/stream/udp.yml.hbs b/packages/squid/0.1.0/dataset/log/agent/stream/udp.yml.hbs new file mode 100644 index 0000000000..8fbd21bfc7 --- /dev/null +++ b/packages/squid/0.1.0/dataset/log/agent/stream/udp.yml.hbs 
@@ -0,0 +1,2839 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Squid" + product: "Proxy" + type: "Proxies" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) {
+ var n = str.length;
+ var start = skipws(str, pos);
+ if (start + 2 > n) return;
+ var head = str.substr(start, 2).toUpperCase();
+ var isPM = false;
+ var skip = false;
+ switch (head) {
+ case "A.":
+ skip = true;
+ /* falls through */
+ case "AM":
+ break;
+ case "P.":
+ skip = true;
+ /* falls through */
+ case "PM":
+ isPM = true;
+ break;
+ default:
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
+ return;
+ }
+ pos = start + 2;
+ if (skip) {
+ if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
+ return;
+ }
+ pos += 2;
+ }
+ var hh = date.hours;
+ if (isPM) {
+ // Accept existing hour in 24h format.
+ if (hh < 12) hh += 12;
+ } else {
+ if (hh === 12) hh = 0;
+ }
+ date.setHours(hh);
+ return pos;
+ }
+
+ function parseHMS(str, pos, date) {
+ return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
+ }
+
+ function skipws(str, pos) {
+ for ( var n = str.length;
+ pos < n && str.charAt(pos) === " ";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function skipdigits(str, pos) {
+ var c;
+ for (var n = str.length;
+ pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function dSkip(str, pos, date) {
+ var chr;
+ for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
+ return pos < str.length?
pos : undefined;
+ }
+
+ function dateVariableWidthNumber(fmtChar, min, max, setter) {
+ return function (str, pos, date) {
+ var start = skipws(str, pos);
+ pos = skipdigits(str, start);
+ var s = str.substr(start, pos - start);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos;
+ }
+ return;
+ };
+ }
+
+ function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + width > n) return;
+ var s = str.substr(pos, width);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos + width;
+ }
+ return;
+ };
+ }
+
+ // Short month name (Jan..Dec).
+ function dateMonthName(long) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + 3 > n) return;
+ var mon = str.substr(pos, 3);
+ var idx = shortMonths[mon];
+ if (idx === undefined) {
+ idx = shortMonths[mon.toLowerCase()];
+ }
+ if (idx === undefined) {
+ //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
+ return;
+ }
+ date.setMonth(idx[0]+1);
+ return pos + 3 + (long ?
idx[1] : 0);
+ };
+ }
+
+ function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.error(fn.name + " failed for '" + value + "'");
+ }
+ };
+ }
+
+ // The following regular expression for parsing URLs from:
+ // https://github.com/wizard04wsu/URI_Parsing
+ //
+ // The MIT License (MIT)
+ //
+ // Copyright (c) 2014 Andrew Harrison
+ //
+ // Permission is hereby granted, free of charge, to any person obtaining a copy of
+ // this software and associated documentation files (the "Software"), to deal in
+ // the Software without restriction, including without limitation the rights to
+ // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ // the Software, and to permit persons to whom the Software is furnished to do so,
+ // subject to the following conditions:
+ //
+ // The above copyright notice and this permission notice shall be included in all
+ // copies or substantial portions of the Software.
+ //
+ // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+ // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+ // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+ // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+ var uriScheme = 1;
+ var uriDomain = 5;
+ var uriPort = 6;
+ var uriPath = 7;
+ var uriPathAlt = 9;
+ var uriQuery = 11;
+
+ function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+ }
+
+ function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+ }
+
+ function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+ }
+
+ var extFromPage = /\.[^.]+$/;
+ function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+ }
+
+ function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+ }
+
+ function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+ }
+
+ var pageFromPathRegExp = /\/([^\/]+)$/;
+ var pageName = 1;
+
+ function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+ }
+
+ function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+ }
+
+ function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+ }
+
+ function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+ }
+
+ // Map common schemes to their default port.
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + ])); + + var dup16 = match("MESSAGE#19:GET:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, + ])); + + var dup17 = match("MESSAGE#2:POST", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + ])); + + var dup18 = match("MESSAGE#21:POST:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup2, + dup4, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, + ])); + + var dup19 = match("MESSAGE#3:PUT", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + ])); + + var dup20 = match("MESSAGE#22:PUT:01", 
"nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%{hsaddr->} %{hsport->} [%{fld20->} %{fld21}] \"%{messageid->} %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hsaddr"), + constant(" "), + field("hsport"), + constant(" ["), + field("fld20"), + constant(" "), + field("fld21"), + constant("] \""), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{hevent_time_string->} %{hduration->} %{hsaddr->} %{haction}/%{hresultcode->} %{hsbytes->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hevent_time_string"), + constant(" "), + field("hduration"), + constant(" "), + field("hsaddr"), + constant(" "), + field("haction"), + constant("/"), + field("hresultcode"), + constant(" "), + field("hsbytes"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + ]); + + var msg1 = msg("GET", dup15); + + var part1 = match("MESSAGE#18:GET:02", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{resultcode->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action->} %{daddr->} %{content_type->} %{duration}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + ])); + + var msg2 = msg("GET:02", part1); + + var msg3 = msg("GET:01", dup16); + + var select2 = linear_select([ + msg1, + msg2, + msg3, + ]); + + var msg4 = msg("HEAD", dup15); + + var 
msg5 = msg("HEAD:01", dup16); + + var select3 = linear_select([ + msg4, + msg5, + ]); + + var msg6 = msg("POST", dup17); + + var msg7 = msg("POST:01", dup18); + + var select4 = linear_select([ + msg6, + msg7, + ]); + + var msg8 = msg("PUT", dup19); + + var msg9 = msg("PUT:01", dup20); + + var select5 = linear_select([ + msg8, + msg9, + ]); + + var msg10 = msg("DELETE", dup19); + + var msg11 = msg("DELETE:01", dup20); + + var select6 = linear_select([ + msg10, + msg11, + ]); + + var msg12 = msg("TRACE", dup19); + + var msg13 = msg("TRACE:01", dup20); + + var select7 = linear_select([ + msg12, + msg13, + ]); + + var msg14 = msg("OPTIONS", dup19); + + var msg15 = msg("OPTIONS:01", dup20); + + var select8 = linear_select([ + msg14, + msg15, + ]); + + var msg16 = msg("CONNECT", dup17); + + var msg17 = msg("CONNECT:01", dup18); + + var select9 = linear_select([ + msg16, + msg17, + ]); + + var msg18 = msg("ICP_QUERY", dup19); + + var msg19 = msg("ICP_QUERY:01", dup20); + + var select10 = linear_select([ + msg18, + msg19, + ]); + + var msg20 = msg("PURGE", dup19); + + var msg21 = msg("PURGE:01", dup20); + + var select11 = linear_select([ + msg20, + msg21, + ]); + + var msg22 = msg("PROPFIND", dup19); + + var msg23 = msg("PROPFIND:01", dup20); + + var select12 = linear_select([ + msg22, + msg23, + ]); + + var msg24 = msg("PROPATCH", dup19); + + var msg25 = msg("PROPATCH:01", dup20); + + var select13 = linear_select([ + msg24, + msg25, + ]); + + var msg26 = msg("MKOL", dup19); + + var msg27 = msg("MKOL:01", dup20); + + var select14 = linear_select([ + msg26, + msg27, + ]); + + var msg28 = msg("COPY", dup19); + + var msg29 = msg("COPY:01", dup20); + + var select15 = linear_select([ + msg28, + msg29, + ]); + + var msg30 = msg("MOVE", dup19); + + var msg31 = msg("MOVE:01", dup20); + + var select16 = linear_select([ + msg30, + msg31, + ]); + + var msg32 = msg("LOCK", dup19); + + var msg33 = msg("LOCK:01", dup20); + + var select17 = linear_select([ + msg32, + msg33, + ]); + + var 
msg34 = msg("UNLOCK", dup19); + + var msg35 = msg("UNLOCK:01", dup20); + + var select18 = linear_select([ + msg34, + msg35, + ]); + + var msg36 = msg("NONE", dup19); + + var msg37 = msg("NONE:01", dup20); + + var select19 = linear_select([ + msg36, + msg37, + ]); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "CONNECT": select9, + "COPY": select15, + "DELETE": select6, + "GET": select2, + "HEAD": select3, + "ICP_QUERY": select10, + "LOCK": select17, + "MKOL": select14, + "MOVE": select16, + "NONE": select19, + "OPTIONS": select8, + "POST": select4, + "PROPATCH": select13, + "PROPFIND": select12, + "PURGE": select11, + "PUT": select5, + "TRACE": select7, + "UNLOCK": select18, + }), + ]); + + var part2 = match("MESSAGE#0:GET", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + ])); + + var part3 = match("MESSAGE#19:GET:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, + ])); + + var part4 = match("MESSAGE#2:POST", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + ])); + + var part5 = match("MESSAGE#21:POST:01", "nwparser.payload", "%{event_time_string}.%{fld20->} 
%{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup2, + dup4, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, + ])); + + var part6 = match("MESSAGE#3:PUT", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + ])); + + var part7 = match("MESSAGE#22:PUT:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, + ])); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/squid/0.1.0/dataset/log/elasticsearch/ingest_pipeline/default.yml b/packages/squid/0.1.0/dataset/log/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 0000000000..caeba41fcb --- /dev/null +++ b/packages/squid/0.1.0/dataset/log/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Squid
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/squid/0.1.0/dataset/log/fields/base-fields.yml b/packages/squid/0.1.0/dataset/log/fields/base-fields.yml
new file mode 100644
index 0000000000..b294eaf20e
--- /dev/null
+++ b/packages/squid/0.1.0/dataset/log/fields/base-fields.yml
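Review bot: The on_failure handler at the end of this hunk only appends the failure text to error.message, so a document whose enrichment failed is indexed without a categorical marker that a detection rule or dashboard can filter on. A common pattern is to add `- set:` / `field: event.kind` / `value: pipeline_error` to the same on_failure list; pipeline_error is the ECS event.kind value for this situation, so confirm it exists in the ECS version this package declares. event.kind is not among the fields declared for the package in this diff's ecs.yml (the event group there lists only code, action, outcome, category and timezone), so the field definition would need to be added alongside. The geoip and rename processors are otherwise consistently guarded with ignore_missing.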
@@ -0,0 +1,26 @@
+- name: datastream.type
+ type: constant_keyword
+ description: Datastream type.
+- name: datastream.dataset
+ type: constant_keyword
+ description: Datastream dataset.
+- name: datastream.namespace
+ type: constant_keyword
+ description: Datastream namespace.
+
+- name: dataset.type
+ type: constant_keyword
+ description: >
+ Dataset type.
+- name: dataset.name
+ type: constant_keyword
+ description: >
+ Dataset name.
+- name: dataset.namespace
+ type: constant_keyword
+ description: >
+ Dataset namespace.
+- name: "@timestamp"
+ type: date
+ description: >
+ Event timestamp.
diff --git a/packages/squid/0.1.0/dataset/log/fields/ecs.yml b/packages/squid/0.1.0/dataset/log/fields/ecs.yml
new file mode 100644
index 0000000000..92af91c339
--- /dev/null
+++ b/packages/squid/0.1.0/dataset/log/fields/ecs.yml
@@ -0,0 +1,836 @@ +- name: log + type: group + fields: + - name: original + level: core + type: keyword + ignore_above: 1024 + description: 'This is the original log message and contains the full log message + before splitting it up in multiple parts. + + In contrast to the `message` field which can contain an extracted part of the + log message, this field contains the original, full log message. It can have + already some modifications applied like encoding or new lines removed to clean + up the log message. + + This field is not indexed and doc_values are disabled so it can''t be queried + but the value can be retrieved from `_source`.' + example: Sep 19 08:26:10 localhost My log + - name: level + level: core + type: keyword + ignore_above: 1024 + description: 'Original log level of the log event. + + If the source of the event provides a log level or textual severity, this is + the one that goes in `log.level`. If your source doesn''t specify one, you may + put your event transport''s severity here (e.g. Syslog severity). + + Some examples are `warn`, `err`, `i`, `informational`.' + example: error + - name: syslog + type: group + fields: + - name: priority + level: extended + type: long + format: string + description: 'Syslog numeric priority of the event, if available. + + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. + This number is therefore expected to contain a value between 0 and 191.' + example: 135 + - name: facility + type: group + fields: + - name: code + level: extended + type: long + format: string + description: 'The Syslog numeric facility of the log event, if available. + + According to RFCs 5424 and 3164, this value should be an integer between + 0 and 23.' + example: 23 + - name: severity + type: group + fields: + - name: code + level: extended + type: long + description: 'The Syslog numeric severity of the log event, if available. 
+ + If the event source publishing via Syslog provides a different numeric severity + value (e.g. firewall, IDS), your source''s numeric severity should go to + `event.severity`. If the event source does not specify a distinct severity, + you can optionally copy the Syslog severity to `event.severity`.' + example: 3 +- name: event + type: group + fields: + - name: code + level: extended + type: keyword + ignore_above: 1024 + description: 'Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, regardless + of message language or wording adjustments over time. An example of this is + the Windows Event ID.' + example: 4648 + - name: action + level: core + type: keyword + ignore_above: 1024 + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is normally + defined by the implementer.' + example: user-password-change + - name: outcome + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + lowest level in the ECS category hierarchy. + + `event.outcome` simply denotes whether the event represents a success or a failure + from the perspective of the entity that produced the event. + + Note that when a single transaction is described in multiple events, each event + may populate different values of `event.outcome`, according to their perspective. + + Also note that in the case of a compound event (a single event that contains + multiple logical events), this field should be populated with the value that + best captures the overall success or failure from the perspective of the event + producer. + + Further note that not all events will have an associated outcome. 
For example, + this field is generally not populated for metric events, events with `event.type:info`, + or any events for which an outcome does not make logical sense.' + example: success + - name: category + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as a + subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + - name: timezone + level: extended + type: keyword + ignore_above: 1024 + description: 'This field should be populated when the event''s timestamp does + not include timezone information already (e.g. default Syslog timestamps). It''s + optional otherwise. + + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated + (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' +- name: '@timestamp' + level: core + required: true + type: date + description: 'Date/time when the event originated. + + This is the date/time extracted from the event, typically representing when the + event was generated by the source. + + If the event source has no original timestamp, this value is typically populated + by the first time the event was received by the pipeline. + + Required field for all events.' + example: '2016-05-23T08:05:34.853Z' +- name: user + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. 
+ example: albert + - name: full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifiers of the user. +- name: message + level: core + type: text + description: 'For log events the message field contains the log message, optimized + for viewing in a log viewer. + + For structured logs without an original message field, other fields can be concatenated + to form a human-readable summary of the event. + + If multiple messages exist, they can be combined into one message.' + example: Hello World +- name: source + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the source. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the source. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the source. + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. 
internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Source domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: host + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified + domain name, or a name specified by the user. The sender decides which value + to use.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. +- name: destination + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the destination. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the destination. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event destination addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. 
You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the destination to the source. + example: 184 + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the destination. + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of destination based NAT sessions (e.g. internet + to private DMZ) + + Typically used with load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Port the source session is translated to by NAT Device. + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Destination domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: network + type: group + fields: + - name: protocol + level: core + type: keyword + ignore_above: 1024 + description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: http + - name: application + level: extended + type: keyword + ignore_above: 1024 + description: 'A name given to an application level protocol. This can be arbitrarily + assigned for things like microservices, but also apply to things like skype, + icq, facebook, twitter. 
This would be used in situations where the vendor or + service can be decoded such as from the source/dest IP owners, ports, or wire + format. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: aim + - name: interface + type: group + fields: + - type: keyword + name: name + - name: bytes + level: core + type: long + format: bytes + description: 'Total bytes transferred in both directions. + + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their + sum.' + example: 368 + - name: direction + level: core + type: keyword + ignore_above: 1024 + description: "Direction of the network traffic.\nRecommended values are:\n *\ + \ inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen mapping\ + \ events from a host-based monitoring context, populate this field from the\ + \ host's point of view.\nWhen mapping events from a network or perimeter-based\ + \ monitoring context, populate this field from the point of view of your network\ + \ perimeter." + example: inbound + - name: packets + level: core + type: long + description: 'Total packets transferred in both directions. + + If `source.packets` and `destination.packets` are known, `network.packets` is + their sum.' + example: 24 + - name: forwarded_ip + level: core + type: ip + description: Host IP address when the source IP address is the proxy. + example: 192.1.1.2 +- name: observer + type: group + fields: + - name: version + level: core + type: keyword + ignore_above: 1024 + description: Observer version. + - name: product + level: extended + type: keyword + ignore_above: 1024 + description: The product name of the observer. + example: s200 + - name: ingress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. 
+ example: eth0 + default_field: false + - name: egress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. + example: eth0 + default_field: false +- name: file + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. + example: example.png + - name: directory + level: extended + type: keyword + ignore_above: 1024 + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + - name: size + level: extended + type: long + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: File type (file, dir, or symlink). + example: file + - name: extension + level: extended + type: keyword + ignore_above: 1024 + description: File extension. + example: png + - name: path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + - name: attributes + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' 
+ example: '["readonly", "system"]' + default_field: false +- name: url + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + - name: query + level: extended + type: keyword + ignore_above: 1024 + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there is + no query field. If there is a `?` but no query, the query field exists with + an empty string. The `exists` query can be used to differentiate between the + two cases.' + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field.' + example: www.elastic.co + - name: path + level: extended + type: keyword + ignore_above: 1024 + description: Path of the request, such as "/search". + - name: top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for google.com is "com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). 
Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.google.com" is "google.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: google.com +- name: service + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the service data is collected from. + + The name of the service is normally user given. This allows for distributed + services that run on multiple hosts to correlate the related instances based + on the name. + + In the case of Elasticsearch the `service.name` could contain the cluster name. + For Beats the `service.name` is by default a copy of the `service.type` field + if no name is specified.' + example: elasticsearch-metrics +- name: server + type: group + fields: + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Server domain. +- name: process + type: group + fields: + - name: pid + level: core + type: long + format: string + description: Process id. + example: 4242 + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + - name: ppid + level: extended + type: long + format: string + description: Parent process' pid. 
+ example: 4241 + - name: parent + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' +- name: rule + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: The name of the rule or signature generating the event. + example: BLOCK_DNS_over_TLS + default_field: false +- name: user_agent + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Unparsed user_agent string. + example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 + (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 +- name: http + type: group + fields: + - name: response + type: group + fields: + - name: body + type: group + fields: + - name: content + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: The full HTTP response body. 
+ example: Hello world + - name: request + type: group + fields: + - name: referrer + level: extended + type: keyword + ignore_above: 1024 + description: Referrer for this HTTP request. + example: https://blog.example.com/ + - name: method + level: extended + type: keyword + ignore_above: 1024 + description: 'HTTP request method. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: get, post, put +- name: geo + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + - name: region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec +- name: dns + type: group + fields: + - name: question + type: group + fields: + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of record being queried. + example: AAAA + - name: answers + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'The domain name to which this resource record pertains. + + If a chain of CNAME is being resolved, each answer''s `name` should be the + one that corresponds with the answer''s `data`. It should not simply be the + original `question.name` repeated.' + example: www.google.com + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of data contained in this resource record. 
+ example: CNAME diff --git a/packages/squid/0.1.0/dataset/log/fields/fields.yml b/packages/squid/0.1.0/dataset/log/fields/fields.yml new file mode 100644 index 0000000000..2abc947fe7 --- /dev/null +++ b/packages/squid/0.1.0/dataset/log/fields/fields.yml 
@@ -0,0 +1,1939 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. 
+ - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace
+ type: keyword
+ description: This key captures Workspace Description
+ - name: command
+ type: keyword
+ - name: event_category
+ type: keyword
+ - name: facilityname
+ type: keyword
+ - name: forensic_info
+ type: keyword
+ - name: jobname
+ type: keyword
+ - name: mode
+ type: keyword
+ - name: policy
+ type: keyword
+ - name: policy_waiver
+ type: keyword
+ - name: second
+ type: keyword
+ - name: space1
+ type: keyword
+ - name: subcategory
+ type: keyword
+ - name: tbdstr2
+ type: keyword
+ - name: alert_id
+ type: keyword
+ description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: checksum_dst
+ type: keyword
+ description: This key is used to capture the checksum or hash of the the target
+ entity such as a process or file.
+ - name: checksum_src
+ type: keyword
+ description: This key is used to capture the checksum or hash of the source
+ entity such as a file or process.
+ - name: fresult
+ type: long
+ description: This key captures the Filter Result
+ - name: payload_dst
+ type: keyword
+ description: This key is used to capture destination payload
+ - name: payload_src
+ type: keyword
+ description: This key is used to capture source payload
+ - name: pool_id
+ type: keyword
+ description: This key captures the identifier (typically numeric field) of a
+ resource pool
+ - name: process_id_val
+ type: keyword
+ description: This key is a failure key for Process ID when it is not an integer
+ value
+ - name: risk_num_comm
+ type: double
+ description: This key captures Risk Number Community
+ - name: risk_num_next
+ type: double
+ description: This key captures Risk Number NextGen
+ - name: risk_num_sand
+ type: double
+ description: This key captures Risk Number SandBox
+ - name: risk_num_static
+ type: double
+ description: This key captures Risk Number Static
+ - name: risk_suspicious
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: risk_warning
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: snmp_oid
+ type: keyword
+ description: SNMP Object Identifier
+ - name: sql
+ type: keyword
+ description: This key captures the SQL query
+ - name: vuln_ref
+ type: keyword
+ description: This key captures the Vulnerability Reference details
+ - name: acl_id
+ type: keyword
+ - name: acl_op
+ type: keyword
+ - name: acl_pos
+ type: keyword
+ - name: acl_table
+ type: keyword
+ - name: admin
+ type: keyword
+ - name: alarm_id
+ type: keyword
+ - name: alarmname
+ type: keyword
+ - name: app_id
+ type: keyword
+ - name: audit
+ type: keyword
+ - name: audit_object
+ type: keyword
+ - name: auditdata
+ type: keyword
+ - name: benchmark
+ type: keyword
+ - name: bypass
+ type: keyword
+ - name: cache
+ type: keyword
+ - name: cache_hit
+ type: keyword
+ - name: cefversion
+ type: keyword
+ - name: cfg_attr
+ type: keyword
+ - name: cfg_obj
+ type: keyword
+ - name: cfg_path
+ type: keyword
+ - name: changes
+ type: keyword
+ - name: client_ip
+ type: keyword
+ - name: clustermembers
+ type: keyword
+ - name: cn_acttimeout
+ type: keyword
+ - name: cn_asn_src
+ type: keyword
+ - name: cn_bgpv4nxthop
+ type: keyword
+ - name: cn_ctr_dst_code
+ type: keyword
+ - name: cn_dst_tos
+ type: keyword
+ - name: cn_dst_vlan
+ type: keyword
+ - name: cn_engine_id
+ type: keyword
+ - name: cn_engine_type
+ type: keyword
+ - name: cn_f_switch
+ type: keyword
+ - name: cn_flowsampid
+ type: keyword
+ - name: cn_flowsampintv
+ type: keyword
+ - name: cn_flowsampmode
+ type: keyword
+ - name: cn_inacttimeout
+ type: keyword
+ - name: cn_inpermbyts
+ type: keyword
+ - name: cn_inpermpckts
+ type: keyword
+ - name: cn_invalid
+ type: keyword
+ - name: cn_ip_proto_ver
+ type: keyword
+ - name: cn_ipv4_ident
+ type: keyword
+ - name: cn_l_switch
+ type: keyword
+ - name: cn_log_did
+ type: keyword
+ - name: cn_log_rid
+ type: keyword
+ - name: cn_max_ttl
+ type: keyword
+ - name: cn_maxpcktlen
+ type: keyword
+ - name: cn_min_ttl
+ type: keyword
+ - name: cn_minpcktlen
+ type: keyword
+ - name: cn_mpls_lbl_1
+ type: keyword
+ - name: cn_mpls_lbl_10
+ type: keyword
+ - name: cn_mpls_lbl_2
+ type: keyword
+ - name: cn_mpls_lbl_3
+ type: keyword
+ - name: cn_mpls_lbl_4
+ type: keyword
+ - name: cn_mpls_lbl_5
+ type: keyword
+ - name: cn_mpls_lbl_6
+ type: keyword
+ - name: cn_mpls_lbl_7
+ type: keyword
+ - name: cn_mpls_lbl_8
+ type: keyword
+ - name: cn_mpls_lbl_9
+ type: keyword
+ - name: cn_mplstoplabel
+ type: keyword
+ - name: cn_mplstoplabip
+ type: keyword
+ - name: cn_mul_dst_byt
+ type: keyword
+ - name: cn_mul_dst_pks
+ type: keyword
+ - name: cn_muligmptype
+ type: keyword
+ - name: cn_sampalgo
+ type: keyword
+ - name: cn_sampint
+ type: keyword
+ - name: cn_seqctr
+ type: keyword
+ - name: cn_spackets
+ type: keyword
+ - name: cn_src_tos
+ type: keyword
+ - name: cn_src_vlan
+ type: keyword
+ - name: cn_sysuptime
+ type: keyword
+ - name: cn_template_id
+ type: keyword
+ - name: cn_totbytsexp
+ type: keyword
+ - name: cn_totflowexp
+ type: keyword
+ - name: cn_totpcktsexp
+ type: keyword
+ - name: cn_unixnanosecs
+ type: keyword
+ - name: cn_v6flowlabel
+ type: keyword
+ - name: cn_v6optheaders
+ type: keyword
+ - name: comp_class
+ type: keyword
+ - name: comp_name
+ type: keyword
+ - name: comp_rbytes
+ type: keyword
+ - name: comp_sbytes
+ type: keyword
+ - name: cpu_data
+ type: keyword
+ - name: criticality
+ type: keyword
+ - name: cs_agency_dst
+ type: keyword
+ - name: cs_analyzedby
+ type: keyword
+ - name: cs_av_other
+ type: keyword
+ - name: cs_av_primary
+ type: keyword
+ - name: cs_av_secondary
+ type: keyword
+ - name: cs_bgpv6nxthop
+ type: keyword
+ - name: cs_bit9status
+ type: keyword
+ - name: cs_context
+ type: keyword
+ - name: cs_control
+ type: keyword
+ - name: cs_data
+ type: keyword
+ - name: cs_datecret
+ type: keyword
+ - name: cs_dst_tld
+ type: keyword
+ - name: cs_eth_dst_ven
+ type: keyword
+ - name: cs_eth_src_ven
+ type: keyword
+ - name: cs_event_uuid
+ type: keyword
+ - name: cs_filetype
+ type: keyword
+ - name: cs_fld
+ type: keyword
+ - name: cs_if_desc
+ type: keyword
+ - name: cs_if_name
+ type: keyword
+ - name: cs_ip_next_hop
+ type: keyword
+ - name: cs_ipv4dstpre
+ type: keyword
+ - name: cs_ipv4srcpre
+ type: keyword
+ - name: cs_lifetime
+ type: keyword
+ - name: cs_log_medium
+ type: keyword
+ - name: cs_loginname
+ type: keyword
+ - name: cs_modulescore
+ type: keyword
+ - name: cs_modulesign
+ type: keyword
+ - name: cs_opswatresult
+ type: keyword
+ - name: cs_payload
+ type: keyword
+ - name: cs_registrant
+ type: keyword
+ - name: cs_registrar
+ type: keyword
+ - name: cs_represult
+ type: keyword
+ - name: cs_rpayload
+ type: keyword
+ - name: cs_sampler_name
+ type: keyword
+ - name: cs_sourcemodule
+ type: keyword
+ - name: cs_streams
+ type: keyword
+ - name: cs_targetmodule
+ type: keyword
+ - name: cs_v6nxthop
+ type: keyword
+ - name: cs_whois_server
+ type: keyword
+ - name: cs_yararesult
+ type: keyword
+ - name: description
+ type: keyword
+ - name: devvendor
+ type: keyword
+ - name: distance
+ type: keyword
+ - name: dstburb
+ type: keyword
+ - name: edomain
+ type: keyword
+ - name: edomaub
+ type: keyword
+ - name: euid
+ type: keyword
+ - name: facility
+ type: keyword
+ - name: finterface
+ type: keyword
+ - name: flags
+ type: keyword
+ - name: gaddr
+ type: keyword
+ - name: id3
+ type: keyword
+ - name: im_buddyname
+ type: keyword
+ - name: im_croomid
+ type: keyword
+ - name: im_croomtype
+ type: keyword
+ - name: im_members
+ type: keyword
+ - name: im_username
+ type: keyword
+ - name: ipkt
+ type: keyword
+ - name: ipscat
+ type: keyword
+ - name: ipspri
+ type: keyword
+ - name: latitude
+ type: keyword
+ - name: linenum
+ type: keyword
+ - name: list_name
+ type: keyword
+ - name: load_data
+ type: keyword
+ - name: location_floor
+ type: keyword
+ - name: location_mark
+ type: keyword
+ - name: log_id
+ type: keyword
+ - name: log_type
+ type: keyword
+ - name: logid
+ type: keyword
+ - name: logip
+ type: keyword
+ - name: logname
+ type: keyword
+ - name: longitude
+ type: keyword
+ - name: lport
+ type: keyword
+ - name: mbug_data
+ type: keyword
+ - name: misc_name
+ type: keyword
+ - name: msg_type
+ type: keyword
+ - name: msgid
+ type: keyword
+ - name: netsessid
+ type: keyword
+ - name: num
+ type: keyword
+ - name: number1
+ type: keyword
+ - name: number2
+ type: keyword
+ - name: nwwn
+ type: keyword
+ - name: object
+ type: keyword
+ - name: operation
+ type: keyword
+ - name: opkt
+ type: keyword
+ - name: orig_from
+ type: keyword
+ - name: owner_id
+ type: keyword
+ - name: p_action
+ type: keyword
+ - name: p_filter
+ type: keyword
+ - name: p_group_object
+ type: keyword
+ - name: p_id
+ type: keyword
+ - name: p_msgid1
+ type: keyword
+ - name: p_msgid2
+ type: keyword
+ - name: p_result1
+ type: keyword
+ - name: password_chg
+ type: keyword
+ - name: password_expire
+ type: keyword
+ - name: permgranted
+ type: keyword
+ - name: permwanted
+ type: keyword
+ - name: pgid
+ type: keyword
+ - name: policyUUID
+ type: keyword
+ - name: prog_asp_num
+ type: keyword
+ - name: program
+ type: keyword
+ - name: real_data
+ type: keyword
+ - name: rec_asp_device
+ type: keyword
+ - name: rec_asp_num
+ type: keyword
+ - name: rec_library
+ type: keyword
+ - name: recordnum
+ type: keyword
+ - name: ruid
+ type: keyword
+ - name: sburb
+ type: keyword
+ - name: sdomain_fld
+ type: keyword
+ - name: sec
+ type: keyword
+ - name: sensorname
+ type: keyword
+ - name: seqnum
+ type: keyword
+ - name: session
+ type: keyword
+ - name: sessiontype
+ type: keyword
+ - name: sigUUID
+ type: keyword
+ - name: spi
+ type: keyword
+ - name: srcburb
+ type: keyword
+ - name: srcdom
+ type: keyword
+ - name: srcservice
+ type: keyword
+ - name: state
+ type: keyword
+ - name: status1
+ type: keyword
+ - name: svcno
+ type: keyword
+ - name: system
+ type: keyword
+ - name: tbdstr1
+ type: keyword
+ - name: tgtdom
+ type: keyword
+ - name: tgtdomain
+ type: keyword
+ - name: threshold
+ type: keyword
+ - name: type1
+ type: keyword
+ - name: udb_class
+ type: keyword
+ - name: url_fld
+ type: keyword
+ - name: user_div
+ type: keyword
+ - name: userid
+ type: keyword
+ - name: username_fld
+ type: keyword
+ - name: utcstamp
+ type: keyword
+ - name: v_instafname
+ type: keyword
+ - name: virt_data
+ type: keyword
+ - name: vpnid
+ type: keyword
+ - name: autorun_type
+ type: keyword
+ description: This is used to capture Auto Run type
+ - name: cc_number
+ type: long
+ description: Valid Credit Card Numbers only
+ - name: content
+ type: keyword
+ description: This key captures the content type from protocol headers
+ - name: ein_number
+ type: long
+ description: Employee Identification Numbers only
+ - name: found
+ type: keyword
+ description: This is used to capture the results of regex match
+ - name: language
+ type: keyword
+ description: This is used to capture list of languages the client support and
+ what it prefers
+ - name: lifetime
+ type: long
+ description: This key is used to capture the session lifetime in seconds.
+ - name: link
+ type: keyword
+ description: This key is used to link the sessions together. This key should
+ never be used to parse Meta data from a session (Logs/Packets) Directly, this
+ is a Reserved key in NetWitness
+ - name: match
+ type: keyword
+ description: This key is for regex match name from search.ini
+ - name: param_dst
+ type: keyword
+ description: This key captures the command line/launch argument of the target
+ process or file
+ - name: param_src
+ type: keyword
+ description: This key captures source parameter
+ - name: search_text
+ type: keyword
+ description: This key captures the Search Text used
+ - name: sig_name
+ type: keyword
+ description: This key is used to capture the Signature Name only.
+ - name: snmp_value
+ type: keyword
+ description: SNMP set request value
+ - name: streams
+ type: long
+ description: This key captures number of streams in session
+ - name: db
+ type: group
+ fields:
+ - name: index
+ type: keyword
+ description: This key captures IndexID of the index.
+ - name: instance
+ type: keyword
+ description: This key is used to capture the database server instance name
+ - name: database
+ type: keyword
+ description: This key is used to capture the name of a database or an instance
+ as seen in a session
+ - name: transact_id
+ type: keyword
+ description: This key captures the SQL transantion ID of the current session
+ - name: permissions
+ type: keyword
+ description: This key captures permission or privilege level assigned to a resource.
+ - name: table_name
+ type: keyword
+ description: This key is used to capture the table name
+ - name: db_id
+ type: keyword
+ description: This key is used to capture the unique identifier for a database
+ - name: db_pid
+ type: long
+ description: This key captures the process id of a connection with database
+ server
+ - name: lread
+ type: long
+ description: This key is used for the number of logical reads
+ - name: lwrite
+ type: long
+ description: This key is used for the number of logical writes
+ - name: pread
+ type: long
+ description: This key is used for the number of physical writes
+ - name: network
+ type: group
+ fields:
+ - name: alias_host
+ type: keyword
+ description: This key should be used when the source or destination context
+ of a hostname is not clear.Also it captures the Device Hostname. Any Hostname
+ that isnt ad.computer.
+ - name: domain
+ type: keyword
+ - name: host_dst
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Hostname"
+ - name: network_service
+ type: keyword
+ description: This is used to capture layer 7 protocols/service names
+ - name: interface
+ type: keyword
+ description: This key should be used when the source or destination context
+ of an interface is not clear
+ - name: network_port
+ type: long
+ description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
+ used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
+ - name: eth_host
+ type: keyword
+ description: Deprecated, use alias.mac
+ - name: sinterface
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Interface"
+ - name: dinterface
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Interface"
+ - name: vlan
+ type: long
+ description: This key should only be used to capture the ID of the Virtual LAN
+ - name: zone_src
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Zone."
+ - name: zone
+ type: keyword
+ description: This key should be used when the source or destination context
+ of a Zone is not clear
+ - name: zone_dst
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Zone."
+ - name: gateway
+ type: keyword
+ description: This key is used to capture the IP Address of the gateway
+ - name: icmp_type
+ type: long
+ description: This key is used to capture the ICMP type only
+ - name: mask
+ type: keyword
+ description: This key is used to capture the device network IPmask.
+ - name: icmp_code
+ type: long
+ description: This key is used to capture the ICMP code only
+ - name: protocol_detail
+ type: keyword
+ description: This key should be used to capture additional protocol information
+ - name: dmask
+ type: keyword
+ description: This key is used for Destionation Device network mask
+ - name: port
+ type: long
+ description: This key should only be used to capture a Network Port when the
+ directionality is not clear
+ - name: smask
+ type: keyword
+ description: This key is used for capturing source Network Mask
+ - name: netname
+ type: keyword
+ description: This key is used to capture the network name associated with an
+ IP range. This is configured by the end user.
+ - name: paddr
+ type: ip
+ description: Deprecated
+ - name: faddr
+ type: keyword
+ - name: lhost
+ type: keyword
+ - name: origin
+ type: keyword
+ - name: remote_domain_id
+ type: keyword
+ - name: addr
+ type: keyword
+ - name: dns_a_record
+ type: keyword
+ - name: dns_ptr_record
+ type: keyword
+ - name: fhost
+ type: keyword
+ - name: fport
+ type: keyword
+ - name: laddr
+ type: keyword
+ - name: linterface
+ type: keyword
+ - name: phost
+ type: keyword
+ - name: ad_computer_dst
+ type: keyword
+ description: Deprecated, use host.dst
+ - name: eth_type
+ type: long
+ description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
+ Only
+ - name: ip_proto
+ type: long
+ description: This key should be used to capture the Protocol number, all the
+ protocol nubers are converted into string in UI
+ - name: dns_cname_record
+ type: keyword
+ - name: dns_id
+ type: keyword
+ - name: dns_opcode
+ type: keyword
+ - name: dns_resp
+ type: keyword
+ - name: dns_type
+ type: keyword
+ - name: domain1
+ type: keyword
+ - name: host_type
+ type: keyword
+ - name: packet_length
+ type: keyword
+ - name: host_orig
+ type: keyword
+ description: This is used to capture the original hostname in case of a Forwarding
+ Agent or a Proxy in between.
+ - name: rpayload
+ type: keyword
+ description: This key is used to capture the total number of payload bytes seen
+ in the retransmitted packets.
+ - name: vlan_name
+ type: keyword
+ description: This key should only be used to capture the name of the Virtual
+ LAN
+ - name: investigations
+ type: group
+ fields:
+ - name: ec_activity
+ type: keyword
+ description: This key captures the particular event activity(Ex:Logoff)
+ - name: ec_theme
+ type: keyword
+ description: This key captures the Theme of a particular Event(Ex:Authentication)
+ - name: ec_subject
+ type: keyword
+ description: This key captures the Subject of a particular Event(Ex:User)
+ - name: ec_outcome
+ type: keyword
+ description: This key captures the outcome of a particular Event(Ex:Success)
+ - name: event_cat
+ type: long
+ description: This key captures the Event category number
+ - name: event_cat_name
+ type: keyword
+ description: This key captures the event category name corresponding to the
+ event cat code
+ - name: event_vcat
+ type: keyword
+ description: This is a vendor supplied category. This should be used in situations
+ where the vendor has adopted their own event_category taxonomy.
+ - name: analysis_file
+ type: keyword
+ description: This is used to capture all indicators used in a File Analysis.
+ This key should be used to capture an analysis of a file
+ - name: analysis_service
+ type: keyword
+ description: This is used to capture all indicators used in a Service Analysis.
+ This key should be used to capture an analysis of a service
+ - name: analysis_session
+ type: keyword
+ description: This is used to capture all indicators used for a Session Analysis.
+ This key should be used to capture an analysis of a session
+ - name: boc
+ type: keyword
+ description: This is used to capture behaviour of compromise
+ - name: eoc
+ type: keyword
+ description: This is used to capture Enablers of Compromise
+ - name: inv_category
+ type: keyword
+ description: This used to capture investigation category
+ - name: inv_context
+ type: keyword
+ description: This used to capture investigation context
+ - name: ioc
+ type: keyword
+ description: This is key capture indicator of compromise
+ - name: counters
+ type: group
+ fields:
+ - name: dclass_c1
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c1.str only
+ - name: dclass_c2
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c2.str only
+ - name: event_counter
+ type: long
+ description: This is used to capture the number of times an event repeated
+ - name: dclass_r1
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r1.str only
+ - name: dclass_c3
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c3.str only
+ - name: dclass_c1_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c1 only
+ - name: dclass_c2_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c2 only
+ - name: dclass_r1_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r1 only
+ - name: dclass_r2
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r2.str only
+ - name: dclass_c3_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c3 only
+ - name: dclass_r3
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r3.str only
+ - name: dclass_r2_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r2 only
+ - name: dclass_r3_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r3 only
+ - name: identity
+ type: group
+ fields:
+ - name: auth_method
+ type: keyword
+ description: This key is used to capture authentication methods used only
+ - name: user_role
+ type: keyword
+ description: This key is used to capture the Role of a user only
+ - name: dn
+ type: keyword
+ description: X.500 (LDAP) Distinguished Name
+ - name: logon_type
+ type: keyword
+ description: This key is used to capture the type of logon method used.
+ - name: profile
+ type: keyword
+ description: This key is used to capture the user profile
+ - name: accesses
+ type: keyword
+ description: This key is used to capture actual privileges used in accessing
+ an object
+ - name: realm
+ type: keyword
+ description: Radius realm or similar grouping of accounts
+ - name: user_sid_dst
+ type: keyword
+ description: This key captures Destination User Session ID
+ - name: dn_src
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that is used in a context that
+ indicates a Source dn
+ - name: org
+ type: keyword
+ description: This key captures the User organization
+ - name: dn_dst
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that used in a context that
+ indicates a Destination dn
+ - name: firstname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: lastname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: user_dept
+ type: keyword
+ description: User's Department Names only
+ - name: user_sid_src
+ type: keyword
+ description: This key captures Source User Session ID
+ - name: federated_sp
+ type: keyword
+ description: This key is the Federated Service Provider. This is the application
+ requesting authentication.
+ - name: federated_idp
+ type: keyword
+ description: This key is the federated Identity Provider. This is the server
+ providing the authentication.
+ - name: logon_type_desc
+ type: keyword
+ description: This key is used to capture the textual description of an integer
+ logon type as stored in the meta key 'logon.type'.
+ - name: middlename
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: password
+ type: keyword
+ description: This key is for Passwords seen in any session, plain text or encrypted
+ - name: host_role
+ type: keyword
+ description: This key should only be used to capture the role of a Host Machine
+ - name: ldap
+ type: keyword
+ description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
+ t have a clear query or response context"
+ - name: ldap_query
+ type: keyword
+ description: This key is the Search criteria from an LDAP search
+ - name: ldap_response
+ type: keyword
+ description: This key is to capture Results from an LDAP search
+ - name: owner
+ type: keyword
+ description: This is used to capture username the process or service is running
+ as, the author of the task
+ - name: service_account
+ type: keyword
+ description: This key is a windows specific key, used for capturing name of
+ the account a service (referenced in the event) is running under. Legacy Usage
+ - name: email
+ type: group
+ fields:
+ - name: email_dst
+ type: keyword
+ description: This key is used to capture the Destination email address only,
+ when the destination context is not clear use email
+ - name: email_src
+ type: keyword
+ description: This key is used to capture the source email address only, when
+ the source context is not clear use email
+ - name: subject
+ type: keyword
+ description: This key is used to capture the subject string from an Email only.
+ - name: email
+ type: keyword
+ description: This key is used to capture a generic email address where the source
+ or destination context is not clear
+ - name: trans_from
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: trans_to
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: file
+ type: group
+ fields:
+ - name: privilege
+ type: keyword
+ description: Deprecated, use permissions
+ - name: attachment
+ type: keyword
+ description: This key captures the attachment file name
+ - name: filesystem
+ type: keyword
+ - name: binary
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: filename_dst
+ type: keyword
+ description: This is used to capture name of the file targeted by the action
+ - name: filename_src
+ type: keyword
+ description: This is used to capture name of the parent filename, the file which
+ performed the action
+ - name: filename_tmp
+ type: keyword
+ - name: directory_dst
+ type: keyword
+ description: This key is used to capture the directory of the target process
+ or file
+ - name: directory_src
+ type: keyword
+ description: This key is used to capture the directory of the source process
+ or file
+ - name: file_entropy
+ type: double
+ description: This is used to capture entropy vale of a file
+ - name: file_vendor
+ type: keyword
+ description: This is used to capture Company name of file located in version_info
+ - name: task_name
+ type: keyword
+ description: This is used to capture name of the task
+ - name: web
+ type: group
+ fields:
+ - name: fqdn
+ type: keyword
+ description: Fully Qualified Domain Names
+ - name: web_cookie
+ type: keyword
+ description: This key is used to capture the Web cookies specifically.
+ - name: alias_host
+ type: keyword
+ - name: reputation_num
+ type: double
+ description: Reputation Number of an entity. Typically used for Web Domains
+ - name: web_ref_domain
+ type: keyword
+ description: Web referer's domain
+ - name: web_ref_query
+ type: keyword
+ description: This key captures Web referer's query portion of the URL
+ - name: remote_domain
+ type: keyword
+ - name: web_ref_page
+ type: keyword
+ description: This key captures Web referer's page information
+ - name: web_ref_root
+ type: keyword
+ description: Web referer's root URL path
+ - name: cn_asn_dst
+ type: keyword
+ - name: cn_rpackets
+ type: keyword
+ - name: urlpage
+ type: keyword
+ - name: urlroot
+ type: keyword
+ - name: p_url
+ type: keyword
+ - name: p_user_agent
+ type: keyword
+ - name: p_web_cookie
+ type: keyword
+ - name: p_web_method
+ type: keyword
+ - name: p_web_referer
+ type: keyword
+ - name: web_extension_tmp
+ type: keyword
+ - name: web_page
+ type: keyword
+ - name: threat
+ type: group
+ fields:
+ - name: threat_category
+ type: keyword
+ description: This key captures Threat Name/Threat Category/Categorization of
+ alert
+ - name: threat_desc
+ type: keyword
+ description: This key is used to capture the threat description from the session
+ directly or inferred
+ - name: alert
+ type: keyword
+ description: This key is used to capture name of the alert
+ - name: threat_source
+ type: keyword
+ description: This key is used to capture source of the threat
+ - name: crypto
+ type: group
+ fields:
+ - name: crypto
+ type: keyword
+ description: This key is used to capture the Encryption Type or Encryption Key
+ only
+ - name: cipher_src
+ type: keyword
+ description: This key is for Source (Client) Cipher
+ - name: cert_subject
+ type: keyword
+ description: This key is used to capture the Certificate organization only
+ - name: peer
+ type: keyword
+ description: This key is for Encryption peer's IP Address
+ - name: cipher_size_src
+ type: long
+ description: This key captures Source (Client) Cipher Size
+ - name: ike
+ type: keyword
+ description: IKE negotiation phase.
+ - name: scheme
+ type: keyword
+ description: This key captures the Encryption scheme used
+ - name: peer_id
+ type: keyword
+ description: "This key is for Encryption peer\u2019s identity"
+ - name: sig_type
+ type: keyword
+ description: This key captures the Signature Type
+ - name: cert_issuer
+ type: keyword
+ - name: cert_host_name
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: cert_error
+ type: keyword
+ description: This key captures the Certificate Error String
+ - name: cipher_dst
+ type: keyword
+ description: This key is for Destination (Server) Cipher
+ - name: cipher_size_dst
+ type: long
+ description: This key captures Destination (Server) Cipher Size
+ - name: ssl_ver_src
+ type: keyword
+ description: Deprecated, use version
+ - name: d_certauth
+ type: keyword
+ - name: s_certauth
+ type: keyword
+ - name: ike_cookie1
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
+ - name: ike_cookie2
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
+ - name: cert_checksum
+ type: keyword
+ - name: cert_host_cat
+ type: keyword
+ description: This key is used for the hostname category value of a certificate
+ - name: cert_serial
+ type: keyword
+ description: This key is used to capture the Certificate serial number only
+ - name: cert_status
+ type: keyword
+ description: This key captures Certificate validation status
+ - name: ssl_ver_dst
+ type: keyword
+ description: Deprecated, use version
+ - name: cert_keysize
+ type: keyword
+ - name: cert_username
+ type: keyword
+ - name: https_insact
+ type: keyword
+ - name: https_valid
+ type: keyword
+ - name: cert_ca
+ type: keyword
+ description: This key is used to capture the Certificate signing authority only
+ - name: cert_common
+ type: keyword
+ description: This key is used to capture the Certificate common name only
+ - name: wireless
+ type: group
+ fields:
+ - name: wlan_ssid
+ type: keyword
+ description: This key is used to capture the ssid of a Wireless Session
+ - name: access_point
+ type: keyword
+ description: This key is used to capture the access point name.
+ - name: wlan_channel
+ type: long
+ description: This is used to capture the channel names
+ - name: wlan_name
+ type: keyword
+ description: This key captures either WLAN number/name
+ - name: storage
+ type: group
+ fields:
+ - name: disk_volume
+ type: keyword
+ description: A unique name assigned to logical units (volumes) within a physical
+ disk
+ - name: lun
+ type: keyword
+ description: Logical Unit Number.This key is a very useful concept in Storage.
+ - name: pwwn
+ type: keyword
+ description: This uniquely identifies a port on a HBA.
+ - name: physical
+ type: group
+ fields:
+ - name: org_dst
+ type: keyword
+ description: This is used to capture the destination organization based on the
+ GEOPIP Maxmind database.
+ - name: org_src
+ type: keyword
+ description: This is used to capture the source organization based on the GEOPIP
+ Maxmind database.
+ - name: healthcare
+ type: group
+ fields:
+ - name: patient_fname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ type: group
+ fields:
+ - name: host_state
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/packages/squid/0.1.0/dataset/log/manifest.yml b/packages/squid/0.1.0/dataset/log/manifest.yml
new file mode 100644
index 0000000000..f628992596
--- /dev/null
+++ b/packages/squid/0.1.0/dataset/log/manifest.yml
@@ -0,0 +1,155 @@
+title: Squid logs
+release: experimental
+type: logs
+streams:
+- input: udp
+ title: Squid logs
+ description: Collect Squid logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - squid-log
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9520
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: tcp
+ title: Squid logs
+ description: Collect Squid logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - squid-log
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9520
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: file
+ title: Squid logs
+ description: Collect Squid logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/squid-log.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - squid-log
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
diff --git a/packages/squid/0.1.0/docs/README.md b/packages/squid/0.1.0/docs/README.md
new file mode 100644
index 0000000000..e9d3db7949
--- /dev/null
+++ b/packages/squid/0.1.0/docs/README.md
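Review bot: The `tcp` stream exposes only `tcp_host` and `tcp_port` and no TLS or client-authentication setting, so as soon as an operator moves `tcp_host` off the `localhost` default the Squid syslog feed crosses the network in cleartext and any host that can reach port 9520 can inject records into this dataset; the `udp` stream has the same exposure plus a trivially spoofable source address. I would add an `ssl` var to the `tcp` stream, placed after `tcp_port`, so the listener can at least be configured for server-side TLS and, where the forwarder supports it, client-certificate verification; `tcp.yml.hbs` is outside this hunk and would need to pass the value through, presumably as `ssl: {{ssl}}`. Separately, `rsa_fields` defaults to `true` in all three streams and, per this package's README, that field set includes `rsa.identity.password` ("Passwords seen in any session, plain text or encrypted"), so consider whether credentials appearing in proxy logs should be indexed by default or whether the title should at least warn about it.
```yaml
  # … unchanged: tcp_host and tcp_port vars …
  - name: ssl
    type: yaml
    title: SSL Configuration
    description: TLS settings for the TCP listener (certificate, key, client verification). Leave empty for a plaintext listener, which should then be bound only to localhost.
    required: false
    show_user: false
  # … unchanged: tz_offset, rsa_fields, keep_raw_fields, debug vars …
```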
@@ -0,0 +1,780 @@ +# Squid integration + +This integration is for Squid device's logs. It includes the following +datasets for receiving logs over syslog or read from a file: +- `log` dataset: supports Squid logs. + +### Log + +The `log` dataset collects Squid logs. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| dataset.name | Dataset name. | constant_keyword | +| dataset.namespace | Dataset namespace. | constant_keyword | +| dataset.type | Dataset type. | constant_keyword | +| datastream.dataset | Datastream dataset. | constant_keyword | +| datastream.namespace | Datastream namespace. | constant_keyword | +| datastream.type | Datastream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | Destination domain. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location.lat | | double | +| destination.geo.location.lon | | double | +| destination.ip | IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses. | ip | +| destination.mac | MAC address of the destination. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. 
| keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| http.request.method | HTTP request method. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.body.content | The full HTTP response body. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. 
| keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | +| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.pid | Process id. | long | +| process.ppid | Parent process' pid. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. 
| keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is 
used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| rsa.crypto.ike | IKE negotiation phase. 
| keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | +| rsa.file.directory_dst | This key is used to capture the directory of the target process or file | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | +| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.event_desc | | keyword | +| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | +| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | +| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.inode | Deprecated key defined only in table map. | long | +| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | +| rsa.internal.level | Deprecated key defined only in table map. | long | +| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | +| rsa.internal.message | This key captures the contents of instant messages | keyword | +| rsa.internal.messageid | | keyword | +| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | +| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.site | Deprecated key defined only in table map. | keyword | +| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.statement | Deprecated key defined only in table map. | keyword | +| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | +| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | +| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | +| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | +| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | +| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | +| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | +| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | +| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | +| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | +| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | +| rsa.investigations.event_cat | This key captures the Event category number | long | +| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | +| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | +| rsa.investigations.inv_category | This used to capture investigation category | keyword | +| rsa.investigations.inv_context | This used to capture investigation context | keyword | +| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | +| rsa.misc.OS | This key captures the Name of the Operating System | keyword | +| rsa.misc.acl_id | | keyword | +| rsa.misc.acl_op | | keyword | +| rsa.misc.acl_pos | | keyword | +| rsa.misc.acl_table | | keyword | +| rsa.misc.action | | keyword | +| rsa.misc.admin | | keyword | +| rsa.misc.agent_id | This key is used to capture agent id | keyword | +| rsa.misc.alarm_id | | keyword | +| rsa.misc.alarmname | | keyword | +| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.app_id | | keyword | +| rsa.misc.audit | | keyword | +| rsa.misc.audit_object | | keyword | +| rsa.misc.auditdata | | keyword | +| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | +| rsa.misc.benchmark | | keyword | +| rsa.misc.bypass | | keyword | +| rsa.misc.cache | | keyword | +| rsa.misc.cache_hit | | keyword | +| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | +| rsa.misc.cc_number | Valid Credit Card Numbers only | long | +| rsa.misc.cefversion | | keyword | +| rsa.misc.cfg_attr | | keyword | +| rsa.misc.cfg_obj | | keyword | +| rsa.misc.cfg_path | | keyword | +| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | +| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | +| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | +| rsa.misc.changes | | keyword | +| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | +| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | +| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | +| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | +| rsa.misc.client_ip | | keyword | +| rsa.misc.clustermembers | | keyword | +| rsa.misc.cmd | | keyword | +| rsa.misc.cn_acttimeout | | keyword | +| rsa.misc.cn_asn_src | | keyword | +| rsa.misc.cn_bgpv4nxthop | | keyword | +| rsa.misc.cn_ctr_dst_code | | keyword | +| rsa.misc.cn_dst_tos | | keyword | +| rsa.misc.cn_dst_vlan | | keyword | +| rsa.misc.cn_engine_id | | keyword | +| rsa.misc.cn_engine_type | | keyword | +| rsa.misc.cn_f_switch | | keyword | +| rsa.misc.cn_flowsampid | | keyword | +| rsa.misc.cn_flowsampintv | | keyword | +| rsa.misc.cn_flowsampmode | | keyword | +| rsa.misc.cn_inacttimeout | | keyword | +| rsa.misc.cn_inpermbyts | | keyword | +| rsa.misc.cn_inpermpckts | | keyword | +| rsa.misc.cn_invalid | | keyword | +| rsa.misc.cn_ip_proto_ver | | keyword | +| rsa.misc.cn_ipv4_ident | | keyword | +| rsa.misc.cn_l_switch | | keyword | +| rsa.misc.cn_log_did | | keyword | +| rsa.misc.cn_log_rid | | keyword | +| rsa.misc.cn_max_ttl | | keyword | +| rsa.misc.cn_maxpcktlen | | keyword | +| rsa.misc.cn_min_ttl | | keyword | +| rsa.misc.cn_minpcktlen | | keyword | +| rsa.misc.cn_mpls_lbl_1 | | keyword | +| rsa.misc.cn_mpls_lbl_10 | | keyword | +| rsa.misc.cn_mpls_lbl_2 | | keyword | +| rsa.misc.cn_mpls_lbl_3 | | keyword | +| rsa.misc.cn_mpls_lbl_4 | | keyword | +| rsa.misc.cn_mpls_lbl_5 | 
| keyword | +| rsa.misc.cn_mpls_lbl_6 | | keyword | +| rsa.misc.cn_mpls_lbl_7 | | keyword | +| rsa.misc.cn_mpls_lbl_8 | | keyword | +| rsa.misc.cn_mpls_lbl_9 | | keyword | +| rsa.misc.cn_mplstoplabel | | keyword | +| rsa.misc.cn_mplstoplabip | | keyword | +| rsa.misc.cn_mul_dst_byt | | keyword | +| rsa.misc.cn_mul_dst_pks | | keyword | +| rsa.misc.cn_muligmptype | | keyword | +| rsa.misc.cn_sampalgo | | keyword | +| rsa.misc.cn_sampint | | keyword | +| rsa.misc.cn_seqctr | | keyword | +| rsa.misc.cn_spackets | | keyword | +| rsa.misc.cn_src_tos | | keyword | +| rsa.misc.cn_src_vlan | | keyword | +| rsa.misc.cn_sysuptime | | keyword | +| rsa.misc.cn_template_id | | keyword | +| rsa.misc.cn_totbytsexp | | keyword | +| rsa.misc.cn_totflowexp | | keyword | +| rsa.misc.cn_totpcktsexp | | keyword | +| rsa.misc.cn_unixnanosecs | | keyword | +| rsa.misc.cn_v6flowlabel | | keyword | +| rsa.misc.cn_v6optheaders | | keyword | +| rsa.misc.code | | keyword | +| rsa.misc.command | | keyword | +| rsa.misc.comments | Comment information provided in the log message | keyword | +| rsa.misc.comp_class | | keyword | +| rsa.misc.comp_name | | keyword | +| rsa.misc.comp_rbytes | | keyword | +| rsa.misc.comp_sbytes | | keyword | +| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | +| rsa.misc.connection_id | This key captures the Connection ID | keyword | +| rsa.misc.content | This key captures the content type from protocol headers | keyword | +| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | +| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | +| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | +| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | +| rsa.misc.context_target | | keyword | +| rsa.misc.count | | keyword | +| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | +| rsa.misc.cpu_data | | keyword | +| rsa.misc.criticality | | keyword | +| rsa.misc.cs_agency_dst | | keyword | +| rsa.misc.cs_analyzedby | | keyword | +| rsa.misc.cs_av_other | | keyword | +| rsa.misc.cs_av_primary | | keyword | +| rsa.misc.cs_av_secondary | | keyword | +| rsa.misc.cs_bgpv6nxthop | | keyword | +| rsa.misc.cs_bit9status | | keyword | +| rsa.misc.cs_context | | keyword | +| rsa.misc.cs_control | | keyword | +| rsa.misc.cs_data | | keyword | +| rsa.misc.cs_datecret | | keyword | +| rsa.misc.cs_dst_tld | | keyword | +| rsa.misc.cs_eth_dst_ven | | keyword | +| rsa.misc.cs_eth_src_ven | | keyword | +| rsa.misc.cs_event_uuid | | keyword | +| rsa.misc.cs_filetype | | keyword | +| rsa.misc.cs_fld | | keyword | +| rsa.misc.cs_if_desc | | keyword | +| rsa.misc.cs_if_name | | keyword | +| rsa.misc.cs_ip_next_hop | | keyword | +| rsa.misc.cs_ipv4dstpre | | keyword | +| rsa.misc.cs_ipv4srcpre | | keyword | +| rsa.misc.cs_lifetime | | keyword | +| rsa.misc.cs_log_medium | | keyword | +| rsa.misc.cs_loginname | | keyword | +| rsa.misc.cs_modulescore | | keyword | +| rsa.misc.cs_modulesign | | keyword | +| rsa.misc.cs_opswatresult | | keyword | +| rsa.misc.cs_payload | | keyword | +| rsa.misc.cs_registrant | | keyword | +| rsa.misc.cs_registrar | | keyword | +| rsa.misc.cs_represult | | keyword | +| rsa.misc.cs_rpayload | | keyword | +| rsa.misc.cs_sampler_name | | keyword | +| rsa.misc.cs_sourcemodule | | keyword | +| rsa.misc.cs_streams | | keyword | +| rsa.misc.cs_targetmodule | | keyword | +| rsa.misc.cs_v6nxthop | | keyword | +| rsa.misc.cs_whois_server | | keyword | +| rsa.misc.cs_yararesult | | keyword | +| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | +| rsa.misc.data_type | | keyword | +| rsa.misc.description | | keyword | +| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | +| rsa.misc.devvendor | | keyword | +| rsa.misc.disposition | This key captures the The end state of an action. | keyword | +| rsa.misc.distance | | keyword | +| rsa.misc.doc_number | This key captures File Identification number | long | +| rsa.misc.dstburb | | keyword | +| rsa.misc.edomain | | keyword | +| rsa.misc.edomaub | | keyword | +| rsa.misc.ein_number | Employee Identification Numbers only | long | +| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | +| rsa.misc.euid | | keyword | +| rsa.misc.event_category | | keyword | +| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | +| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | +| rsa.misc.event_id | | keyword | +| rsa.misc.event_log | This key captures the Name of the event log | keyword | +| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | +| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | +| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | +| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | +| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | +| rsa.misc.facility | | keyword | +| rsa.misc.facilityname | | keyword | +| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | +| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | +| rsa.misc.finterface | | keyword | +| rsa.misc.flags | | keyword | +| rsa.misc.forensic_info | | keyword | +| rsa.misc.found | This is used to capture the results of regex match | keyword | +| rsa.misc.fresult | This key captures the Filter Result | long | +| rsa.misc.gaddr | | keyword | +| rsa.misc.group | This key captures the Group Name value | keyword | +| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | +| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | +| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | +| rsa.misc.id3 | | keyword | +| rsa.misc.im_buddyid | | keyword | +| rsa.misc.im_buddyname | | keyword | +| rsa.misc.im_client | | keyword | +| rsa.misc.im_croomid | | keyword | +| rsa.misc.im_croomtype | | keyword | +| rsa.misc.im_members | | keyword | +| rsa.misc.im_userid | | keyword | +| rsa.misc.im_username | | keyword | +| rsa.misc.index | | keyword | +| rsa.misc.inout | | keyword | +| rsa.misc.ipkt | | keyword | +| rsa.misc.ipscat | | keyword | +| rsa.misc.ipspri | | keyword | +| rsa.misc.job_num | This key captures the Job Number | keyword | +| rsa.misc.jobname | | keyword | +| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | +| rsa.misc.latitude | | keyword | +| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | +| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | +| rsa.misc.linenum | | keyword | +| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.misc.list_name | | keyword | +| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | +| rsa.misc.load_data | | keyword | +| rsa.misc.location_floor | | keyword | +| rsa.misc.location_mark | | keyword | +| rsa.misc.log_id | | keyword | +| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | +| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | +| rsa.misc.log_type | | keyword | +| rsa.misc.logid | | keyword | +| rsa.misc.logip | | keyword | +| rsa.misc.logname | | keyword | +| rsa.misc.longitude | | keyword | +| rsa.misc.lport | | keyword | +| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | +| rsa.misc.match | This key is for regex match name from search.ini | keyword | +| rsa.misc.mbug_data | | keyword | +| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | +| rsa.misc.misc | | keyword | +| rsa.misc.misc_name | | keyword | +| rsa.misc.mode | | keyword | +| rsa.misc.msgIdPart1 | | keyword | +| rsa.misc.msgIdPart2 | | keyword | +| rsa.misc.msgIdPart3 | | keyword | +| rsa.misc.msgIdPart4 | | keyword | +| rsa.misc.msg_type | | keyword | +| rsa.misc.msgid | | keyword | +| rsa.misc.name | | keyword | +| rsa.misc.netsessid | | keyword | +| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long 
| +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target **VMWARE** only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | +| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | +| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | +| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | +| rsa.threat.alert | This key is used to capture name of the alert | keyword | +| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | +| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | +| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | +| rsa.time.date | | keyword | +| rsa.time.datetime | | keyword | +| rsa.time.day | | keyword | +| rsa.time.duration_str | A text string version of the duration | keyword | +| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | +| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | +| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | +| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | +| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | +| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | +| rsa.time.eventtime | | keyword | +| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | +| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | +| rsa.time.gmtdate | | keyword | +| rsa.time.gmttime | | keyword | +| rsa.time.hour | | keyword | +| rsa.time.min | | keyword | +| rsa.time.month | | keyword | +| rsa.time.p_date | | keyword | +| rsa.time.p_month | | keyword | +| rsa.time.p_time | | keyword | +| rsa.time.p_time1 | | keyword | +| rsa.time.p_time2 | | keyword | +| rsa.time.p_year | | keyword | +| rsa.time.process_time | Deprecated, use duration.time | keyword | +| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | +| rsa.time.stamp | Deprecated key defined only in table map. | date | +| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | +| rsa.time.timestamp | | keyword | +| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | +| rsa.time.tzone | | keyword | +| rsa.time.year | | keyword | +| rsa.web.alias_host | | keyword | +| rsa.web.cn_asn_dst | | keyword | +| rsa.web.cn_rpackets | | keyword | +| rsa.web.fqdn | Fully Qualified Domain Names | keyword | +| rsa.web.p_url | | keyword | +| rsa.web.p_user_agent | | keyword | +| rsa.web.p_web_cookie | | keyword | +| rsa.web.p_web_method | | keyword | +| rsa.web.p_web_referer | | keyword | +| rsa.web.remote_domain | | keyword | +| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | +| rsa.web.urlpage | | keyword | +| rsa.web.urlroot | | keyword | +| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | Server domain. | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | Source domain. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location.lat | | double | +| source.geo.location.lon | | double | +| source.ip | IP address of the source. Can be one or multiple IPv4 or IPv6 addresses. 
| ip | +| source.mac | MAC address of the source. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword | +| url.path | Path of the request, such as "/search". | keyword | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.id | Unique identifiers of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user_agent.original | Unparsed user_agent string. | keyword |
diff --git a/packages/squid/0.1.0/manifest.yml b/packages/squid/0.1.0/manifest.yml
new file mode 100644
index 0000000000..480a8a7284
--- /dev/null
+++ b/packages/squid/0.1.0/manifest.yml
@@ -0,0 +1,31 @@
+format_version: 1.0.0
+name: squid
+title: Squid
+version: 0.1.0
+description: Squid Integration
+categories: ["security"]
+release: experimental
+removable: true
+license: basic
+type: integration
+conditions:
+ kibana:
+ version: '>=7.9.0'
+ elasticsearch:
+ version: '>=7.9.0'
+config_templates:
+- name: log
+ title: Squid
+ description: Collect Squid logs from syslog or a file.
+ inputs:
+ - type: udp
+ title: Collect logs from Squid via UDP
+ description: Collecting syslog from Squid via UDP
+ - type: tcp
+ title: Collect logs from Squid via TCP
+ description: Collecting syslog from Squid via TCP
+ - type: file
+ title: Collect logs from Squid via file
+ description: Collecting syslog from Squid via file.
+# No icon
+icons:
diff --git a/packages/tenable/0.1.0/dataset/nessus_security/agent/stream/stream.yml.hbs b/packages/tenable/0.1.0/dataset/nessus_security/agent/stream/stream.yml.hbs
new file mode 100644
index 0000000000..059119a209
--- /dev/null
+++ b/packages/tenable/0.1.0/dataset/nessus_security/agent/stream/stream.yml.hbs
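Review bot: The final `icons:` key of the new squid manifest has no value, so it parses as YAML null rather than an empty list, which a spec validator that types `icons` as an array may reject or treat differently from an absent key. Either drop the key together with the `# No icon` comment, or make the intent explicit with `icons: []`. As a minor point of style, the three input descriptions are inconsistent: only the `file` entry ends with a period (`description: Collecting syslog from Squid via file.`) while the `udp` and `tcp` entries do not.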
@@ -0,0 +1,2931 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Tenable" + product: "Nessus" + type: "Vulnerability" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
+ "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
+ "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
+ "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
+ "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
+ "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
+ };
+
+ function to_date(value) {
+ switch (typeof (value)) {
+ case "object":
+ // This is a Date. But as it was obtained from evt.Get(), the VM
+ // doesn't see it as a JS Date anymore, thus value instanceof Date === false.
+ // Have to trust that any object here is a valid Date for Go.
+ return value;
+ case "string":
+ var asDate = new Date(value);
+ if (!isNaN(asDate)) return asDate;
+ }
+ }
+
+ // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
+ var maxSafeInt = Math.pow(2, 53) - 1;
+ var minSafeInt = -maxSafeInt;
+
+ function to_long(value) {
+ var num = parseInt(value);
+ // Better not to index a number if it's not safe (above 53 bits).
+ return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined;
+ }
+
+ function to_ip(value) {
+ if (value.indexOf(":") === -1)
+ return to_ipv4(value);
+ return to_ipv6(value);
+ }
+
+ var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
+ var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
+
+ function to_ipv4(value) {
+ var result = ipv4_regex.exec(value);
+ if (result == null || result.length !== 5) return;
+ for (var i = 1; i < 5; i++) {
+ var num = strictToInt(result[i]);
+ if (isNaN(num) || num < 0 || num > 255) return;
+ }
+ return value;
+ }
+
+ function to_ipv6(value) {
+ var sqEnd = value.indexOf("]");
+ if (sqEnd > -1) {
+ if (value.charAt(0) !== "[") return;
+ value = value.substr(1, sqEnd - 1);
+ }
+ var zoneOffset = value.indexOf("%");
+ if (zoneOffset > -1) {
+ value = value.substr(0, zoneOffset);
+ }
+ var parts = value.split(":");
+ if (parts == null || parts.length < 3 || parts.length > 8) return;
+ var numEmpty = 0;
+ var innerEmpty = 0;
+ for (var i = 0; i < parts.length; i++) {
+ if (parts[i].length === 0) {
+ numEmpty++;
+ if (i > 0 && i + 1 < parts.length) innerEmpty++;
+ } else if (!parts[i].match(ipv6_hex_regex) &&
+ // Accept an IPv6 with a valid IPv4 at the end.
+ ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
+ return;
+ }
+ }
+ return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
+ }
+
+ function to_double(value) {
+ return parseFloat(value);
+ }
+
+ function to_mac(value) {
+ // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
+ return value;
+ }
+
+ function to_lowercase(value) {
+ // to_lowercase is used against keyword fields, which can accept
+ // any other type (numbers, dates).
+ return typeof(value) === "string"? 
value.toLowerCase() : value;
+ }
+
+ function fld_set(dst, value) {
+ dst[this.field] = { v: value };
+ }
+
+ function fld_append(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: [value] };
+ } else {
+ var base = dst[this.field];
+ if (base.v.indexOf(value)===-1) base.v.push(value);
+ }
+ }
+
+ function fld_prio(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value, prio: this.prio};
+ } else if(this.prio < dst[this.field].prio) {
+ dst[this.field].v = value;
+ dst[this.field].prio = this.prio;
+ }
+ }
+
+ var valid_ecs_outcome = {
+ 'failure': true,
+ 'success': true,
+ 'unknown': true
+ };
+
+ function fld_ecs_outcome(dst, value) {
+ value = value.toLowerCase();
+ if (valid_ecs_outcome[value] === undefined) {
+ value = 'unknown';
+ }
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value };
+ } else if (dst[this.field].v === 'unknown') {
+ dst[this.field] = { v: value };
+ }
+ }
+
+ function map_all(evt, targets, value) {
+ for (var i = 0; i < targets.length; i++) {
+ evt.Put(targets[i], value);
+ }
+ }
+
+ function populate_fields(evt) {
+ var base = evt.Get(FIELDS_OBJECT);
+ if (base === null) return;
+ alternate_datetime(evt);
+ if (map_ecs) {
+ do_populate(evt, base, ecs_mappings);
+ }
+ if (map_rsa) {
+ do_populate(evt, base, rsa_mappings);
+ }
+ if (keep_raw) {
+ evt.Put("rsa.raw", base);
+ }
+ evt.Delete(FIELDS_OBJECT);
+ }
+
+ var datetime_alt_components = [
+ {field: "day", fmts: [[dF]]},
+ {field: "year", fmts: [[dW]]},
+ {field: "month", fmts: [[dB],[dG]]},
+ {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
+ {field: "hour", fmts: [[dN]]},
+ {field: "min", fmts: [[dU]]},
+ {field: "secs", fmts: [[dO]]},
+ {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
+ ];
+
+ function alternate_datetime(evt) {
+ if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
+ return;
+ }
+ var tzOffset = tz_offset;
+ if (tzOffset === "event") {
+ 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %NESSUSVS-%{messageid}: %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": "), + field("payload"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{hfld4}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld4"), + constant(": "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr4 = match("HEADER#3:0004", "message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{hfld4}: %{hfld5->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld4"), + constant(": "), + field("hfld5"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr5 = match("HEADER#4:0005", "message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{hfld4->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0005"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld4"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr6 = match("HEADER#5:0006", 
"message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{hfld4->} (%{messageid->} %{hfld5}) %{hfld6->} %{payload}", processor_chain([ + setc("header_id","0006"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld4"), + constant(" ("), + field("messageid"), + constant(" "), + field("hfld5"), + constant(") "), + field("hfld6"), + constant(" "), + field("payload"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + ]); + + var part1 = match("MESSAGE#0:REPORTITEM", "nwparser.payload", "%{fld1}:Hostname=%{hostname}^^Host_ip=%{hostip}^^FQDN=%{fqdn}^^Port=%{network_port}^^OS=%{os}^^MAC_address=%{macaddr}^^Host_start=%{fld30}^^Host_end=%{fld31}^^Severity=%{severity}^^Risk_factor=%{risk}^^Service_name=%{service}^^Protocol=%{protocol}^^Vulnerability_refs=%{vuln_ref}^^CVSS_base_score=%{risk_num}^^CVSS_vector=%{fld32}^^PluginID=%{rule}^^Plugin_name=%{rulename}^^Plugin Family=%{rule_group}^^Synopsis=%{event_description}", processor_chain([ + dup1, + dup2, + ])); + + var msg1 = msg("REPORTITEM", part1); + + var part2 = match("MESSAGE#1:REPORTITEM:01", "nwparser.payload", "%{fld1}:Hostname=%{hostname}^^Host_ip=%{hostip}^^FQDN=%{fqdn}^^Port=%{network_port}^^OS=%{os}^^MAC_address=%{macaddr}^^%{event_description}", processor_chain([ + dup1, + dup2, + ])); + + var msg2 = msg("REPORTITEM:01", part2); + + var select2 = linear_select([ + msg1, + msg2, + ]); + + var part3 = match("MESSAGE#2:connection", "nwparser.payload", "connection from %{hostip}", processor_chain([ + dup3, + dup2, + dup4, + setc("action","connecting"), + ])); + + var msg3 = msg("connection", part3); + + var part4 = match("MESSAGE#3:Deleting", "nwparser.payload", "Deleting user %{username}", processor_chain([ + dup3, + setc("ec_subject","User"), + setc("ec_activity","Delete"), + dup2, + dup4, + setc("action","Deleting"), + ])); + + var msg4 = msg("Deleting", part4); + + var part5 = 
match("MESSAGE#4:Finished", "nwparser.payload", "Finished testing %{hostip}. %{fld5}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","Finished testing"), + ])); + + var msg5 = msg("Finished", part5); + + var part6 = match("MESSAGE#5:Finished:01", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","Finished"), + ])); + + var msg6 = msg("Finished:01", part6); + + var select3 = linear_select([ + msg5, + msg6, + ]); + + var part7 = match("MESSAGE#6:finished", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","finished"), + ])); + + var msg7 = msg("finished", part7); + + var part8 = match("MESSAGE#7:user", "nwparser.payload", "user %{username->} : test complete", processor_chain([ + dup1, + dup2, + dup4, + setc("action","Test Complete"), + ])); + + var msg8 = msg("user", part8); + + var part9 = match("MESSAGE#8:user:01", "nwparser.payload", "user %{username->} : testing %{hostname->} (%{hostip}) %{fld1}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","testing"), + ])); + + var msg9 = msg("user:01", part9); + + var part10 = match("MESSAGE#21:user:02", "nwparser.payload", "user %{username->} starts a new scan. 
Target(s) : %{hostname}, %{info}", processor_chain([ + dup5, + dup2, + dup4, + dup6, + ])); + + var msg10 = msg("user:02", part10); + + var part11 = match("MESSAGE#26:user_launching", "nwparser.payload", "user %{username->} : launching %{rulename->} against %{url->} [%{process_id}]", processor_chain([ + setc("eventcategory","1401000000"), + dup2, + dup4, + setc("event_description","User launched rule scan"), + ])); + + var msg11 = msg("user_launching", part11); + + var part12 = match("MESSAGE#27:user_not_launching", "nwparser.payload", "user %{username->} : Not launching %{rulename->} against %{url->} %{reason}", processor_chain([ + dup7, + dup2, + dup4, + ])); + + var msg12 = msg("user_not_launching", part12); + + var select4 = linear_select([ + msg8, + msg9, + msg10, + msg11, + msg12, + ]); + + var part13 = match("MESSAGE#9:Scan", "nwparser.payload", "Scan done: %{info}", processor_chain([ + dup5, + dup2, + dup4, + setc("action","Scan complete"), + ])); + + var msg13 = msg("Scan", part13); + + var msg14 = msg("Total", dup14); + + var msg15 = msg("Task", dup14); + + var msg16 = msg("started", dup15); + + var part14 = match("MESSAGE#13:failed", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","failed"), + ])); + + var msg17 = msg("failed", part14); + + var part15 = match("MESSAGE#14:Nessus", "nwparser.payload", "%{event_description->} (pid=%{process_id})", processor_chain([ + dup1, + dup2, + dup4, + ])); + + var msg18 = msg("Nessus", part15); + + var part16 = match("MESSAGE#15:Reloading", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","Reloading"), + ])); + + var msg19 = msg("Reloading", part16); + + var part17 = match("MESSAGE#16:New", "nwparser.payload", "New connection timeout -- closing the socket%{}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","connection timeout"), + ])); + + var msg20 = msg("New", part17); + + var part18 = 
match("MESSAGE#17:Invalid", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","Invalid"), + ])); + + var msg21 = msg("Invalid", part18); + + var msg22 = msg("Client", dup14); + + var msg23 = msg("auth_check_user", dup14); + + var part19 = match("MESSAGE#20:bad", "nwparser.payload", "bad login attempt from %{hostip}", processor_chain([ + dup9, + dup2, + dup4, + dup10, + ])); + + var msg24 = msg("bad", part19); + + var msg25 = msg("Reducing", dup14); + + var msg26 = msg("Redirecting", dup14); + + var msg27 = msg("Missing", dup14); + + var part20 = match("MESSAGE#25:User", "nwparser.payload", "User '%{username}' %{event_description}", processor_chain([ + setc("eventcategory","1401060000"), + dup2, + dup4, + ])); + + var msg28 = msg("User", part20); + + var part21 = match("MESSAGE#32:User:01", "nwparser.payload", "User %{username->} starts a new scan (%{fld25})", processor_chain([ + dup5, + dup2, + dup4, + dup6, + ])); + + var msg29 = msg("User:01", part21); + + var select5 = linear_select([ + msg28, + msg29, + ]); + + var part22 = match("MESSAGE#28:Plugins", "nwparser.payload", "%{event_description}, as %{reason}", processor_chain([ + dup1, + dup11, + dup2, + dup4, + ])); + + var msg30 = msg("Plugins", part22); + + var part23 = match("MESSAGE#29:process_finished", "nwparser.payload", "%{rulename->} (process %{process_id}) finished its job in %{duration->} seconds", processor_chain([ + dup1, + dup12, + setc("ec_outcome","Success"), + dup2, + dup4, + setc("event_description","Rule scan finished"), + ])); + + var msg31 = msg("process_finished", part23); + + var part24 = match("MESSAGE#30:process_notfinished_killed", "nwparser.payload", "%{rulename->} (pid %{process_id}) is slow to finish - killing it", processor_chain([ + dup7, + dup12, + dup11, + dup2, + dup4, + setc("event_description","Rule scan killed due to slow response"), + ])); + + var msg32 = msg("process_notfinished_killed", part24); + + var part25 = 
match("MESSAGE#31:TCP", "nwparser.payload", "%{fld1->} TCP sessions in parallel", processor_chain([ + dup1, + dup2, + dup4, + setc("event_description","TCP sessions in parallel"), + ])); + + var msg33 = msg("TCP", part25); + + var msg34 = msg("nessusd", dup14); + + var msg35 = msg("installation", dup14); + + var msg36 = msg("Running", dup14); + + var msg37 = msg("started.", dup15); + + var msg38 = msg("scanner", dup14); + + var part26 = match("MESSAGE#38:Another", "nwparser.payload", "%{event_description->} (pid %{process_id})", processor_chain([ + dup1, + dup2, + dup4, + ])); + + var msg39 = msg("Another", part26); + + var part27 = match("MESSAGE#39:Bad", "nwparser.payload", "Bad login attempt for user '%{username}' %{info}", processor_chain([ + dup9, + dup2, + dup4, + dup10, + ])); + + var msg40 = msg("Bad", part27); + + var msg41 = msg("Full", dup14); + + var msg42 = msg("System", dup14); + + var msg43 = msg("Initial", dup14); + + var part28 = match("MESSAGE#43:Adding", "nwparser.payload", "Adding new user '%{username}'", processor_chain([ + setc("eventcategory","1402020200"), + dup2, + dup4, + ])); + + var msg44 = msg("Adding", part28); + + var part29 = match("MESSAGE#44:Granting", "nwparser.payload", "Granting admin privileges to user '%{username}'", processor_chain([ + setc("eventcategory","1402030000"), + dup2, + dup4, + ])); + + var msg45 = msg("Granting", part29); + + var msg46 = msg("Could", dup16); + + var msg47 = msg("depends", dup16); + + var msg48 = msg("Converting", dup14); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "Adding": msg44, + "Another": msg39, + "Bad": msg40, + "Client": msg22, + "Converting": msg48, + "Could": msg46, + "Deleting": msg4, + "Finished": select3, + "Full": msg41, + "Granting": msg45, + "Initial": msg43, + "Invalid": msg21, + "Missing": msg27, + "Nessus": msg18, + "New": msg20, + "Plugins": msg30, + "REPORTITEM": select2, + "Redirecting": msg26, + "Reducing": msg25, + "Reloading": msg19, + "Running": msg36, 
+ "Scan": msg13, + "System": msg42, + "TCP": msg33, + "Task": msg15, + "Total": msg14, + "User": select5, + "auth_check_user": msg23, + "bad": msg24, + "connection": msg3, + "depends": msg47, + "failed": msg17, + "finished": msg7, + "installation": msg35, + "nessusd": msg34, + "pid": msg32, + "process": msg31, + "scanner": msg38, + "started": msg16, + "started.": msg37, + "user": select4, + }), + ]); + + var part30 = match("MESSAGE#10:Total", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + ])); + + var part31 = match("MESSAGE#12:started", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + dup8, + ])); + + var part32 = match("MESSAGE#45:Could", "nwparser.payload", "%{event_description}", processor_chain([ + dup13, + dup2, + dup4, + ])); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/tenable/0.1.0/dataset/nessus_security/agent/stream/tcp.yml.hbs b/packages/tenable/0.1.0/dataset/nessus_security/agent/stream/tcp.yml.hbs new file mode 100644 index 0000000000..000cf0563e --- /dev/null +++ b/packages/tenable/0.1.0/dataset/nessus_security/agent/stream/tcp.yml.hbs 
@@ -0,0 +1,2928 @@ +tcp: +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Tenable" + product: "Nessus" + type: "Vulnerability" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %NESSUSVS-%{messageid}: %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": "), + field("payload"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{hfld4}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld4"), + constant(": "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr4 = match("HEADER#3:0004", "message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{hfld4}: %{hfld5->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld4"), + constant(": "), + field("hfld5"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr5 = match("HEADER#4:0005", "message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{hfld4->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0005"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld4"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr6 = match("HEADER#5:0006", 
"message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{hfld4->} (%{messageid->} %{hfld5}) %{hfld6->} %{payload}", processor_chain([ + setc("header_id","0006"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld4"), + constant(" ("), + field("messageid"), + constant(" "), + field("hfld5"), + constant(") "), + field("hfld6"), + constant(" "), + field("payload"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + ]); + + var part1 = match("MESSAGE#0:REPORTITEM", "nwparser.payload", "%{fld1}:Hostname=%{hostname}^^Host_ip=%{hostip}^^FQDN=%{fqdn}^^Port=%{network_port}^^OS=%{os}^^MAC_address=%{macaddr}^^Host_start=%{fld30}^^Host_end=%{fld31}^^Severity=%{severity}^^Risk_factor=%{risk}^^Service_name=%{service}^^Protocol=%{protocol}^^Vulnerability_refs=%{vuln_ref}^^CVSS_base_score=%{risk_num}^^CVSS_vector=%{fld32}^^PluginID=%{rule}^^Plugin_name=%{rulename}^^Plugin Family=%{rule_group}^^Synopsis=%{event_description}", processor_chain([ + dup1, + dup2, + ])); + + var msg1 = msg("REPORTITEM", part1); + + var part2 = match("MESSAGE#1:REPORTITEM:01", "nwparser.payload", "%{fld1}:Hostname=%{hostname}^^Host_ip=%{hostip}^^FQDN=%{fqdn}^^Port=%{network_port}^^OS=%{os}^^MAC_address=%{macaddr}^^%{event_description}", processor_chain([ + dup1, + dup2, + ])); + + var msg2 = msg("REPORTITEM:01", part2); + + var select2 = linear_select([ + msg1, + msg2, + ]); + + var part3 = match("MESSAGE#2:connection", "nwparser.payload", "connection from %{hostip}", processor_chain([ + dup3, + dup2, + dup4, + setc("action","connecting"), + ])); + + var msg3 = msg("connection", part3); + + var part4 = match("MESSAGE#3:Deleting", "nwparser.payload", "Deleting user %{username}", processor_chain([ + dup3, + setc("ec_subject","User"), + setc("ec_activity","Delete"), + dup2, + dup4, + setc("action","Deleting"), + ])); + + var msg4 = msg("Deleting", part4); + + var part5 = 
match("MESSAGE#4:Finished", "nwparser.payload", "Finished testing %{hostip}. %{fld5}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","Finished testing"), + ])); + + var msg5 = msg("Finished", part5); + + var part6 = match("MESSAGE#5:Finished:01", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","Finished"), + ])); + + var msg6 = msg("Finished:01", part6); + + var select3 = linear_select([ + msg5, + msg6, + ]); + + var part7 = match("MESSAGE#6:finished", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","finished"), + ])); + + var msg7 = msg("finished", part7); + + var part8 = match("MESSAGE#7:user", "nwparser.payload", "user %{username->} : test complete", processor_chain([ + dup1, + dup2, + dup4, + setc("action","Test Complete"), + ])); + + var msg8 = msg("user", part8); + + var part9 = match("MESSAGE#8:user:01", "nwparser.payload", "user %{username->} : testing %{hostname->} (%{hostip}) %{fld1}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","testing"), + ])); + + var msg9 = msg("user:01", part9); + + var part10 = match("MESSAGE#21:user:02", "nwparser.payload", "user %{username->} starts a new scan. 
Target(s) : %{hostname}, %{info}", processor_chain([ + dup5, + dup2, + dup4, + dup6, + ])); + + var msg10 = msg("user:02", part10); + + var part11 = match("MESSAGE#26:user_launching", "nwparser.payload", "user %{username->} : launching %{rulename->} against %{url->} [%{process_id}]", processor_chain([ + setc("eventcategory","1401000000"), + dup2, + dup4, + setc("event_description","User launched rule scan"), + ])); + + var msg11 = msg("user_launching", part11); + + var part12 = match("MESSAGE#27:user_not_launching", "nwparser.payload", "user %{username->} : Not launching %{rulename->} against %{url->} %{reason}", processor_chain([ + dup7, + dup2, + dup4, + ])); + + var msg12 = msg("user_not_launching", part12); + + var select4 = linear_select([ + msg8, + msg9, + msg10, + msg11, + msg12, + ]); + + var part13 = match("MESSAGE#9:Scan", "nwparser.payload", "Scan done: %{info}", processor_chain([ + dup5, + dup2, + dup4, + setc("action","Scan complete"), + ])); + + var msg13 = msg("Scan", part13); + + var msg14 = msg("Total", dup14); + + var msg15 = msg("Task", dup14); + + var msg16 = msg("started", dup15); + + var part14 = match("MESSAGE#13:failed", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","failed"), + ])); + + var msg17 = msg("failed", part14); + + var part15 = match("MESSAGE#14:Nessus", "nwparser.payload", "%{event_description->} (pid=%{process_id})", processor_chain([ + dup1, + dup2, + dup4, + ])); + + var msg18 = msg("Nessus", part15); + + var part16 = match("MESSAGE#15:Reloading", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","Reloading"), + ])); + + var msg19 = msg("Reloading", part16); + + var part17 = match("MESSAGE#16:New", "nwparser.payload", "New connection timeout -- closing the socket%{}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","connection timeout"), + ])); + + var msg20 = msg("New", part17); + + var part18 = 
match("MESSAGE#17:Invalid", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","Invalid"), + ])); + + var msg21 = msg("Invalid", part18); + + var msg22 = msg("Client", dup14); + + var msg23 = msg("auth_check_user", dup14); + + var part19 = match("MESSAGE#20:bad", "nwparser.payload", "bad login attempt from %{hostip}", processor_chain([ + dup9, + dup2, + dup4, + dup10, + ])); + + var msg24 = msg("bad", part19); + + var msg25 = msg("Reducing", dup14); + + var msg26 = msg("Redirecting", dup14); + + var msg27 = msg("Missing", dup14); + + var part20 = match("MESSAGE#25:User", "nwparser.payload", "User '%{username}' %{event_description}", processor_chain([ + setc("eventcategory","1401060000"), + dup2, + dup4, + ])); + + var msg28 = msg("User", part20); + + var part21 = match("MESSAGE#32:User:01", "nwparser.payload", "User %{username->} starts a new scan (%{fld25})", processor_chain([ + dup5, + dup2, + dup4, + dup6, + ])); + + var msg29 = msg("User:01", part21); + + var select5 = linear_select([ + msg28, + msg29, + ]); + + var part22 = match("MESSAGE#28:Plugins", "nwparser.payload", "%{event_description}, as %{reason}", processor_chain([ + dup1, + dup11, + dup2, + dup4, + ])); + + var msg30 = msg("Plugins", part22); + + var part23 = match("MESSAGE#29:process_finished", "nwparser.payload", "%{rulename->} (process %{process_id}) finished its job in %{duration->} seconds", processor_chain([ + dup1, + dup12, + setc("ec_outcome","Success"), + dup2, + dup4, + setc("event_description","Rule scan finished"), + ])); + + var msg31 = msg("process_finished", part23); + + var part24 = match("MESSAGE#30:process_notfinished_killed", "nwparser.payload", "%{rulename->} (pid %{process_id}) is slow to finish - killing it", processor_chain([ + dup7, + dup12, + dup11, + dup2, + dup4, + setc("event_description","Rule scan killed due to slow response"), + ])); + + var msg32 = msg("process_notfinished_killed", part24); + + var part25 = 
match("MESSAGE#31:TCP", "nwparser.payload", "%{fld1->} TCP sessions in parallel", processor_chain([ + dup1, + dup2, + dup4, + setc("event_description","TCP sessions in parallel"), + ])); + + var msg33 = msg("TCP", part25); + + var msg34 = msg("nessusd", dup14); + + var msg35 = msg("installation", dup14); + + var msg36 = msg("Running", dup14); + + var msg37 = msg("started.", dup15); + + var msg38 = msg("scanner", dup14); + + var part26 = match("MESSAGE#38:Another", "nwparser.payload", "%{event_description->} (pid %{process_id})", processor_chain([ + dup1, + dup2, + dup4, + ])); + + var msg39 = msg("Another", part26); + + var part27 = match("MESSAGE#39:Bad", "nwparser.payload", "Bad login attempt for user '%{username}' %{info}", processor_chain([ + dup9, + dup2, + dup4, + dup10, + ])); + + var msg40 = msg("Bad", part27); + + var msg41 = msg("Full", dup14); + + var msg42 = msg("System", dup14); + + var msg43 = msg("Initial", dup14); + + var part28 = match("MESSAGE#43:Adding", "nwparser.payload", "Adding new user '%{username}'", processor_chain([ + setc("eventcategory","1402020200"), + dup2, + dup4, + ])); + + var msg44 = msg("Adding", part28); + + var part29 = match("MESSAGE#44:Granting", "nwparser.payload", "Granting admin privileges to user '%{username}'", processor_chain([ + setc("eventcategory","1402030000"), + dup2, + dup4, + ])); + + var msg45 = msg("Granting", part29); + + var msg46 = msg("Could", dup16); + + var msg47 = msg("depends", dup16); + + var msg48 = msg("Converting", dup14); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "Adding": msg44, + "Another": msg39, + "Bad": msg40, + "Client": msg22, + "Converting": msg48, + "Could": msg46, + "Deleting": msg4, + "Finished": select3, + "Full": msg41, + "Granting": msg45, + "Initial": msg43, + "Invalid": msg21, + "Missing": msg27, + "Nessus": msg18, + "New": msg20, + "Plugins": msg30, + "REPORTITEM": select2, + "Redirecting": msg26, + "Reducing": msg25, + "Reloading": msg19, + "Running": msg36, 
+ "Scan": msg13, + "System": msg42, + "TCP": msg33, + "Task": msg15, + "Total": msg14, + "User": select5, + "auth_check_user": msg23, + "bad": msg24, + "connection": msg3, + "depends": msg47, + "failed": msg17, + "finished": msg7, + "installation": msg35, + "nessusd": msg34, + "pid": msg32, + "process": msg31, + "scanner": msg38, + "started": msg16, + "started.": msg37, + "user": select4, + }), + ]); + + var part30 = match("MESSAGE#10:Total", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + ])); + + var part31 = match("MESSAGE#12:started", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + dup8, + ])); + + var part32 = match("MESSAGE#45:Could", "nwparser.payload", "%{event_description}", processor_chain([ + dup13, + dup2, + dup4, + ])); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/tenable/0.1.0/dataset/nessus_security/agent/stream/udp.yml.hbs b/packages/tenable/0.1.0/dataset/nessus_security/agent/stream/udp.yml.hbs new file mode 100644 index 0000000000..fd1a763426 --- /dev/null +++ b/packages/tenable/0.1.0/dataset/nessus_security/agent/stream/udp.yml.hbs 
@@ -0,0 +1,2928 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Tenable" + product: "Nessus" + type: "Vulnerability" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5],
+ "dec": [11, 4],
+ };
+
+ // var dC = undefined;
+ var dR = dateMonthName(true);
+ var dB = dateMonthName(false);
+ var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
+ var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
+ var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
+ var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
+ var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
+ var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
+ var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
+ var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
+ var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
+ var dP = parseAMPM; // AM|PM
+ var dQ = parseAMPM; // A.M.|P.M
+ var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
+ var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
+ var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
+ var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
+ var dZ = parseHMS;
+ var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
+
+ // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
+ // Only works if this modifier appears after the hour has been read from logs
+ // which is always the case in the 300 devices.
+ function parseAMPM(str, pos, date) {
+ var n = str.length;
+ var start = skipws(str, pos);
+ if (start + 2 > n) return;
+ var head = str.substr(start, 2).toUpperCase();
+ var isPM = false;
+ var skip = false;
+ switch (head) {
+ case "A.":
+ skip = true;
+ /* falls through */
+ case "AM":
+ break;
+ case "P.":
+ skip = true;
+ /* falls through */
+ case "PM":
+ isPM = true;
+ break;
+ default:
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
+ return;
+ }
+ pos = start + 2;
+ if (skip) {
+ if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
+ return;
+ }
+ pos += 2;
+ }
+ var hh = date.hours;
+ if (isPM) {
+ // Accept existing hour in 24h format.
+ if (hh < 12) hh += 12;
+ } else {
+ if (hh === 12) hh = 0;
+ }
+ date.setHours(hh);
+ return pos;
+ }
+
+ function parseHMS(str, pos, date) {
+ return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
+ }
+
+ function skipws(str, pos) {
+ for ( var n = str.length;
+ pos < n && str.charAt(pos) === " ";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function skipdigits(str, pos) {
+ var c;
+ for (var n = str.length;
+ pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function dSkip(str, pos, date) {
+ var chr;
+ for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
+ return pos < str.length?
pos : undefined;
+ }
+
+ function dateVariableWidthNumber(fmtChar, min, max, setter) {
+ return function (str, pos, date) {
+ var start = skipws(str, pos);
+ pos = skipdigits(str, start);
+ var s = str.substr(start, pos - start);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos;
+ }
+ return;
+ };
+ }
+
+ function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + width > n) return;
+ var s = str.substr(pos, width);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos + width;
+ }
+ return;
+ };
+ }
+
+ // Short month name (Jan..Dec).
+ function dateMonthName(long) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + 3 > n) return;
+ var mon = str.substr(pos, 3);
+ var idx = shortMonths[mon];
+ if (idx === undefined) {
+ idx = shortMonths[mon.toLowerCase()];
+ }
+ if (idx === undefined) {
+ //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
+ return;
+ }
+ date.setMonth(idx[0]+1);
+ return pos + 3 + (long ?
idx[1] : 0);
+ };
+ }
+
+ function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.error(fn.name + " failed for '" + value + "'");
+ }
+ };
+ }
+
+ // The following regular expression for parsing URLs from:
+ // https://github.com/wizard04wsu/URI_Parsing
+ //
+ // The MIT License (MIT)
+ //
+ // Copyright (c) 2014 Andrew Harrison
+ //
+ // Permission is hereby granted, free of charge, to any person obtaining a copy of
+ // this software and associated documentation files (the "Software"), to deal in
+ // the Software without restriction, including without limitation the rights to
+ // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ // the Software, and to permit persons to whom the Software is furnished to do so,
+ // subject to the following conditions:
+ //
+ // The above copyright notice and this permission notice shall be included in all
+ // copies or substantial portions of the Software.
+ //
+ // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+ // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+ // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+ // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+ var uriScheme = 1;
+ var uriDomain = 5;
+ var uriPort = 6;
+ var uriPath = 7;
+ var uriPathAlt = 9;
+ var uriQuery = 11;
+
+ function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+ }
+
+ function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+ }
+
+ function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+ }
+
+ var extFromPage = /\.[^.]+$/;
+ function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+ }
+
+ function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+ }
+
+ function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+ }
+
+ var pageFromPathRegExp = /\/([^\/]+)$/;
+ var pageName = 1;
+
+ function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+ }
+
+ function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+ }
+
+ function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+ }
+
+ function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+ }
+
+ // Map common schemes to their default port.
+ // port has to be a string (will be converted at a later stage).
+ var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+ };
+
+ function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+ }
+
+ function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+ }
+
+ function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+ }
+
+ function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+ }
+
+ function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+ }
+
+ function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+ }
+
+ var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field:
"source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter:
fld_prio, prio: 0}]},
+ "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field:
"network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field:
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain":
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user",
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field:
"rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field:
"rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field:
"rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl",
setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field:
"rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field:
"rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter:
fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field:
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %NESSUSVS-%{messageid}: %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": "), + field("payload"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{hfld4}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld4"), + constant(": "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr4 = match("HEADER#3:0004", "message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{hfld4}: %{hfld5->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld4"), + constant(": "), + field("hfld5"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr5 = match("HEADER#4:0005", "message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{hfld4->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0005"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld4"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), + ])); + + var hdr6 = match("HEADER#5:0006", 
"message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{hfld4->} (%{messageid->} %{hfld5}) %{hfld6->} %{payload}", processor_chain([ + setc("header_id","0006"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld4"), + constant(" ("), + field("messageid"), + constant(" "), + field("hfld5"), + constant(") "), + field("hfld6"), + constant(" "), + field("payload"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + ]); + + var part1 = match("MESSAGE#0:REPORTITEM", "nwparser.payload", "%{fld1}:Hostname=%{hostname}^^Host_ip=%{hostip}^^FQDN=%{fqdn}^^Port=%{network_port}^^OS=%{os}^^MAC_address=%{macaddr}^^Host_start=%{fld30}^^Host_end=%{fld31}^^Severity=%{severity}^^Risk_factor=%{risk}^^Service_name=%{service}^^Protocol=%{protocol}^^Vulnerability_refs=%{vuln_ref}^^CVSS_base_score=%{risk_num}^^CVSS_vector=%{fld32}^^PluginID=%{rule}^^Plugin_name=%{rulename}^^Plugin Family=%{rule_group}^^Synopsis=%{event_description}", processor_chain([ + dup1, + dup2, + ])); + + var msg1 = msg("REPORTITEM", part1); + + var part2 = match("MESSAGE#1:REPORTITEM:01", "nwparser.payload", "%{fld1}:Hostname=%{hostname}^^Host_ip=%{hostip}^^FQDN=%{fqdn}^^Port=%{network_port}^^OS=%{os}^^MAC_address=%{macaddr}^^%{event_description}", processor_chain([ + dup1, + dup2, + ])); + + var msg2 = msg("REPORTITEM:01", part2); + + var select2 = linear_select([ + msg1, + msg2, + ]); + + var part3 = match("MESSAGE#2:connection", "nwparser.payload", "connection from %{hostip}", processor_chain([ + dup3, + dup2, + dup4, + setc("action","connecting"), + ])); + + var msg3 = msg("connection", part3); + + var part4 = match("MESSAGE#3:Deleting", "nwparser.payload", "Deleting user %{username}", processor_chain([ + dup3, + setc("ec_subject","User"), + setc("ec_activity","Delete"), + dup2, + dup4, + setc("action","Deleting"), + ])); + + var msg4 = msg("Deleting", part4); + + var part5 = 
match("MESSAGE#4:Finished", "nwparser.payload", "Finished testing %{hostip}. %{fld5}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","Finished testing"), + ])); + + var msg5 = msg("Finished", part5); + + var part6 = match("MESSAGE#5:Finished:01", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","Finished"), + ])); + + var msg6 = msg("Finished:01", part6); + + var select3 = linear_select([ + msg5, + msg6, + ]); + + var part7 = match("MESSAGE#6:finished", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","finished"), + ])); + + var msg7 = msg("finished", part7); + + var part8 = match("MESSAGE#7:user", "nwparser.payload", "user %{username->} : test complete", processor_chain([ + dup1, + dup2, + dup4, + setc("action","Test Complete"), + ])); + + var msg8 = msg("user", part8); + + var part9 = match("MESSAGE#8:user:01", "nwparser.payload", "user %{username->} : testing %{hostname->} (%{hostip}) %{fld1}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","testing"), + ])); + + var msg9 = msg("user:01", part9); + + var part10 = match("MESSAGE#21:user:02", "nwparser.payload", "user %{username->} starts a new scan. 
Target(s) : %{hostname}, %{info}", processor_chain([ + dup5, + dup2, + dup4, + dup6, + ])); + + var msg10 = msg("user:02", part10); + + var part11 = match("MESSAGE#26:user_launching", "nwparser.payload", "user %{username->} : launching %{rulename->} against %{url->} [%{process_id}]", processor_chain([ + setc("eventcategory","1401000000"), + dup2, + dup4, + setc("event_description","User launched rule scan"), + ])); + + var msg11 = msg("user_launching", part11); + + var part12 = match("MESSAGE#27:user_not_launching", "nwparser.payload", "user %{username->} : Not launching %{rulename->} against %{url->} %{reason}", processor_chain([ + dup7, + dup2, + dup4, + ])); + + var msg12 = msg("user_not_launching", part12); + + var select4 = linear_select([ + msg8, + msg9, + msg10, + msg11, + msg12, + ]); + + var part13 = match("MESSAGE#9:Scan", "nwparser.payload", "Scan done: %{info}", processor_chain([ + dup5, + dup2, + dup4, + setc("action","Scan complete"), + ])); + + var msg13 = msg("Scan", part13); + + var msg14 = msg("Total", dup14); + + var msg15 = msg("Task", dup14); + + var msg16 = msg("started", dup15); + + var part14 = match("MESSAGE#13:failed", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","failed"), + ])); + + var msg17 = msg("failed", part14); + + var part15 = match("MESSAGE#14:Nessus", "nwparser.payload", "%{event_description->} (pid=%{process_id})", processor_chain([ + dup1, + dup2, + dup4, + ])); + + var msg18 = msg("Nessus", part15); + + var part16 = match("MESSAGE#15:Reloading", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","Reloading"), + ])); + + var msg19 = msg("Reloading", part16); + + var part17 = match("MESSAGE#16:New", "nwparser.payload", "New connection timeout -- closing the socket%{}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","connection timeout"), + ])); + + var msg20 = msg("New", part17); + + var part18 = 
match("MESSAGE#17:Invalid", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","Invalid"), + ])); + + var msg21 = msg("Invalid", part18); + + var msg22 = msg("Client", dup14); + + var msg23 = msg("auth_check_user", dup14); + + var part19 = match("MESSAGE#20:bad", "nwparser.payload", "bad login attempt from %{hostip}", processor_chain([ + dup9, + dup2, + dup4, + dup10, + ])); + + var msg24 = msg("bad", part19); + + var msg25 = msg("Reducing", dup14); + + var msg26 = msg("Redirecting", dup14); + + var msg27 = msg("Missing", dup14); + + var part20 = match("MESSAGE#25:User", "nwparser.payload", "User '%{username}' %{event_description}", processor_chain([ + setc("eventcategory","1401060000"), + dup2, + dup4, + ])); + + var msg28 = msg("User", part20); + + var part21 = match("MESSAGE#32:User:01", "nwparser.payload", "User %{username->} starts a new scan (%{fld25})", processor_chain([ + dup5, + dup2, + dup4, + dup6, + ])); + + var msg29 = msg("User:01", part21); + + var select5 = linear_select([ + msg28, + msg29, + ]); + + var part22 = match("MESSAGE#28:Plugins", "nwparser.payload", "%{event_description}, as %{reason}", processor_chain([ + dup1, + dup11, + dup2, + dup4, + ])); + + var msg30 = msg("Plugins", part22); + + var part23 = match("MESSAGE#29:process_finished", "nwparser.payload", "%{rulename->} (process %{process_id}) finished its job in %{duration->} seconds", processor_chain([ + dup1, + dup12, + setc("ec_outcome","Success"), + dup2, + dup4, + setc("event_description","Rule scan finished"), + ])); + + var msg31 = msg("process_finished", part23); + + var part24 = match("MESSAGE#30:process_notfinished_killed", "nwparser.payload", "%{rulename->} (pid %{process_id}) is slow to finish - killing it", processor_chain([ + dup7, + dup12, + dup11, + dup2, + dup4, + setc("event_description","Rule scan killed due to slow response"), + ])); + + var msg32 = msg("process_notfinished_killed", part24); + + var part25 = 
match("MESSAGE#31:TCP", "nwparser.payload", "%{fld1->} TCP sessions in parallel", processor_chain([ + dup1, + dup2, + dup4, + setc("event_description","TCP sessions in parallel"), + ])); + + var msg33 = msg("TCP", part25); + + var msg34 = msg("nessusd", dup14); + + var msg35 = msg("installation", dup14); + + var msg36 = msg("Running", dup14); + + var msg37 = msg("started.", dup15); + + var msg38 = msg("scanner", dup14); + + var part26 = match("MESSAGE#38:Another", "nwparser.payload", "%{event_description->} (pid %{process_id})", processor_chain([ + dup1, + dup2, + dup4, + ])); + + var msg39 = msg("Another", part26); + + var part27 = match("MESSAGE#39:Bad", "nwparser.payload", "Bad login attempt for user '%{username}' %{info}", processor_chain([ + dup9, + dup2, + dup4, + dup10, + ])); + + var msg40 = msg("Bad", part27); + + var msg41 = msg("Full", dup14); + + var msg42 = msg("System", dup14); + + var msg43 = msg("Initial", dup14); + + var part28 = match("MESSAGE#43:Adding", "nwparser.payload", "Adding new user '%{username}'", processor_chain([ + setc("eventcategory","1402020200"), + dup2, + dup4, + ])); + + var msg44 = msg("Adding", part28); + + var part29 = match("MESSAGE#44:Granting", "nwparser.payload", "Granting admin privileges to user '%{username}'", processor_chain([ + setc("eventcategory","1402030000"), + dup2, + dup4, + ])); + + var msg45 = msg("Granting", part29); + + var msg46 = msg("Could", dup16); + + var msg47 = msg("depends", dup16); + + var msg48 = msg("Converting", dup14); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "Adding": msg44, + "Another": msg39, + "Bad": msg40, + "Client": msg22, + "Converting": msg48, + "Could": msg46, + "Deleting": msg4, + "Finished": select3, + "Full": msg41, + "Granting": msg45, + "Initial": msg43, + "Invalid": msg21, + "Missing": msg27, + "Nessus": msg18, + "New": msg20, + "Plugins": msg30, + "REPORTITEM": select2, + "Redirecting": msg26, + "Reducing": msg25, + "Reloading": msg19, + "Running": msg36, 
+ "Scan": msg13, + "System": msg42, + "TCP": msg33, + "Task": msg15, + "Total": msg14, + "User": select5, + "auth_check_user": msg23, + "bad": msg24, + "connection": msg3, + "depends": msg47, + "failed": msg17, + "finished": msg7, + "installation": msg35, + "nessusd": msg34, + "pid": msg32, + "process": msg31, + "scanner": msg38, + "started": msg16, + "started.": msg37, + "user": select4, + }), + ]); + + var part30 = match("MESSAGE#10:Total", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + ])); + + var part31 = match("MESSAGE#12:started", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + dup8, + ])); + + var part32 = match("MESSAGE#45:Could", "nwparser.payload", "%{event_description}", processor_chain([ + dup13, + dup2, + dup4, + ])); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/tenable/0.1.0/dataset/nessus_security/elasticsearch/ingest_pipeline/default.yml b/packages/tenable/0.1.0/dataset/nessus_security/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 0000000000..7482d9c4c9 --- /dev/null +++ b/packages/tenable/0.1.0/dataset/nessus_security/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Tenable Network Security Nessus
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/tenable/0.1.0/dataset/nessus_security/fields/base-fields.yml b/packages/tenable/0.1.0/dataset/nessus_security/fields/base-fields.yml
new file mode 100644
index 0000000000..b294eaf20e
--- /dev/null
+++ b/packages/tenable/0.1.0/dataset/nessus_security/fields/base-fields.yml
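Review bot: The `on_failure` handler at the end of the `nessus_security` ingest pipeline only appends the failure text to `error.message`, so a document whose `geoip` or `rename` step fails is still indexed with no queryable marker that enrichment was incomplete. Adding `- set:` / `field: event.kind` / `value: pipeline_error` next to the `append` gives dashboards and detection rules a stable field to exclude or alert on partially processed events instead of parsing free-text error messages. The `description` line is the file's only documentation; a one-line comment above the AS block noting that `asn` and `organization_name` are renamed to the ECS `as.number` and `as.organization.name` paths would make the four `rename` steps self-explanatory to the next maintainer.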
@@ -0,0 +1,26 @@
+- name: datastream.type
+ type: constant_keyword
+ description: Datastream type.
+- name: datastream.dataset
+ type: constant_keyword
+ description: Datastream dataset.
+- name: datastream.namespace
+ type: constant_keyword
+ description: Datastream namespace.
+
+- name: dataset.type
+ type: constant_keyword
+ description: >
+ Dataset type.
+- name: dataset.name
+ type: constant_keyword
+ description: >
+ Dataset name.
+- name: dataset.namespace
+ type: constant_keyword
+ description: >
+ Dataset namespace.
+- name: "@timestamp"
+ type: date
+ description: >
+ Event timestamp.
diff --git a/packages/tenable/0.1.0/dataset/nessus_security/fields/ecs.yml b/packages/tenable/0.1.0/dataset/nessus_security/fields/ecs.yml
new file mode 100644
index 0000000000..92af91c339
--- /dev/null
+++ b/packages/tenable/0.1.0/dataset/nessus_security/fields/ecs.yml
@@ -0,0 +1,836 @@ +- name: log + type: group + fields: + - name: original + level: core + type: keyword + ignore_above: 1024 + description: 'This is the original log message and contains the full log message + before splitting it up in multiple parts. + + In contrast to the `message` field which can contain an extracted part of the + log message, this field contains the original, full log message. It can have + already some modifications applied like encoding or new lines removed to clean + up the log message. + + This field is not indexed and doc_values are disabled so it can''t be queried + but the value can be retrieved from `_source`.' + example: Sep 19 08:26:10 localhost My log + - name: level + level: core + type: keyword + ignore_above: 1024 + description: 'Original log level of the log event. + + If the source of the event provides a log level or textual severity, this is + the one that goes in `log.level`. If your source doesn''t specify one, you may + put your event transport''s severity here (e.g. Syslog severity). + + Some examples are `warn`, `err`, `i`, `informational`.' + example: error + - name: syslog + type: group + fields: + - name: priority + level: extended + type: long + format: string + description: 'Syslog numeric priority of the event, if available. + + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. + This number is therefore expected to contain a value between 0 and 191.' + example: 135 + - name: facility + type: group + fields: + - name: code + level: extended + type: long + format: string + description: 'The Syslog numeric facility of the log event, if available. + + According to RFCs 5424 and 3164, this value should be an integer between + 0 and 23.' + example: 23 + - name: severity + type: group + fields: + - name: code + level: extended + type: long + description: 'The Syslog numeric severity of the log event, if available. 
+ + If the event source publishing via Syslog provides a different numeric severity + value (e.g. firewall, IDS), your source''s numeric severity should go to + `event.severity`. If the event source does not specify a distinct severity, + you can optionally copy the Syslog severity to `event.severity`.' + example: 3 +- name: event + type: group + fields: + - name: code + level: extended + type: keyword + ignore_above: 1024 + description: 'Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, regardless + of message language or wording adjustments over time. An example of this is + the Windows Event ID.' + example: 4648 + - name: action + level: core + type: keyword + ignore_above: 1024 + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is normally + defined by the implementer.' + example: user-password-change + - name: outcome + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + lowest level in the ECS category hierarchy. + + `event.outcome` simply denotes whether the event represents a success or a failure + from the perspective of the entity that produced the event. + + Note that when a single transaction is described in multiple events, each event + may populate different values of `event.outcome`, according to their perspective. + + Also note that in the case of a compound event (a single event that contains + multiple logical events), this field should be populated with the value that + best captures the overall success or failure from the perspective of the event + producer. + + Further note that not all events will have an associated outcome. 
For example, + this field is generally not populated for metric events, events with `event.type:info`, + or any events for which an outcome does not make logical sense.' + example: success + - name: category + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as a + subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + - name: timezone + level: extended + type: keyword + ignore_above: 1024 + description: 'This field should be populated when the event''s timestamp does + not include timezone information already (e.g. default Syslog timestamps). It''s + optional otherwise. + + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated + (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' +- name: '@timestamp' + level: core + required: true + type: date + description: 'Date/time when the event originated. + + This is the date/time extracted from the event, typically representing when the + event was generated by the source. + + If the event source has no original timestamp, this value is typically populated + by the first time the event was received by the pipeline. + + Required field for all events.' + example: '2016-05-23T08:05:34.853Z' +- name: user + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. 
+ example: albert + - name: full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifiers of the user. +- name: message + level: core + type: text + description: 'For log events the message field contains the log message, optimized + for viewing in a log viewer. + + For structured logs without an original message field, other fields can be concatenated + to form a human-readable summary of the event. + + If multiple messages exist, they can be combined into one message.' + example: Hello World +- name: source + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the source. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the source. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the source. + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. 
internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Source domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: host + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified + domain name, or a name specified by the user. The sender decides which value + to use.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. +- name: destination + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the destination. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the destination. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event destination addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. 
You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the destination to the source. + example: 184 + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the destination. + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of destination based NAT sessions (e.g. internet + to private DMZ) + + Typically used with load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Port the source session is translated to by NAT Device. + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Destination domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: network + type: group + fields: + - name: protocol + level: core + type: keyword + ignore_above: 1024 + description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: http + - name: application + level: extended + type: keyword + ignore_above: 1024 + description: 'A name given to an application level protocol. This can be arbitrarily + assigned for things like microservices, but also apply to things like skype, + icq, facebook, twitter. 
This would be used in situations where the vendor or + service can be decoded such as from the source/dest IP owners, ports, or wire + format. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: aim + - name: interface + type: group + fields: + - type: keyword + name: name + - name: bytes + level: core + type: long + format: bytes + description: 'Total bytes transferred in both directions. + + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their + sum.' + example: 368 + - name: direction + level: core + type: keyword + ignore_above: 1024 + description: "Direction of the network traffic.\nRecommended values are:\n *\ + \ inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen mapping\ + \ events from a host-based monitoring context, populate this field from the\ + \ host's point of view.\nWhen mapping events from a network or perimeter-based\ + \ monitoring context, populate this field from the point of view of your network\ + \ perimeter." + example: inbound + - name: packets + level: core + type: long + description: 'Total packets transferred in both directions. + + If `source.packets` and `destination.packets` are known, `network.packets` is + their sum.' + example: 24 + - name: forwarded_ip + level: core + type: ip + description: Host IP address when the source IP address is the proxy. + example: 192.1.1.2 +- name: observer + type: group + fields: + - name: version + level: core + type: keyword + ignore_above: 1024 + description: Observer version. + - name: product + level: extended + type: keyword + ignore_above: 1024 + description: The product name of the observer. + example: s200 + - name: ingress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. 
+ example: eth0 + default_field: false + - name: egress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. + example: eth0 + default_field: false +- name: file + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. + example: example.png + - name: directory + level: extended + type: keyword + ignore_above: 1024 + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + - name: size + level: extended + type: long + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: File type (file, dir, or symlink). + example: file + - name: extension + level: extended + type: keyword + ignore_above: 1024 + description: File extension. + example: png + - name: path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + - name: attributes + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' 
+ example: '["readonly", "system"]' + default_field: false +- name: url + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + - name: query + level: extended + type: keyword + ignore_above: 1024 + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there is + no query field. If there is a `?` but no query, the query field exists with + an empty string. The `exists` query can be used to differentiate between the + two cases.' + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field.' + example: www.elastic.co + - name: path + level: extended + type: keyword + ignore_above: 1024 + description: Path of the request, such as "/search". + - name: top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for google.com is "com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). 
Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.google.com" is "google.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: google.com +- name: service + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the service data is collected from. + + The name of the service is normally user given. This allows for distributed + services that run on multiple hosts to correlate the related instances based + on the name. + + In the case of Elasticsearch the `service.name` could contain the cluster name. + For Beats the `service.name` is by default a copy of the `service.type` field + if no name is specified.' + example: elasticsearch-metrics +- name: server + type: group + fields: + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Server domain. +- name: process + type: group + fields: + - name: pid + level: core + type: long + format: string + description: Process id. + example: 4242 + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + - name: ppid + level: extended + type: long + format: string + description: Parent process' pid. 
+ example: 4241 + - name: parent + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' +- name: rule + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: The name of the rule or signature generating the event. + example: BLOCK_DNS_over_TLS + default_field: false +- name: user_agent + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Unparsed user_agent string. + example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 + (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 +- name: http + type: group + fields: + - name: response + type: group + fields: + - name: body + type: group + fields: + - name: content + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: The full HTTP response body. 
+ example: Hello world + - name: request + type: group + fields: + - name: referrer + level: extended + type: keyword + ignore_above: 1024 + description: Referrer for this HTTP request. + example: https://blog.example.com/ + - name: method + level: extended + type: keyword + ignore_above: 1024 + description: 'HTTP request method. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: get, post, put +- name: geo + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + - name: region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec +- name: dns + type: group + fields: + - name: question + type: group + fields: + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of record being queried. + example: AAAA + - name: answers + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'The domain name to which this resource record pertains. + + If a chain of CNAME is being resolved, each answer''s `name` should be the + one that corresponds with the answer''s `data`. It should not simply be the + original `question.name` repeated.' + example: www.google.com + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of data contained in this resource record. 
+ example: CNAME diff --git a/packages/tenable/0.1.0/dataset/nessus_security/fields/fields.yml b/packages/tenable/0.1.0/dataset/nessus_security/fields/fields.yml new file mode 100644 index 0000000000..2abc947fe7 --- /dev/null +++ b/packages/tenable/0.1.0/dataset/nessus_security/fields/fields.yml 
@@ -0,0 +1,1939 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. 
+ - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a 
generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst
+ type: keyword
+ description: This is used to capture name of the file targeted by the action
+ - name: filename_src
+ type: keyword
+ description: This is used to capture name of the parent filename, the file which
+ performed the action
+ - name: filename_tmp
+ type: keyword
+ - name: directory_dst
+ type: keyword
+ description: This key is used to capture the directory of the target process
+ or file
+ - name: directory_src
+ type: keyword
+ description: This key is used to capture the directory of the source process
+ or file
+ - name: file_entropy
+ type: double
+ description: This is used to capture entropy vale of a file
+ - name: file_vendor
+ type: keyword
+ description: This is used to capture Company name of file located in version_info
+ - name: task_name
+ type: keyword
+ description: This is used to capture name of the task
+ - name: web
+ type: group
+ fields:
+ - name: fqdn
+ type: keyword
+ description: Fully Qualified Domain Names
+ - name: web_cookie
+ type: keyword
+ description: This key is used to capture the Web cookies specifically.
+ - name: alias_host
+ type: keyword
+ - name: reputation_num
+ type: double
+ description: Reputation Number of an entity. Typically used for Web Domains
+ - name: web_ref_domain
+ type: keyword
+ description: Web referer's domain
+ - name: web_ref_query
+ type: keyword
+ description: This key captures Web referer's query portion of the URL
+ - name: remote_domain
+ type: keyword
+ - name: web_ref_page
+ type: keyword
+ description: This key captures Web referer's page information
+ - name: web_ref_root
+ type: keyword
+ description: Web referer's root URL path
+ - name: cn_asn_dst
+ type: keyword
+ - name: cn_rpackets
+ type: keyword
+ - name: urlpage
+ type: keyword
+ - name: urlroot
+ type: keyword
+ - name: p_url
+ type: keyword
+ - name: p_user_agent
+ type: keyword
+ - name: p_web_cookie
+ type: keyword
+ - name: p_web_method
+ type: keyword
+ - name: p_web_referer
+ type: keyword
+ - name: web_extension_tmp
+ type: keyword
+ - name: web_page
+ type: keyword
+ - name: threat
+ type: group
+ fields:
+ - name: threat_category
+ type: keyword
+ description: This key captures Threat Name/Threat Category/Categorization of
+ alert
+ - name: threat_desc
+ type: keyword
+ description: This key is used to capture the threat description from the session
+ directly or inferred
+ - name: alert
+ type: keyword
+ description: This key is used to capture name of the alert
+ - name: threat_source
+ type: keyword
+ description: This key is used to capture source of the threat
+ - name: crypto
+ type: group
+ fields:
+ - name: crypto
+ type: keyword
+ description: This key is used to capture the Encryption Type or Encryption Key
+ only
+ - name: cipher_src
+ type: keyword
+ description: This key is for Source (Client) Cipher
+ - name: cert_subject
+ type: keyword
+ description: This key is used to capture the Certificate organization only
+ - name: peer
+ type: keyword
+ description: This key is for Encryption peer's IP Address
+ - name: cipher_size_src
+ type: long
+ description: This key captures Source (Client) Cipher Size
+ - name: ike
+ type: keyword
+ description: IKE negotiation phase.
+ - name: scheme
+ type: keyword
+ description: This key captures the Encryption scheme used
+ - name: peer_id
+ type: keyword
+ description: "This key is for Encryption peer\u2019s identity"
+ - name: sig_type
+ type: keyword
+ description: This key captures the Signature Type
+ - name: cert_issuer
+ type: keyword
+ - name: cert_host_name
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: cert_error
+ type: keyword
+ description: This key captures the Certificate Error String
+ - name: cipher_dst
+ type: keyword
+ description: This key is for Destination (Server) Cipher
+ - name: cipher_size_dst
+ type: long
+ description: This key captures Destination (Server) Cipher Size
+ - name: ssl_ver_src
+ type: keyword
+ description: Deprecated, use version
+ - name: d_certauth
+ type: keyword
+ - name: s_certauth
+ type: keyword
+ - name: ike_cookie1
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
+ - name: ike_cookie2
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
+ - name: cert_checksum
+ type: keyword
+ - name: cert_host_cat
+ type: keyword
+ description: This key is used for the hostname category value of a certificate
+ - name: cert_serial
+ type: keyword
+ description: This key is used to capture the Certificate serial number only
+ - name: cert_status
+ type: keyword
+ description: This key captures Certificate validation status
+ - name: ssl_ver_dst
+ type: keyword
+ description: Deprecated, use version
+ - name: cert_keysize
+ type: keyword
+ - name: cert_username
+ type: keyword
+ - name: https_insact
+ type: keyword
+ - name: https_valid
+ type: keyword
+ - name: cert_ca
+ type: keyword
+ description: This key is used to capture the Certificate signing authority only
+ - name: cert_common
+ type: keyword
+ description: This key is used to capture the Certificate common name only
+ - name: wireless
+ type: group
+ fields:
+ - name: wlan_ssid
+ type: keyword
+ description: This key is used to capture the ssid of a Wireless Session
+ - name: access_point
+ type: keyword
+ description: This key is used to capture the access point name.
+ - name: wlan_channel
+ type: long
+ description: This is used to capture the channel names
+ - name: wlan_name
+ type: keyword
+ description: This key captures either WLAN number/name
+ - name: storage
+ type: group
+ fields:
+ - name: disk_volume
+ type: keyword
+ description: A unique name assigned to logical units (volumes) within a physical
+ disk
+ - name: lun
+ type: keyword
+ description: Logical Unit Number.This key is a very useful concept in Storage.
+ - name: pwwn
+ type: keyword
+ description: This uniquely identifies a port on a HBA.
+ - name: physical
+ type: group
+ fields:
+ - name: org_dst
+ type: keyword
+ description: This is used to capture the destination organization based on the
+ GEOPIP Maxmind database.
+ - name: org_src
+ type: keyword
+ description: This is used to capture the source organization based on the GEOPIP
+ Maxmind database.
+ - name: healthcare
+ type: group
+ fields:
+ - name: patient_fname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ type: group
+ fields:
+ - name: host_state
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/packages/tenable/0.1.0/dataset/nessus_security/manifest.yml b/packages/tenable/0.1.0/dataset/nessus_security/manifest.yml
new file mode 100644
index 0000000000..1621f73813
--- /dev/null
+++ b/packages/tenable/0.1.0/dataset/nessus_security/manifest.yml
@@ -0,0 +1,155 @@
+title: Tenable Network Security Nessus logs
+release: experimental
+type: logs
+streams:
+- input: udp
+ title: Tenable Network Security Nessus logs
+ description: Collect Tenable Network Security Nessus logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - tenable-nessus_security
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9515
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: tcp
+ title: Tenable Network Security Nessus logs
+ description: Collect Tenable Network Security Nessus logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - tenable-nessus_security
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9515
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: file
+ title: Tenable Network Security Nessus logs
+ description: Collect Tenable Network Security Nessus logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/tenable-nessus_security.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - tenable-nessus_security
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
diff --git a/packages/tenable/0.1.0/docs/README.md b/packages/tenable/0.1.0/docs/README.md
new file mode 100644
index 0000000000..50820eaa0b
--- /dev/null
+++ b/packages/tenable/0.1.0/docs/README.md
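Review bot: The `file` input block carries no `template_path`, whereas the `udp` and `tcp` inputs set `template_path: udp.yml.hbs` and `template_path: tcp.yml.hbs`; if the package loader does not fall back to a default stream template, this input has nothing to render, so either add an explicit `template_path: <file-stream-template>.yml.hbs` or state in the description that the default template applies. The `tz_offset` variable is titled `Timezone offset (+HH:mm format)` yet defaults to `"local"`, which the title does not cover; a title such as `Timezone offset (+HH:mm format, or "local")` keeps the displayed default consistent with the documented format. Neither network input exposes a TLS or sender-restriction setting, so unless the `udp.yml.hbs`/`tcp.yml.hbs` templates hard-code one, the listener accepts cleartext syslog from any host that can reach the port; because the defaults bind to `localhost`, the `udp_host`/`tcp_host` descriptions should say that moving them to a non-loopback address exposes an unauthenticated ingest endpoint and that the port should then be restricted at the network layer.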
@@ -0,0 +1,780 @@
+# Tenable integration
+
+This integration is for Tenable device's logs. It includes the following
+datasets for receiving logs over syslog or read from a file:
+- `nessus_security` dataset: supports Tenable Network Security Nessus logs.
+
+### Nessus_security
+
+The `nessus_security` dataset collects Tenable Network Security Nessus logs.
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
+| dataset.name | Dataset name. | constant_keyword |
+| dataset.namespace | Dataset namespace. | constant_keyword |
+| dataset.type | Dataset type. | constant_keyword |
+| datastream.dataset | Datastream dataset. | constant_keyword |
+| datastream.namespace | Datastream namespace. | constant_keyword |
+| datastream.type | Datastream type. | constant_keyword |
+| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.bytes | Bytes sent from the destination to the source. | long |
+| destination.domain | Destination domain. | keyword |
+| destination.geo.city_name | City name. | keyword |
+| destination.geo.country_name | Country name. | keyword |
+| destination.geo.location.lat | | double |
+| destination.geo.location.lon | | double |
+| destination.ip | IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses. | ip |
+| destination.mac | MAC address of the destination. | keyword |
+| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
+| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
+| destination.port | Port of the destination. | long |
+| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
+| dns.answers.type | The type of data contained in this resource record. | keyword |
+| dns.question.type | The type of record being queried. | keyword |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
+| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword |
+| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
+| file.extension | File extension. | keyword |
+| file.name | Name of the file including the extension, without the directory. | keyword |
+| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
+| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
+| file.type | File type (file, dir, or symlink). | keyword |
+| geo.city_name | City name. | keyword |
+| geo.country_name | Country name. | keyword |
+| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| geo.region_name | Region name. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| http.request.method | HTTP request method. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
+| http.request.referrer | Referrer for this HTTP request. | keyword |
+| http.response.body.content | The full HTTP response body. | keyword |
+| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
+| log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. | keyword |
+| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
+| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
+| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text |
+| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
+| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
+| network.direction | Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. | keyword |
+| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
+| network.interface.name | | keyword |
+| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
+| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
+| observer.egress.interface.name | Interface name as reported by the system. | keyword |
+| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
+| observer.product | The product name of the observer. | keyword |
+| observer.version | Observer version. | keyword |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
+| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.pid | Process id. | long |
+| process.ppid | Parent process' pid. | long |
+| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long |
+| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword |
+| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long |
+| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword |
+| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long |
+| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword |
+| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword |
+| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword |
+| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword |
+| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword |
+| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword |
+| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword |
+| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long |
+| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword |
+| rsa.crypto.cert_checksum | | keyword |
+| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword |
+| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword |
+| rsa.crypto.cert_host_cat | This key is used for the hostname category value of a certificate | keyword |
+| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword |
+| rsa.crypto.cert_issuer | | keyword |
+| rsa.crypto.cert_keysize | | keyword |
+| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword |
+| rsa.crypto.cert_status | This key captures Certificate validation status | keyword |
+| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword |
+| rsa.crypto.cert_username | | keyword |
+| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword |
+| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long |
+| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long |
+| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword |
+| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword |
+| rsa.crypto.d_certauth | | keyword |
+| rsa.crypto.https_insact | | keyword |
+| rsa.crypto.https_valid | | keyword |
+| rsa.crypto.ike | IKE negotiation phase. | keyword |
+| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword |
+| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword |
+| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword |
+| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword |
+| rsa.crypto.s_certauth | | keyword |
+| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword |
+| rsa.crypto.sig_type | This key captures the Signature Type | keyword |
+| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword |
+| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword |
+| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword |
+| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword |
+| rsa.db.db_pid | This key captures the process id of a connection with database server | long |
+| rsa.db.index | This key captures IndexID of the index. | keyword |
+| rsa.db.instance | This key is used to capture the database server instance name | keyword |
+| rsa.db.lread | This key is used for the number of logical reads | long |
+| rsa.db.lwrite | This key is used for the number of logical writes | long |
+| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. | keyword |
+| rsa.db.pread | This key is used for the number of physical writes | long |
+| rsa.db.table_name | This key is used to capture the table name | keyword |
+| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword |
+| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword |
+| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword |
+| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword |
+| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword |
+| rsa.email.trans_from | Deprecated key defined only in table map. | keyword |
+| rsa.email.trans_to | Deprecated key defined only in table map. | keyword |
+| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on | keyword |
+| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword |
+| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword |
+| rsa.file.attachment | This key captures the attachment file name | keyword |
+| rsa.file.binary | Deprecated key defined only in table map. | keyword |
+| rsa.file.directory_dst | This key is used to capture the directory of the target process or file | keyword |
+| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword |
+| rsa.file.file_entropy | This is used to capture entropy vale of a file | double |
+| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword |
+| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword |
+| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword |
+| rsa.file.filename_tmp | | keyword |
+| rsa.file.filesystem | | keyword |
+| rsa.file.privilege | Deprecated, use permissions | keyword |
+| rsa.file.task_name | This is used to capture name of the task | keyword |
+| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword |
+| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword |
+| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword |
+| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword |
+| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword |
+| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword |
+| rsa.identity.federated_idp | This key is the federated Identity Provider. This is the server providing the authentication. | keyword |
+| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword |
+| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword |
+| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword |
+| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword |
+| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword |
+| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword |
+| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. | keyword |
+| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.org | This key captures the User organization | keyword |
+| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword |
+| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword |
+| rsa.identity.profile | This key is used to capture the user profile | keyword |
+| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword |
+| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword |
+| rsa.identity.user_dept | User's Department Names only | keyword |
+| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword |
+| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword |
+| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword |
+| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword |
+| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.data | Deprecated key defined only in table map. | keyword |
+| rsa.internal.dead | Deprecated key defined only in table map. | long |
+| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_type_id | Deprecated key defined only in table map. | long |
+| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long |
+| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long |
+| rsa.internal.entry | Deprecated key defined only in table map. | keyword |
+| rsa.internal.event_desc | | keyword |
+| rsa.internal.event_name | Deprecated key defined only in table map. | keyword |
+| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip |
+| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.hcode | Deprecated key defined only in table map. | keyword |
+| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.inode | Deprecated key defined only in table map. | long |
+| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date |
+| rsa.internal.level | Deprecated key defined only in table map. | long |
+| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long |
+| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long |
+| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long |
+| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long |
+| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long |
+| rsa.internal.message | This key captures the contents of instant messages | keyword |
+| rsa.internal.messageid | | keyword |
+| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword |
+| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.site | Deprecated key defined only in table map. | keyword | +| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.statement | Deprecated key defined only in table map. | keyword | +| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | +| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | +| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | +| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | +| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | +| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | +| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | +| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | +| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | +| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | +| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | +| rsa.investigations.event_cat | This key captures the Event category number | long | +| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | +| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | +| rsa.investigations.inv_category | This used to capture investigation category | keyword | +| rsa.investigations.inv_context | This used to capture investigation context | keyword | +| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | +| rsa.misc.OS | This key captures the Name of the Operating System | keyword | +| rsa.misc.acl_id | | keyword | +| rsa.misc.acl_op | | keyword | +| rsa.misc.acl_pos | | keyword | +| rsa.misc.acl_table | | keyword | +| rsa.misc.action | | keyword | +| rsa.misc.admin | | keyword | +| rsa.misc.agent_id | This key is used to capture agent id | keyword | +| rsa.misc.alarm_id | | keyword | +| rsa.misc.alarmname | | keyword | +| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.app_id | | keyword | +| rsa.misc.audit | | keyword | +| rsa.misc.audit_object | | keyword | +| rsa.misc.auditdata | | keyword | +| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | +| rsa.misc.benchmark | | keyword | +| rsa.misc.bypass | | keyword | +| rsa.misc.cache | | keyword | +| rsa.misc.cache_hit | | keyword | +| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | +| rsa.misc.cc_number | Valid Credit Card Numbers only | long | +| rsa.misc.cefversion | | keyword | +| rsa.misc.cfg_attr | | keyword | +| rsa.misc.cfg_obj | | keyword | +| rsa.misc.cfg_path | | keyword | +| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | +| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | +| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | +| rsa.misc.changes | | keyword | +| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | +| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | +| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | +| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | +| rsa.misc.client_ip | | keyword | +| rsa.misc.clustermembers | | keyword | +| rsa.misc.cmd | | keyword | +| rsa.misc.cn_acttimeout | | keyword | +| rsa.misc.cn_asn_src | | keyword | +| rsa.misc.cn_bgpv4nxthop | | keyword | +| rsa.misc.cn_ctr_dst_code | | keyword | +| rsa.misc.cn_dst_tos | | keyword | +| rsa.misc.cn_dst_vlan | | keyword | +| rsa.misc.cn_engine_id | | keyword | +| rsa.misc.cn_engine_type | | keyword | +| rsa.misc.cn_f_switch | | keyword | +| rsa.misc.cn_flowsampid | | keyword | +| rsa.misc.cn_flowsampintv | | keyword | +| rsa.misc.cn_flowsampmode | | keyword | +| rsa.misc.cn_inacttimeout | | keyword | +| rsa.misc.cn_inpermbyts | | keyword | +| rsa.misc.cn_inpermpckts | | keyword | +| rsa.misc.cn_invalid | | keyword | +| rsa.misc.cn_ip_proto_ver | | keyword | +| rsa.misc.cn_ipv4_ident | | keyword | +| rsa.misc.cn_l_switch | | keyword | +| rsa.misc.cn_log_did | | keyword | +| rsa.misc.cn_log_rid | | keyword | +| rsa.misc.cn_max_ttl | | keyword | +| rsa.misc.cn_maxpcktlen | | keyword | +| rsa.misc.cn_min_ttl | | keyword | +| rsa.misc.cn_minpcktlen | | keyword | +| rsa.misc.cn_mpls_lbl_1 | | keyword | +| rsa.misc.cn_mpls_lbl_10 | | keyword | +| rsa.misc.cn_mpls_lbl_2 | | keyword | +| rsa.misc.cn_mpls_lbl_3 | | keyword | +| rsa.misc.cn_mpls_lbl_4 | | keyword | +| rsa.misc.cn_mpls_lbl_5 | 
| keyword | +| rsa.misc.cn_mpls_lbl_6 | | keyword | +| rsa.misc.cn_mpls_lbl_7 | | keyword | +| rsa.misc.cn_mpls_lbl_8 | | keyword | +| rsa.misc.cn_mpls_lbl_9 | | keyword | +| rsa.misc.cn_mplstoplabel | | keyword | +| rsa.misc.cn_mplstoplabip | | keyword | +| rsa.misc.cn_mul_dst_byt | | keyword | +| rsa.misc.cn_mul_dst_pks | | keyword | +| rsa.misc.cn_muligmptype | | keyword | +| rsa.misc.cn_sampalgo | | keyword | +| rsa.misc.cn_sampint | | keyword | +| rsa.misc.cn_seqctr | | keyword | +| rsa.misc.cn_spackets | | keyword | +| rsa.misc.cn_src_tos | | keyword | +| rsa.misc.cn_src_vlan | | keyword | +| rsa.misc.cn_sysuptime | | keyword | +| rsa.misc.cn_template_id | | keyword | +| rsa.misc.cn_totbytsexp | | keyword | +| rsa.misc.cn_totflowexp | | keyword | +| rsa.misc.cn_totpcktsexp | | keyword | +| rsa.misc.cn_unixnanosecs | | keyword | +| rsa.misc.cn_v6flowlabel | | keyword | +| rsa.misc.cn_v6optheaders | | keyword | +| rsa.misc.code | | keyword | +| rsa.misc.command | | keyword | +| rsa.misc.comments | Comment information provided in the log message | keyword | +| rsa.misc.comp_class | | keyword | +| rsa.misc.comp_name | | keyword | +| rsa.misc.comp_rbytes | | keyword | +| rsa.misc.comp_sbytes | | keyword | +| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | +| rsa.misc.connection_id | This key captures the Connection ID | keyword | +| rsa.misc.content | This key captures the content type from protocol headers | keyword | +| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | +| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | +| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | +| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | +| rsa.misc.context_target | | keyword | +| rsa.misc.count | | keyword | +| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | +| rsa.misc.cpu_data | | keyword | +| rsa.misc.criticality | | keyword | +| rsa.misc.cs_agency_dst | | keyword | +| rsa.misc.cs_analyzedby | | keyword | +| rsa.misc.cs_av_other | | keyword | +| rsa.misc.cs_av_primary | | keyword | +| rsa.misc.cs_av_secondary | | keyword | +| rsa.misc.cs_bgpv6nxthop | | keyword | +| rsa.misc.cs_bit9status | | keyword | +| rsa.misc.cs_context | | keyword | +| rsa.misc.cs_control | | keyword | +| rsa.misc.cs_data | | keyword | +| rsa.misc.cs_datecret | | keyword | +| rsa.misc.cs_dst_tld | | keyword | +| rsa.misc.cs_eth_dst_ven | | keyword | +| rsa.misc.cs_eth_src_ven | | keyword | +| rsa.misc.cs_event_uuid | | keyword | +| rsa.misc.cs_filetype | | keyword | +| rsa.misc.cs_fld | | keyword | +| rsa.misc.cs_if_desc | | keyword | +| rsa.misc.cs_if_name | | keyword | +| rsa.misc.cs_ip_next_hop | | keyword | +| rsa.misc.cs_ipv4dstpre | | keyword | +| rsa.misc.cs_ipv4srcpre | | keyword | +| rsa.misc.cs_lifetime | | keyword | +| rsa.misc.cs_log_medium | | keyword | +| rsa.misc.cs_loginname | | keyword | +| rsa.misc.cs_modulescore | | keyword | +| rsa.misc.cs_modulesign | | keyword | +| rsa.misc.cs_opswatresult | | keyword | +| rsa.misc.cs_payload | | keyword | +| rsa.misc.cs_registrant | | keyword | +| rsa.misc.cs_registrar | | keyword | +| rsa.misc.cs_represult | | keyword | +| rsa.misc.cs_rpayload | | keyword | +| rsa.misc.cs_sampler_name | | keyword | +| rsa.misc.cs_sourcemodule | | keyword | +| rsa.misc.cs_streams | | keyword | +| rsa.misc.cs_targetmodule | | keyword | +| rsa.misc.cs_v6nxthop | | keyword | +| rsa.misc.cs_whois_server | | keyword | +| rsa.misc.cs_yararesult | | keyword | +| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | +| rsa.misc.data_type | | keyword | +| rsa.misc.description | | keyword | +| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | +| rsa.misc.devvendor | | keyword | +| rsa.misc.disposition | This key captures the The end state of an action. | keyword | +| rsa.misc.distance | | keyword | +| rsa.misc.doc_number | This key captures File Identification number | long | +| rsa.misc.dstburb | | keyword | +| rsa.misc.edomain | | keyword | +| rsa.misc.edomaub | | keyword | +| rsa.misc.ein_number | Employee Identification Numbers only | long | +| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | +| rsa.misc.euid | | keyword | +| rsa.misc.event_category | | keyword | +| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | +| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | +| rsa.misc.event_id | | keyword | +| rsa.misc.event_log | This key captures the Name of the event log | keyword | +| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | +| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | +| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | +| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | +| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | +| rsa.misc.facility | | keyword | +| rsa.misc.facilityname | | keyword | +| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | +| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | +| rsa.misc.finterface | | keyword | +| rsa.misc.flags | | keyword | +| rsa.misc.forensic_info | | keyword | +| rsa.misc.found | This is used to capture the results of regex match | keyword | +| rsa.misc.fresult | This key captures the Filter Result | long | +| rsa.misc.gaddr | | keyword | +| rsa.misc.group | This key captures the Group Name value | keyword | +| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | +| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | +| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | +| rsa.misc.id3 | | keyword | +| rsa.misc.im_buddyid | | keyword | +| rsa.misc.im_buddyname | | keyword | +| rsa.misc.im_client | | keyword | +| rsa.misc.im_croomid | | keyword | +| rsa.misc.im_croomtype | | keyword | +| rsa.misc.im_members | | keyword | +| rsa.misc.im_userid | | keyword | +| rsa.misc.im_username | | keyword | +| rsa.misc.index | | keyword | +| rsa.misc.inout | | keyword | +| rsa.misc.ipkt | | keyword | +| rsa.misc.ipscat | | keyword | +| rsa.misc.ipspri | | keyword | +| rsa.misc.job_num | This key captures the Job Number | keyword | +| rsa.misc.jobname | | keyword | +| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | +| rsa.misc.latitude | | keyword | +| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | +| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | +| rsa.misc.linenum | | keyword | +| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.misc.list_name | | keyword | +| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | +| rsa.misc.load_data | | keyword | +| rsa.misc.location_floor | | keyword | +| rsa.misc.location_mark | | keyword | +| rsa.misc.log_id | | keyword | +| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | +| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | +| rsa.misc.log_type | | keyword | +| rsa.misc.logid | | keyword | +| rsa.misc.logip | | keyword | +| rsa.misc.logname | | keyword | +| rsa.misc.longitude | | keyword | +| rsa.misc.lport | | keyword | +| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | +| rsa.misc.match | This key is for regex match name from search.ini | keyword | +| rsa.misc.mbug_data | | keyword | +| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | +| rsa.misc.misc | | keyword | +| rsa.misc.misc_name | | keyword | +| rsa.misc.mode | | keyword | +| rsa.misc.msgIdPart1 | | keyword | +| rsa.misc.msgIdPart2 | | keyword | +| rsa.misc.msgIdPart3 | | keyword | +| rsa.misc.msgIdPart4 | | keyword | +| rsa.misc.msg_type | | keyword | +| rsa.misc.msgid | | keyword | +| rsa.misc.name | | keyword | +| rsa.misc.netsessid | | keyword | +| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long 
| +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target **VMWARE** only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | +| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | +| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | +| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | +| rsa.threat.alert | This key is used to capture name of the alert | keyword | +| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | +| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | +| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | +| rsa.time.date | | keyword | +| rsa.time.datetime | | keyword | +| rsa.time.day | | keyword | +| rsa.time.duration_str | A text string version of the duration | keyword | +| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | +| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | +| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | +| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | +| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | +| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | +| rsa.time.eventtime | | keyword | +| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | +| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | +| rsa.time.gmtdate | | keyword | +| rsa.time.gmttime | | keyword | +| rsa.time.hour | | keyword | +| rsa.time.min | | keyword | +| rsa.time.month | | keyword | +| rsa.time.p_date | | keyword | +| rsa.time.p_month | | keyword | +| rsa.time.p_time | | keyword | +| rsa.time.p_time1 | | keyword | +| rsa.time.p_time2 | | keyword | +| rsa.time.p_year | | keyword | +| rsa.time.process_time | Deprecated, use duration.time | keyword | +| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | +| rsa.time.stamp | Deprecated key defined only in table map. | date | +| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | +| rsa.time.timestamp | | keyword | +| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | +| rsa.time.tzone | | keyword | +| rsa.time.year | | keyword | +| rsa.web.alias_host | | keyword | +| rsa.web.cn_asn_dst | | keyword | +| rsa.web.cn_rpackets | | keyword | +| rsa.web.fqdn | Fully Qualified Domain Names | keyword | +| rsa.web.p_url | | keyword | +| rsa.web.p_user_agent | | keyword | +| rsa.web.p_web_cookie | | keyword | +| rsa.web.p_web_method | | keyword | +| rsa.web.p_web_referer | | keyword | +| rsa.web.remote_domain | | keyword | +| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | +| rsa.web.urlpage | | keyword | +| rsa.web.urlroot | | keyword | +| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | Server domain. | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | Source domain. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location.lat | | double | +| source.geo.location.lon | | double | +| source.ip | IP address of the source. Can be one or multiple IPv4 or IPv6 addresses. 
| ip | +| source.mac | MAC address of the source. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword | +| url.path | Path of the request, such as "/search". | keyword | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.id | Unique identifiers of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user_agent.original | Unparsed user_agent string. | keyword |
diff --git a/packages/tenable/0.1.0/img/logo.svg b/packages/tenable/0.1.0/img/logo.svg
new file mode 100644
index 0000000000..8b39bf845d
--- /dev/null
+++ b/packages/tenable/0.1.0/img/logo.svg
@@ -0,0 +1 @@
+Tenable Logo
diff --git a/packages/tenable/0.1.0/manifest.yml b/packages/tenable/0.1.0/manifest.yml
new file mode 100644
index 0000000000..9bd5d2ad3a
--- /dev/null
+++ b/packages/tenable/0.1.0/manifest.yml
@@ -0,0 +1,36 @@
+format_version: 1.0.0
+name: tenable
+title: Tenable Network Security Nessus
+version: 0.1.0
+description: Tenable Network Security Nessus Integration
+categories: ["security"]
+release: experimental
+removable: true
+license: basic
+type: integration
+conditions:
+ kibana:
+ version: '>=7.9.0'
+ elasticsearch:
+ version: '>=7.9.0'
+config_templates:
+- name: nessus_security
+ title: Tenable Network Security Nessus
+ description: Collect Tenable Network Security Nessus logs from syslog or a file.
+ inputs:
+ - type: udp
+ title: Collect logs from Tenable Network Security Nessus via UDP
+ description: Collecting syslog from Tenable Network Security Nessus via UDP
+ - type: tcp
+ title: Collect logs from Tenable Network Security Nessus via TCP
+ description: Collecting syslog from Tenable Network Security Nessus via TCP
+ - type: file
+ title: Collect logs from Tenable Network Security Nessus via file
+ description: Collecting syslog from Tenable Network Security Nessus via file.
+# No icon
+icons:
+ - src: /img/logo.svg
+ title: Tenable Network Security Nessus logo
+ size: 32x32
+ type: image/svg+xml
+
diff --git a/packages/tomcat/0.1.0/dataset/log/agent/stream/stream.yml.hbs b/packages/tomcat/0.1.0/dataset/log/agent/stream/stream.yml.hbs
new file mode 100644
index 0000000000..e66f7cad22
--- /dev/null
+++ b/packages/tomcat/0.1.0/dataset/log/agent/stream/stream.yml.hbs
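Review bot: The `# No icon` comment in packages/tenable/0.1.0/manifest.yml is contradicted by the `icons:` block that immediately follows it and declares `/img/logo.svg`, so the comment is stale and should be dropped or replaced with one that matches, e.g. `# Package icon shown in the integrations UI`. The logo added in the same commit shows up in this diff only as the text `Tenable Logo` (the page has presumably stripped the SVG markup), so it is worth confirming the committed file is a real SVG and that the `size: 32x32` declared here matches it. The `udp` and `tcp` inputs ingest plain syslog, which carries no sender authentication, so a sentence in their descriptions reminding operators to bind the listener to a trusted interface and not expose it publicly would be a useful caveat for a security package.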
@@ -0,0 +1,2552 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Apache" + product: "TomCat" + type: "Web" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
+ "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
+ "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
+ "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
+ "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
+ "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
+ "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
+ "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
+ "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
+ "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
+ "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
+ "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
+ "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
+ "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
+ "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
+ "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
+ "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
+ "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
+ "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
+ "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
+ "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
+ "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
+ "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
+ "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
+ "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
+ "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
+ "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
+ "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
+ "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
+ "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
+ "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
+ "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
+ "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
+ "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
+ "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
+ "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
+ "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
+ "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
+ "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
+ "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
+ "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
+ "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
+ "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
+ "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
+ "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
+ "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
+ "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
+ "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
+ "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
+ "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
+ "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
+ "number": {to:[{field: "rsa.misc.number", setter: fld_set}]},
+ "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
+ "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
+ "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
+ "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
+ "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
+ "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
+ "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
+ "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
+ "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
+ "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
+ "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
+ "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
+ "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
+ "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
+ "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
+ "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
+ "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
+ "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
+ "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
+ "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
+ "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
+ "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
+ "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
+ "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
+ "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
+ "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
+ "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
+ "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
+ "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
+ "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
+ "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
+ "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
+ "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
+ "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
+ "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
+ "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
+ "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
+ "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
+ "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
+ "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
+ "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
+ "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
+ "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
+ "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
+ "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
+ "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
+ "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
+ "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
+ "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
+ "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
+ "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
+ "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
+ "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
+ "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
+ "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
+ "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
+ "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
+ "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
+ "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
+ "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
+ "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
+ "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
+ "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
+ "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
+ "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
+ "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
+ "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
+ "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
+ "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
+ "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
+ "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
+ "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
+ "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
+ "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
+ "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
+ "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
+ "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
+ "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
+ "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
+ "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
+ "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
+ "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
+ "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
+ "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
+ "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
+ "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
+ "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
+ "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
+ "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
+ "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
+ "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
+ "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
+ "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
+ "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
+ "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
+ "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
+ "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
+ "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
+ "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
+ "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
+ "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
+ "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
+ "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
+ "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
+ "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
+ "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
+ "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]},
+ "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
+ "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
+ "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
+ "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
+ "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
+ "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
+ "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
+ "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
+ "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
+ "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
+ "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
+ "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
+ "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
+ "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
+ "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
+ "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
+ "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
+ "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
+ "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
+ "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
+ "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
+ "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
+ "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
+ "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
+ "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
+ "second": {to:[{field: "rsa.misc.second", setter: fld_set}]},
+ "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
+ "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
+ "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
+ "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]},
+ "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
+ "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
+ "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
+ "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
+ "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
+ "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
+ "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
+ "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
+ "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
+ "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
+ "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
+ "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
+ "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
+ "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
+ "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
+ "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
+ "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
+ "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
+ "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
+ "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
+ "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
+ "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]},
+ "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
+ "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
+ "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
+ "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
+ "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]},
+ "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
+ "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
+ "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
+ "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
+ "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
+ "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
+ "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
+ "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
+ "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
+ "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
+ "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
+ "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
+ "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
+ "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
+ "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
+ "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
+ "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
+ "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
+ "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
+ "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
+ "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
+ "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
+ "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
+ "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]},
+ "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
+ "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
+ "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
+ "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]},
+ "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
+ "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
+ "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
+ "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
+ "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
+ "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
+ "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
+ "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
+ "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
+ "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
+ "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
+ "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
+ "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
+ "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
+ "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
+ "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
+ "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
+ "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
+ "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
+ "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
+ "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
+ "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
+ "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]},
+ "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
+ "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
+ "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
+ "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]},
+ "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]},
+ "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]},
+ "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]},
+ "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]},
+ "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]},
+ "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]},
+ "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]},
+ "version": {to:[{field: "rsa.misc.version", setter: fld_set}]},
+ "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]},
+ "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]},
+ "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]},
+ "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]},
+ "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]},
+ "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]},
+ "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]},
+ "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]},
+ "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]},
+ "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]},
+ "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]},
+ "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]},
+ "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]},
+ "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]},
+ "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]},
+ "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]},
+ "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]},
+ "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
+ "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
+ "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
+ "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
+ "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
+ "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
+ };
+
+ function to_date(value) {
+ switch (typeof (value)) {
+ case "object":
+ // This is a Date. But as it was obtained from evt.Get(), the VM
+ // doesn't see it as a JS Date anymore, thus value instanceof Date === false.
+ // Have to trust that any object here is a valid Date for Go.
+ return value;
+ case "string":
+ var asDate = new Date(value);
+ if (!isNaN(asDate)) return asDate;
+ }
+ }
+
+ // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
+ var maxSafeInt = Math.pow(2, 53) - 1;
+ var minSafeInt = -maxSafeInt;
+
+ function to_long(value) {
+ var num = parseInt(value);
+ // Better not to index a number if it's not safe (above 53 bits).
+ return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined;
+ }
+
+ function to_ip(value) {
+ if (value.indexOf(":") === -1)
+ return to_ipv4(value);
+ return to_ipv6(value);
+ }
+
+ var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
+ var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
+
+ function to_ipv4(value) {
+ var result = ipv4_regex.exec(value);
+ if (result == null || result.length !== 5) return;
+ for (var i = 1; i < 5; i++) {
+ var num = strictToInt(result[i]);
+ if (isNaN(num) || num < 0 || num > 255) return;
+ }
+ return value;
+ }
+
+ function to_ipv6(value) {
+ var sqEnd = value.indexOf("]");
+ if (sqEnd > -1) {
+ if (value.charAt(0) !== "[") return;
+ value = value.substr(1, sqEnd - 1);
+ }
+ var zoneOffset = value.indexOf("%");
+ if (zoneOffset > -1) {
+ value = value.substr(0, zoneOffset);
+ }
+ var parts = value.split(":");
+ if (parts == null || parts.length < 3 || parts.length > 8) return;
+ var numEmpty = 0;
+ var innerEmpty = 0;
+ for (var i = 0; i < parts.length; i++) {
+ if (parts[i].length === 0) {
+ numEmpty++;
+ if (i > 0 && i + 1 < parts.length) innerEmpty++;
+ } else if (!parts[i].match(ipv6_hex_regex) &&
+ // Accept an IPv6 with a valid IPv4 at the end.
+ ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
+ return;
+ }
+ }
+ return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
+ }
+
+ function to_double(value) {
+ return parseFloat(value);
+ }
+
+ function to_mac(value) {
+ // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
+ return value;
+ }
+
+ function to_lowercase(value) {
+ // to_lowercase is used against keyword fields, which can accept
+ // any other type (numbers, dates).
+ return typeof(value) === "string"? value.toLowerCase() : value;
+ }
+
+ function fld_set(dst, value) {
+ dst[this.field] = { v: value };
+ }
+
+ function fld_append(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: [value] };
+ } else {
+ var base = dst[this.field];
+ if (base.v.indexOf(value)===-1) base.v.push(value);
+ }
+ }
+
+ function fld_prio(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value, prio: this.prio};
+ } else if(this.prio < dst[this.field].prio) {
+ dst[this.field].v = value;
+ dst[this.field].prio = this.prio;
+ }
+ }
+
+ var valid_ecs_outcome = {
+ 'failure': true,
+ 'success': true,
+ 'unknown': true
+ };
+
+ function fld_ecs_outcome(dst, value) {
+ value = value.toLowerCase();
+ if (valid_ecs_outcome[value] === undefined) {
+ value = 'unknown';
+ }
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value };
+ } else if (dst[this.field].v === 'unknown') {
+ dst[this.field] = { v: value };
+ }
+ }
+
+ function map_all(evt, targets, value) {
+ for (var i = 0; i < targets.length; i++) {
+ evt.Put(targets[i], value);
+ }
+ }
+
+ function populate_fields(evt) {
+ var base = evt.Get(FIELDS_OBJECT);
+ if (base === null) return;
+ alternate_datetime(evt);
+ if (map_ecs) {
+ do_populate(evt, base, ecs_mappings);
+ }
+ if (map_rsa) {
+ do_populate(evt, base, rsa_mappings);
+ }
+ if (keep_raw) {
+ evt.Put("rsa.raw", base);
+ }
+ evt.Delete(FIELDS_OBJECT);
+ }
+
+ var datetime_alt_components = [
+ {field: "day", fmts: [[dF]]},
+ {field: "year", fmts: [[dW]]},
+ {field: "month", fmts: [[dB],[dG]]},
+ {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
+ {field: "hour", fmts: [[dN]]},
+ {field: "min", fmts: [[dU]]},
+ {field: "secs", fmts: [[dO]]},
+ {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
+ ];
+
+ function alternate_datetime(evt) {
+ if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
+ return;
+ }
+ var tzOffset = tz_offset;
+ if (tzOffset === "event") {
+
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{timezone}]||%{web_method}||%{web_host}||%{webpage}||%{web_query}||%{network_service}||%{resultcode}||%{sbytes}||%{web_referer}||%{user_agent}||%{web_cookie}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%APACHETOMCAT-%{level}-%{messageid}: %{payload}", processor_chain([ + setc("header_id","0001"), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hostname->} %APACHETOMCAT- %{messageid}: %{payload}", processor_chain([ + setc("header_id","0002"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + ]); + + var msg1 = msg("ABCD", dup7); + + var msg2 = msg("BADMETHOD", dup7); + + var msg3 = msg("BADMTHD", dup7); + + var msg4 = msg("BDMTHD", dup7); + + var msg5 = msg("INDEX", dup7); + + var msg6 = msg("CFYZ", dup7); + + var msg7 = msg("CONNECT", dup7); + + var msg8 = msg("DELETE", dup7); + + var msg9 = msg("DETECT_METHOD_TYPE", dup7); + + var msg10 = msg("FGET", dup7); + + var msg11 = msg("GET", dup7); + + var msg12 = msg("get", dup7); + + var msg13 = msg("HEAD", dup7); + + var msg14 = msg("id", dup7); + + var msg15 = msg("LOCK", dup7); + + var msg16 = msg("MKCOL", dup7); + + var msg17 = msg("NCIRCLE", dup7); + + var msg18 = msg("OPTIONS", dup7); + + var msg19 = msg("POST", dup7); + + var msg20 = msg("PRONECT", dup7); + + var msg21 = msg("PROPFIND", dup7); + + var msg22 = msg("PUT", dup7); + + var msg23 = msg("QUALYS", dup7); + + var msg24 = msg("SEARCH", dup7); + + var msg25 = msg("TRACK", dup7); + + var msg26 = msg("TRACE", dup7); + + var msg27 = msg("uGET", dup7); + + var msg28 = msg("null", dup7); + + var msg29 = msg("rndmmtd", dup7); + + var msg30 = msg("RNDMMTD", dup7); + + var msg31 = msg("asdf", dup7); + + var msg32 = msg("DEBUG", dup7); + + var msg33 = msg("COOK", dup7); + + var msg34 = msg("nGET", dup7); + + var chain1 = 
processor_chain([ + select1, + msgid_select({ + "ABCD": msg1, + "BADMETHOD": msg2, + "BADMTHD": msg3, + "BDMTHD": msg4, + "CFYZ": msg6, + "CONNECT": msg7, + "COOK": msg33, + "DEBUG": msg32, + "DELETE": msg8, + "DETECT_METHOD_TYPE": msg9, + "FGET": msg10, + "GET": msg11, + "HEAD": msg13, + "INDEX": msg5, + "LOCK": msg15, + "MKCOL": msg16, + "NCIRCLE": msg17, + "OPTIONS": msg18, + "POST": msg19, + "PRONECT": msg20, + "PROPFIND": msg21, + "PUT": msg22, + "QUALYS": msg23, + "RNDMMTD": msg30, + "SEARCH": msg24, + "TRACE": msg26, + "TRACK": msg25, + "asdf": msg31, + "get": msg12, + "id": msg14, + "nGET": msg34, + "null": msg28, + "rndmmtd": msg29, + "uGET": msg27, + }), + ]); + + var part1 = match("MESSAGE#0:ABCD", "nwparser.payload", "%{saddr}||%{fld5}||%{username}||[%{fld7->} %{timezone}]||%{web_method}||%{web_host}||%{webpage}||%{web_query}||%{network_service}||%{resultcode}||%{sbytes}||%{web_referer}||%{user_agent}||%{web_cookie}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + ])); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/tomcat/0.1.0/dataset/log/agent/stream/tcp.yml.hbs b/packages/tomcat/0.1.0/dataset/log/agent/stream/tcp.yml.hbs new file mode 100644 index 0000000000..13bcf6639b --- /dev/null +++ b/packages/tomcat/0.1.0/dataset/log/agent/stream/tcp.yml.hbs 
@@ -0,0 +1,2549 @@
+tcp:
+host: "{{tcp_host}}:{{tcp_port}}"
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Apache"
+ product: "TomCat"
+ type: "Web"
+publisher_pipeline.disable_host: true
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{rsa_fields}}
+ tz_offset: {{tz_offset}}
+ keep_raw: {{keep_raw_fields}}
+ debug: {{debug}}
+ source: |
+ // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ // or more contributor license agreements. Licensed under the Elastic License;
+ // you may not use this file except in compliance with the Elastic License.
+
+ /* jshint -W014,-W016,-W097,-W116 */
+
+ var processor = require("processor");
+ var console = require("console");
+
+ var FLAG_FIELD = "log.flags";
+ var FIELDS_OBJECT = "nwparser";
+ var FIELDS_PREFIX = FIELDS_OBJECT + ".";
+
+ var defaults = {
+ debug: false,
+ ecs: true,
+ rsa: false,
+ keep_raw: false,
+ tz_offset: "local",
+ strip_priority: true
+ };
+
+ var saved_flags = null;
+ var debug;
+ var map_ecs;
+ var map_rsa;
+ var keep_raw;
+ var device;
+ var tz_offset;
+ var strip_priority;
+
+ // Register params from configuration.
+ function register(params) {
+ debug = params.debug !== undefined ? params.debug : defaults.debug;
+ map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
+ map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
+ keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
+ tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
+ strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority;
+ device = new DeviceProcessor();
+ }
+
+ function parse_tz_offset(offset) {
+ var date;
+ var m;
+ switch(offset) {
+ // local uses the tz offset from the JS VM.
+ case "local":
+ date = new Date();
+ // Reversing the sign as we the offset from UTC, not to UTC.
+ return parse_local_tz_offset(-date.getTimezoneOffset());
+ // event uses the tz offset from event.timezone (add_locale processor).
+ case "event":
+ return offset;
+ // Otherwise a tz offset in the form "[+-][0-9]{4}" is required.
+ default:
+ m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/);
+ if (m === null || m.length !== 4) {
+ throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM");
+ }
+ return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00");
+ }
+ }
+
+ function parse_local_tz_offset(minutes) {
+ var neg = minutes < 0;
+ minutes = Math.abs(minutes);
+ var min = minutes % 60;
+ var hours = Math.floor(minutes / 60);
+ var pad2digit = function(n) {
+ if (n < 10) { return "0" + n;}
+ return "" + n;
+ };
+ return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min);
+ }
+
+ function process(evt) {
+ // Function register is only called by the processor when `params` are set
+ // in the processor config.
+ if (device === undefined) {
+ register(defaults);
+ }
+ return device.process(evt);
+ }
+
+ function processor_chain(subprocessors) {
+ var builder = new processor.Chain();
+ subprocessors.forEach(builder.Add);
+ return builder.Build().Run;
+ }
+
+ function linear_select(subprocessors) {
+ return function (evt) {
+ var flags = evt.Get(FLAG_FIELD);
+ var i;
+ for (i = 0; i < subprocessors.length; i++) {
+ evt.Delete(FLAG_FIELD);
+ if (debug) console.warn("linear_select trying entry " + i);
+ subprocessors[i](evt);
+ // Dissect processor succeeded?
+ if (evt.Get(FLAG_FIELD) == null) break;
+ if (debug) console.warn("linear_select failed entry " + i);
+ }
+ if (flags !== null) {
+ evt.Put(FLAG_FIELD, flags);
+ }
+ if (debug) {
+ if (i < subprocessors.length) {
+ console.warn("linear_select matched entry " + i);
+ } else {
+ console.warn("linear_select didn't match");
+ }
+ }
+ };
+ }
+
+ function conditional(opt) {
+ return function(evt) {
+ if (opt.if(evt)) {
+ opt.then(evt);
+ } else if (opt.else) {
+ opt.else(evt);
+ }
+ };
+ }
+
+ var strip_syslog_priority = (function() {
+ var isEnabled = function() { return strip_priority === true; };
+ var fetchPRI = field("_pri");
+ var fetchPayload = field("payload");
+ var removePayload = remove(["payload"]);
+ var cleanup = remove(["_pri", "payload"]);
+ var onMatch = function(evt) {
+ var pri, priStr = fetchPRI(evt);
+ if (priStr != null
+ && 0 < priStr.length && priStr.length < 4
+ && !isNaN((pri = Number(priStr)))
+ && 0 <= pri && pri < 192) {
+ var severity = pri & 7,
+ facility = pri >> 3;
+ setc("_severity", "" + severity)(evt);
+ setc("_facility", "" + facility)(evt);
+ // Replace message with priority stripped.
+ evt.Put("message", fetchPayload(evt));
+ removePayload(evt);
+ } else {
+ // not a valid syslog PRI, cleanup.
+ cleanup(evt);
+ }
+ };
+ return conditional({
+ if: isEnabled,
+ then: cleanup_flags(match(
+ "STRIP_PRI",
+ "message",
+ "<%{_pri}>%{payload}",
+ onMatch
+ ))
+ });
+ })();
+
+ function match(id, src, pattern, on_success) {
+ var dissect = new processor.Dissect({
+ field: src,
+ tokenizer: pattern,
+ target_prefix: FIELDS_OBJECT,
+ ignore_failure: true,
+ overwrite_keys: true,
+ trim_values: "right"
+ });
+ return function (evt) {
+ var msg = evt.Get(src);
+ dissect.Run(evt);
+ var failed = evt.Get(FLAG_FIELD) != null;
+ if (debug) {
+ if (failed) {
+ console.debug("dissect fail: " + id + " field:" + src);
+ } else {
+ console.debug("dissect OK: " + id + " field:" + src);
+ }
+ console.debug(" expr: <<" + pattern + ">>");
+ console.debug(" input: <<" + msg + ">>");
+ }
+ if (on_success != null && !failed) {
+ on_success(evt);
+ }
+ };
+ }
+
+ function cleanup_flags(processor) {
+ return function(evt) {
+ processor(evt);
+ evt.Delete(FLAG_FIELD);
+ };
+ }
+
+ function all_match(opts) {
+ return function (evt) {
+ var i;
+ for (i = 0; i < opts.processors.length; i++) {
+ evt.Delete(FLAG_FIELD);
+ opts.processors[i](evt);
+ // Dissect processor succeeded?
+ if (evt.Get(FLAG_FIELD) != null) {
+ if (debug) console.warn("all_match failure at " + i);
+ if (opts.on_failure != null) opts.on_failure(evt);
+ return;
+ }
+ if (debug) console.warn("all_match success at " + i);
+ }
+ if (opts.on_success != null) opts.on_success(evt);
+ };
+ }
+
+ function msgid_select(mapping) {
+ return function (evt) {
+ var msgid = evt.Get(FIELDS_PREFIX + "messageid");
+ if (msgid == null) {
+ if (debug) console.warn("msgid_select: no messageid captured!");
+ return;
+ }
+ var next = mapping[msgid];
+ if (next === undefined) {
+ if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid);
+ return;
+ }
+ if (debug) console.info("msgid_select: matched key=" + msgid);
+ return next(evt);
+ };
+ }
+
+ function msg(msg_id, match) {
+ return function (evt) {
+ match(evt);
+ if (evt.Get(FLAG_FIELD) == null) {
+ evt.Put(FIELDS_PREFIX + "msg_id1", msg_id);
+ }
+ };
+ }
+
+ var start;
+
+ function save_flags(evt) {
+ saved_flags = evt.Get(FLAG_FIELD);
+ evt.Put("event.original", evt.Get("message"));
+ }
+
+ function restore_flags(evt) {
+ if (saved_flags !== null) {
+ evt.Put(FLAG_FIELD, saved_flags);
+ }
+ evt.Delete("message");
+ }
+
+ function constant(value) {
+ return function (evt) {
+ return value;
+ };
+ }
+
+ function field(name) {
+ var fullname = FIELDS_PREFIX + name;
+ return function (evt) {
+ return evt.Get(fullname);
+ };
+ }
+
+ function STRCAT(args) {
+ var s = "";
+ var i;
+ for (i = 0; i < args.length; i++) {
+ s += args[i];
+ }
+ return s;
+ }
+
+ // TODO: Implement
+ function DIRCHK(args) {
+ unimplemented("DIRCHK");
+ }
+
+ function strictToInt(str) {
+ return str * 1;
+ }
+
+ function CALC(args) {
+ if (args.length !== 3) {
+ console.warn("skipped call to CALC with " + args.length + " arguments.");
+ return;
+ }
+ var a = strictToInt(args[0]);
+ var b = strictToInt(args[2]);
+ if (isNaN(a) || isNaN(b)) {
+ console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'.");
+ return;
+ }
+
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage).
+ var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+ };
+
+ function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+ }
+
+ function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+ }
+
+ function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+ }
+
+ function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+ }
+
+ function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+ }
+
+ function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+ }
+
+ var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]},
+ "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
+ "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
+ "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
+ "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
+ "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
+ "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
+ };
+
+ function to_date(value) {
+ switch (typeof (value)) {
+ case "object":
+ // This is a Date. But as it was obtained from evt.Get(), the VM
+ // doesn't see it as a JS Date anymore, thus value instanceof Date === false.
+ // Have to trust that any object here is a valid Date for Go.
+ return value;
+ case "string":
+ var asDate = new Date(value);
+ if (!isNaN(asDate)) return asDate;
+ }
+ }
+
+ // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
+ var maxSafeInt = Math.pow(2, 53) - 1;
+ var minSafeInt = -maxSafeInt;
+
+ function to_long(value) {
+ var num = parseInt(value);
+ // Better not to index a number if it's not safe (above 53 bits).
+ return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined;
+ }
+
+ function to_ip(value) {
+ if (value.indexOf(":") === -1)
+ return to_ipv4(value);
+ return to_ipv6(value);
+ }
+
+ var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
+ var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
+
+ function to_ipv4(value) {
+ var result = ipv4_regex.exec(value);
+ if (result == null || result.length !== 5) return;
+ for (var i = 1; i < 5; i++) {
+ var num = strictToInt(result[i]);
+ if (isNaN(num) || num < 0 || num > 255) return;
+ }
+ return value;
+ }
+
+ function to_ipv6(value) {
+ var sqEnd = value.indexOf("]");
+ if (sqEnd > -1) {
+ if (value.charAt(0) !== "[") return;
+ value = value.substr(1, sqEnd - 1);
+ }
+ var zoneOffset = value.indexOf("%");
+ if (zoneOffset > -1) {
+ value = value.substr(0, zoneOffset);
+ }
+ var parts = value.split(":");
+ if (parts == null || parts.length < 3 || parts.length > 8) return;
+ var numEmpty = 0;
+ var innerEmpty = 0;
+ for (var i = 0; i < parts.length; i++) {
+ if (parts[i].length === 0) {
+ numEmpty++;
+ if (i > 0 && i + 1 < parts.length) innerEmpty++;
+ } else if (!parts[i].match(ipv6_hex_regex) &&
+ // Accept an IPv6 with a valid IPv4 at the end.
+ ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
+ return;
+ }
+ }
+ return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
+ }
+
+ function to_double(value) {
+ return parseFloat(value);
+ }
+
+ function to_mac(value) {
+ // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
+ return value;
+ }
+
+ function to_lowercase(value) {
+ // to_lowercase is used against keyword fields, which can accept
+ // any other type (numbers, dates).
+ return typeof(value) === "string"? 
value.toLowerCase() : value;
+ }
+
+ function fld_set(dst, value) {
+ dst[this.field] = { v: value };
+ }
+
+ function fld_append(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: [value] };
+ } else {
+ var base = dst[this.field];
+ if (base.v.indexOf(value)===-1) base.v.push(value);
+ }
+ }
+
+ function fld_prio(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value, prio: this.prio};
+ } else if(this.prio < dst[this.field].prio) {
+ dst[this.field].v = value;
+ dst[this.field].prio = this.prio;
+ }
+ }
+
+ var valid_ecs_outcome = {
+ 'failure': true,
+ 'success': true,
+ 'unknown': true
+ };
+
+ function fld_ecs_outcome(dst, value) {
+ value = value.toLowerCase();
+ if (valid_ecs_outcome[value] === undefined) {
+ value = 'unknown';
+ }
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value };
+ } else if (dst[this.field].v === 'unknown') {
+ dst[this.field] = { v: value };
+ }
+ }
+
+ function map_all(evt, targets, value) {
+ for (var i = 0; i < targets.length; i++) {
+ evt.Put(targets[i], value);
+ }
+ }
+
+ function populate_fields(evt) {
+ var base = evt.Get(FIELDS_OBJECT);
+ if (base === null) return;
+ alternate_datetime(evt);
+ if (map_ecs) {
+ do_populate(evt, base, ecs_mappings);
+ }
+ if (map_rsa) {
+ do_populate(evt, base, rsa_mappings);
+ }
+ if (keep_raw) {
+ evt.Put("rsa.raw", base);
+ }
+ evt.Delete(FIELDS_OBJECT);
+ }
+
+ var datetime_alt_components = [
+ {field: "day", fmts: [[dF]]},
+ {field: "year", fmts: [[dW]]},
+ {field: "month", fmts: [[dB],[dG]]},
+ {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
+ {field: "hour", fmts: [[dN]]},
+ {field: "min", fmts: [[dU]]},
+ {field: "secs", fmts: [[dO]]},
+ {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
+ ];
+
+ function alternate_datetime(evt) {
+ if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
+ return;
+ }
+ var tzOffset = tz_offset;
+ if (tzOffset === "event") {
+ 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{timezone}]||%{web_method}||%{web_host}||%{webpage}||%{web_query}||%{network_service}||%{resultcode}||%{sbytes}||%{web_referer}||%{user_agent}||%{web_cookie}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%APACHETOMCAT-%{level}-%{messageid}: %{payload}", processor_chain([ + setc("header_id","0001"), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hostname->} %APACHETOMCAT- %{messageid}: %{payload}", processor_chain([ + setc("header_id","0002"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + ]); + + var msg1 = msg("ABCD", dup7); + + var msg2 = msg("BADMETHOD", dup7); + + var msg3 = msg("BADMTHD", dup7); + + var msg4 = msg("BDMTHD", dup7); + + var msg5 = msg("INDEX", dup7); + + var msg6 = msg("CFYZ", dup7); + + var msg7 = msg("CONNECT", dup7); + + var msg8 = msg("DELETE", dup7); + + var msg9 = msg("DETECT_METHOD_TYPE", dup7); + + var msg10 = msg("FGET", dup7); + + var msg11 = msg("GET", dup7); + + var msg12 = msg("get", dup7); + + var msg13 = msg("HEAD", dup7); + + var msg14 = msg("id", dup7); + + var msg15 = msg("LOCK", dup7); + + var msg16 = msg("MKCOL", dup7); + + var msg17 = msg("NCIRCLE", dup7); + + var msg18 = msg("OPTIONS", dup7); + + var msg19 = msg("POST", dup7); + + var msg20 = msg("PRONECT", dup7); + + var msg21 = msg("PROPFIND", dup7); + + var msg22 = msg("PUT", dup7); + + var msg23 = msg("QUALYS", dup7); + + var msg24 = msg("SEARCH", dup7); + + var msg25 = msg("TRACK", dup7); + + var msg26 = msg("TRACE", dup7); + + var msg27 = msg("uGET", dup7); + + var msg28 = msg("null", dup7); + + var msg29 = msg("rndmmtd", dup7); + + var msg30 = msg("RNDMMTD", dup7); + + var msg31 = msg("asdf", dup7); + + var msg32 = msg("DEBUG", dup7); + + var msg33 = msg("COOK", dup7); + + var msg34 = msg("nGET", dup7); + + var chain1 = 
processor_chain([
+ select1,
+ msgid_select({
+ "ABCD": msg1,
+ "BADMETHOD": msg2,
+ "BADMTHD": msg3,
+ "BDMTHD": msg4,
+ "CFYZ": msg6,
+ "CONNECT": msg7,
+ "COOK": msg33,
+ "DEBUG": msg32,
+ "DELETE": msg8,
+ "DETECT_METHOD_TYPE": msg9,
+ "FGET": msg10,
+ "GET": msg11,
+ "HEAD": msg13,
+ "INDEX": msg5,
+ "LOCK": msg15,
+ "MKCOL": msg16,
+ "NCIRCLE": msg17,
+ "OPTIONS": msg18,
+ "POST": msg19,
+ "PRONECT": msg20,
+ "PROPFIND": msg21,
+ "PUT": msg22,
+ "QUALYS": msg23,
+ "RNDMMTD": msg30,
+ "SEARCH": msg24,
+ "TRACE": msg26,
+ "TRACK": msg25,
+ "asdf": msg31,
+ "get": msg12,
+ "id": msg14,
+ "nGET": msg34,
+ "null": msg28,
+ "rndmmtd": msg29,
+ "uGET": msg27,
+ }),
+ ]);
+
+ var part1 = match("MESSAGE#0:ABCD", "nwparser.payload", "%{saddr}||%{fld5}||%{username}||[%{fld7->} %{timezone}]||%{web_method}||%{web_host}||%{webpage}||%{web_query}||%{network_service}||%{resultcode}||%{sbytes}||%{web_referer}||%{user_agent}||%{web_cookie}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup6,
+ ]));
+
+- community_id:
+- add_locale: ~
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/packages/tomcat/0.1.0/dataset/log/agent/stream/udp.yml.hbs b/packages/tomcat/0.1.0/dataset/log/agent/stream/udp.yml.hbs
new file mode 100644
index 0000000000..1ce973083e
--- /dev/null
+++ b/packages/tomcat/0.1.0/dataset/log/agent/stream/udp.yml.hbs
@@ -0,0 +1,2549 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Apache" + product: "TomCat" + type: "Web" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{timezone}]||%{web_method}||%{web_host}||%{webpage}||%{web_query}||%{network_service}||%{resultcode}||%{sbytes}||%{web_referer}||%{user_agent}||%{web_cookie}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%APACHETOMCAT-%{level}-%{messageid}: %{payload}", processor_chain([ + setc("header_id","0001"), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hostname->} %APACHETOMCAT- %{messageid}: %{payload}", processor_chain([ + setc("header_id","0002"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + ]); + + var msg1 = msg("ABCD", dup7); + + var msg2 = msg("BADMETHOD", dup7); + + var msg3 = msg("BADMTHD", dup7); + + var msg4 = msg("BDMTHD", dup7); + + var msg5 = msg("INDEX", dup7); + + var msg6 = msg("CFYZ", dup7); + + var msg7 = msg("CONNECT", dup7); + + var msg8 = msg("DELETE", dup7); + + var msg9 = msg("DETECT_METHOD_TYPE", dup7); + + var msg10 = msg("FGET", dup7); + + var msg11 = msg("GET", dup7); + + var msg12 = msg("get", dup7); + + var msg13 = msg("HEAD", dup7); + + var msg14 = msg("id", dup7); + + var msg15 = msg("LOCK", dup7); + + var msg16 = msg("MKCOL", dup7); + + var msg17 = msg("NCIRCLE", dup7); + + var msg18 = msg("OPTIONS", dup7); + + var msg19 = msg("POST", dup7); + + var msg20 = msg("PRONECT", dup7); + + var msg21 = msg("PROPFIND", dup7); + + var msg22 = msg("PUT", dup7); + + var msg23 = msg("QUALYS", dup7); + + var msg24 = msg("SEARCH", dup7); + + var msg25 = msg("TRACK", dup7); + + var msg26 = msg("TRACE", dup7); + + var msg27 = msg("uGET", dup7); + + var msg28 = msg("null", dup7); + + var msg29 = msg("rndmmtd", dup7); + + var msg30 = msg("RNDMMTD", dup7); + + var msg31 = msg("asdf", dup7); + + var msg32 = msg("DEBUG", dup7); + + var msg33 = msg("COOK", dup7); + + var msg34 = msg("nGET", dup7); + + var chain1 = 
processor_chain([ + select1, + msgid_select({ + "ABCD": msg1, + "BADMETHOD": msg2, + "BADMTHD": msg3, + "BDMTHD": msg4, + "CFYZ": msg6, + "CONNECT": msg7, + "COOK": msg33, + "DEBUG": msg32, + "DELETE": msg8, + "DETECT_METHOD_TYPE": msg9, + "FGET": msg10, + "GET": msg11, + "HEAD": msg13, + "INDEX": msg5, + "LOCK": msg15, + "MKCOL": msg16, + "NCIRCLE": msg17, + "OPTIONS": msg18, + "POST": msg19, + "PRONECT": msg20, + "PROPFIND": msg21, + "PUT": msg22, + "QUALYS": msg23, + "RNDMMTD": msg30, + "SEARCH": msg24, + "TRACE": msg26, + "TRACK": msg25, + "asdf": msg31, + "get": msg12, + "id": msg14, + "nGET": msg34, + "null": msg28, + "rndmmtd": msg29, + "uGET": msg27, + }), + ]); + + var part1 = match("MESSAGE#0:ABCD", "nwparser.payload", "%{saddr}||%{fld5}||%{username}||[%{fld7->} %{timezone}]||%{web_method}||%{web_host}||%{webpage}||%{web_query}||%{network_service}||%{resultcode}||%{sbytes}||%{web_referer}||%{user_agent}||%{web_cookie}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + ])); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/tomcat/0.1.0/dataset/log/elasticsearch/ingest_pipeline/default.yml b/packages/tomcat/0.1.0/dataset/log/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 0000000000..e5cd87682e --- /dev/null +++ b/packages/tomcat/0.1.0/dataset/log/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Apache Tomcat
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/tomcat/0.1.0/dataset/log/fields/base-fields.yml b/packages/tomcat/0.1.0/dataset/log/fields/base-fields.yml
new file mode 100644
index 0000000000..b294eaf20e
--- /dev/null
+++ b/packages/tomcat/0.1.0/dataset/log/fields/base-fields.yml
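Review bot: The `on_failure` handler at the end of the hunk records only `error.message`, so a document that left the pipeline half-enriched is indistinguishable from a fully processed one unless someone queries for that field; adding `- set:` / `field: event.kind` / `value: pipeline_error` beside the `append` gives failed documents a searchable marker that detection content can key on. This matters because a processor exception aborts the remaining steps: if `source.ip` arrives with a value that is not an IP literal, the first `geoip` raises and the AS lookups and `rename`s after it never run, yet the document is still indexed (inferred from ingest-pipeline semantics rather than from anything visible in the hunk). A short comment above `on_failure:` such as `# Any processor error stops the pipeline; the document is still indexed with error.message set.` would make that contract explicit for whoever operates the pipeline.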
@@ -0,0 +1,26 @@
+- name: datastream.type
+ type: constant_keyword
+ description: Datastream type.
+- name: datastream.dataset
+ type: constant_keyword
+ description: Datastream dataset.
+- name: datastream.namespace
+ type: constant_keyword
+ description: Datastream namespace.
+
+- name: dataset.type
+ type: constant_keyword
+ description: >
+ Dataset type.
+- name: dataset.name
+ type: constant_keyword
+ description: >
+ Dataset name.
+- name: dataset.namespace
+ type: constant_keyword
+ description: >
+ Dataset namespace.
+- name: "@timestamp"
+ type: date
+ description: >
+ Event timestamp.
diff --git a/packages/tomcat/0.1.0/dataset/log/fields/ecs.yml b/packages/tomcat/0.1.0/dataset/log/fields/ecs.yml
new file mode 100644
index 0000000000..92af91c339
--- /dev/null
+++ b/packages/tomcat/0.1.0/dataset/log/fields/ecs.yml
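Review bot: Two parallel triples are declared in this file, `datastream.{type,dataset,namespace}` and `dataset.{type,name,namespace}`, with descriptions that differ only in the noun, and nothing tells a consumer which group to rely on. If `dataset.*` is being kept for compatibility with an older naming (inferred only from both groups being `constant_keyword` with the same role), its descriptions should say so, e.g. `description: Dataset type (kept for compatibility; prefer datastream.type).` The two groups also use different scalar styles for identical one-line values (`description: Datastream type.` versus the folded `description: >`); using one form throughout would make the mapping easier to compare against the README field table.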
@@ -0,0 +1,836 @@ +- name: log + type: group + fields: + - name: original + level: core + type: keyword + ignore_above: 1024 + description: 'This is the original log message and contains the full log message + before splitting it up in multiple parts. + + In contrast to the `message` field which can contain an extracted part of the + log message, this field contains the original, full log message. It can have + already some modifications applied like encoding or new lines removed to clean + up the log message. + + This field is not indexed and doc_values are disabled so it can''t be queried + but the value can be retrieved from `_source`.' + example: Sep 19 08:26:10 localhost My log + - name: level + level: core + type: keyword + ignore_above: 1024 + description: 'Original log level of the log event. + + If the source of the event provides a log level or textual severity, this is + the one that goes in `log.level`. If your source doesn''t specify one, you may + put your event transport''s severity here (e.g. Syslog severity). + + Some examples are `warn`, `err`, `i`, `informational`.' + example: error + - name: syslog + type: group + fields: + - name: priority + level: extended + type: long + format: string + description: 'Syslog numeric priority of the event, if available. + + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. + This number is therefore expected to contain a value between 0 and 191.' + example: 135 + - name: facility + type: group + fields: + - name: code + level: extended + type: long + format: string + description: 'The Syslog numeric facility of the log event, if available. + + According to RFCs 5424 and 3164, this value should be an integer between + 0 and 23.' + example: 23 + - name: severity + type: group + fields: + - name: code + level: extended + type: long + description: 'The Syslog numeric severity of the log event, if available. 
+ + If the event source publishing via Syslog provides a different numeric severity + value (e.g. firewall, IDS), your source''s numeric severity should go to + `event.severity`. If the event source does not specify a distinct severity, + you can optionally copy the Syslog severity to `event.severity`.' + example: 3 +- name: event + type: group + fields: + - name: code + level: extended + type: keyword + ignore_above: 1024 + description: 'Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, regardless + of message language or wording adjustments over time. An example of this is + the Windows Event ID.' + example: 4648 + - name: action + level: core + type: keyword + ignore_above: 1024 + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is normally + defined by the implementer.' + example: user-password-change + - name: outcome + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + lowest level in the ECS category hierarchy. + + `event.outcome` simply denotes whether the event represents a success or a failure + from the perspective of the entity that produced the event. + + Note that when a single transaction is described in multiple events, each event + may populate different values of `event.outcome`, according to their perspective. + + Also note that in the case of a compound event (a single event that contains + multiple logical events), this field should be populated with the value that + best captures the overall success or failure from the perspective of the event + producer. + + Further note that not all events will have an associated outcome. 
For example, + this field is generally not populated for metric events, events with `event.type:info`, + or any events for which an outcome does not make logical sense.' + example: success + - name: category + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as a + subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + - name: timezone + level: extended + type: keyword + ignore_above: 1024 + description: 'This field should be populated when the event''s timestamp does + not include timezone information already (e.g. default Syslog timestamps). It''s + optional otherwise. + + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated + (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' +- name: '@timestamp' + level: core + required: true + type: date + description: 'Date/time when the event originated. + + This is the date/time extracted from the event, typically representing when the + event was generated by the source. + + If the event source has no original timestamp, this value is typically populated + by the first time the event was received by the pipeline. + + Required field for all events.' + example: '2016-05-23T08:05:34.853Z' +- name: user + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. 
+ example: albert + - name: full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifiers of the user. +- name: message + level: core + type: text + description: 'For log events the message field contains the log message, optimized + for viewing in a log viewer. + + For structured logs without an original message field, other fields can be concatenated + to form a human-readable summary of the event. + + If multiple messages exist, they can be combined into one message.' + example: Hello World +- name: source + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the source. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the source. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the source. + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. 
internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Source domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: host + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified + domain name, or a name specified by the user. The sender decides which value + to use.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. +- name: destination + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the destination. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the destination. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event destination addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. 
You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the destination to the source. + example: 184 + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the destination. + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of destination based NAT sessions (e.g. internet + to private DMZ) + + Typically used with load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Port the source session is translated to by NAT Device. + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Destination domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: network + type: group + fields: + - name: protocol + level: core + type: keyword + ignore_above: 1024 + description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: http + - name: application + level: extended + type: keyword + ignore_above: 1024 + description: 'A name given to an application level protocol. This can be arbitrarily + assigned for things like microservices, but also apply to things like skype, + icq, facebook, twitter. 
This would be used in situations where the vendor or + service can be decoded such as from the source/dest IP owners, ports, or wire + format. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: aim + - name: interface + type: group + fields: + - type: keyword + name: name + - name: bytes + level: core + type: long + format: bytes + description: 'Total bytes transferred in both directions. + + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their + sum.' + example: 368 + - name: direction + level: core + type: keyword + ignore_above: 1024 + description: "Direction of the network traffic.\nRecommended values are:\n *\ + \ inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen mapping\ + \ events from a host-based monitoring context, populate this field from the\ + \ host's point of view.\nWhen mapping events from a network or perimeter-based\ + \ monitoring context, populate this field from the point of view of your network\ + \ perimeter." + example: inbound + - name: packets + level: core + type: long + description: 'Total packets transferred in both directions. + + If `source.packets` and `destination.packets` are known, `network.packets` is + their sum.' + example: 24 + - name: forwarded_ip + level: core + type: ip + description: Host IP address when the source IP address is the proxy. + example: 192.1.1.2 +- name: observer + type: group + fields: + - name: version + level: core + type: keyword + ignore_above: 1024 + description: Observer version. + - name: product + level: extended + type: keyword + ignore_above: 1024 + description: The product name of the observer. + example: s200 + - name: ingress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. 
+ example: eth0 + default_field: false + - name: egress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. + example: eth0 + default_field: false +- name: file + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. + example: example.png + - name: directory + level: extended + type: keyword + ignore_above: 1024 + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + - name: size + level: extended + type: long + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: File type (file, dir, or symlink). + example: file + - name: extension + level: extended + type: keyword + ignore_above: 1024 + description: File extension. + example: png + - name: path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + - name: attributes + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' 
+ example: '["readonly", "system"]' + default_field: false +- name: url + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + - name: query + level: extended + type: keyword + ignore_above: 1024 + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there is + no query field. If there is a `?` but no query, the query field exists with + an empty string. The `exists` query can be used to differentiate between the + two cases.' + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field.' + example: www.elastic.co + - name: path + level: extended + type: keyword + ignore_above: 1024 + description: Path of the request, such as "/search". + - name: top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for google.com is "com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). 
Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.google.com" is "google.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: google.com +- name: service + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the service data is collected from. + + The name of the service is normally user given. This allows for distributed + services that run on multiple hosts to correlate the related instances based + on the name. + + In the case of Elasticsearch the `service.name` could contain the cluster name. + For Beats the `service.name` is by default a copy of the `service.type` field + if no name is specified.' + example: elasticsearch-metrics +- name: server + type: group + fields: + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Server domain. +- name: process + type: group + fields: + - name: pid + level: core + type: long + format: string + description: Process id. + example: 4242 + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + - name: ppid + level: extended + type: long + format: string + description: Parent process' pid. 
+ example: 4241 + - name: parent + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' +- name: rule + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: The name of the rule or signature generating the event. + example: BLOCK_DNS_over_TLS + default_field: false +- name: user_agent + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Unparsed user_agent string. + example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 + (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 +- name: http + type: group + fields: + - name: response + type: group + fields: + - name: body + type: group + fields: + - name: content + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: The full HTTP response body. 
+ example: Hello world + - name: request + type: group + fields: + - name: referrer + level: extended + type: keyword + ignore_above: 1024 + description: Referrer for this HTTP request. + example: https://blog.example.com/ + - name: method + level: extended + type: keyword + ignore_above: 1024 + description: 'HTTP request method. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: get, post, put +- name: geo + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + - name: region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec +- name: dns + type: group + fields: + - name: question + type: group + fields: + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of record being queried. + example: AAAA + - name: answers + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'The domain name to which this resource record pertains. + + If a chain of CNAME is being resolved, each answer''s `name` should be the + one that corresponds with the answer''s `data`. It should not simply be the + original `question.name` repeated.' + example: www.google.com + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of data contained in this resource record. 
+ example: CNAME
diff --git a/packages/tomcat/0.1.0/dataset/log/fields/fields.yml b/packages/tomcat/0.1.0/dataset/log/fields/fields.yml
new file mode 100644
index 0000000000..2abc947fe7
--- /dev/null
+++ b/packages/tomcat/0.1.0/dataset/log/fields/fields.yml
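Review bot: The `log.original` definition at the top of this file describes the field as "not indexed and doc_values are disabled so it can't be queried", yet the mapping on the same entry is a plain `type: keyword` with `ignore_above: 1024` and neither `index: false` nor `doc_values: false`, so the description and the mapping contradict each other. Because this field holds the full raw log line, the difference matters for what is searchable and aggregatable; either add `index: false` and `doc_values: false` under `ignore_above: 1024` to match the description, or reword the description to say the field is indexed as a keyword and that values longer than 1024 characters are not indexed. The same description also does not mention the `ignore_above` truncation behaviour, which affects long access-log lines.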
@@ -0,0 +1,1939 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. 
+ - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session
+ - name: boc
+ type: keyword
+ description: This is used to capture behaviour of compromise
+ - name: eoc
+ type: keyword
+ description: This is used to capture Enablers of Compromise
+ - name: inv_category
+ type: keyword
+ description: This used to capture investigation category
+ - name: inv_context
+ type: keyword
+ description: This used to capture investigation context
+ - name: ioc
+ type: keyword
+ description: This is key capture indicator of compromise
+ - name: counters
+ type: group
+ fields:
+ - name: dclass_c1
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c1.str only
+ - name: dclass_c2
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c2.str only
+ - name: event_counter
+ type: long
+ description: This is used to capture the number of times an event repeated
+ - name: dclass_r1
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r1.str only
+ - name: dclass_c3
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c3.str only
+ - name: dclass_c1_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c1 only
+ - name: dclass_c2_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c2 only
+ - name: dclass_r1_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r1 only
+ - name: dclass_r2
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r2.str only
+ - name: dclass_c3_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c3 only
+ - name: dclass_r3
+ type: keyword
+ description: This is a 
generic ratio key that should be used with the label
+ dclass.r3.str only
+ - name: dclass_r2_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r2 only
+ - name: dclass_r3_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r3 only
+ - name: identity
+ type: group
+ fields:
+ - name: auth_method
+ type: keyword
+ description: This key is used to capture authentication methods used only
+ - name: user_role
+ type: keyword
+ description: This key is used to capture the Role of a user only
+ - name: dn
+ type: keyword
+ description: X.500 (LDAP) Distinguished Name
+ - name: logon_type
+ type: keyword
+ description: This key is used to capture the type of logon method used.
+ - name: profile
+ type: keyword
+ description: This key is used to capture the user profile
+ - name: accesses
+ type: keyword
+ description: This key is used to capture actual privileges used in accessing
+ an object
+ - name: realm
+ type: keyword
+ description: Radius realm or similar grouping of accounts
+ - name: user_sid_dst
+ type: keyword
+ description: This key captures Destination User Session ID
+ - name: dn_src
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that is used in a context that
+ indicates a Source dn
+ - name: org
+ type: keyword
+ description: This key captures the User organization
+ - name: dn_dst
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that used in a context that
+ indicates a Destination dn
+ - name: firstname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: lastname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: user_dept
+ type: keyword
+ description: User's Department Names only
+ - name: 
user_sid_src
+ type: keyword
+ description: This key captures Source User Session ID
+ - name: federated_sp
+ type: keyword
+ description: This key is the Federated Service Provider. This is the application
+ requesting authentication.
+ - name: federated_idp
+ type: keyword
+ description: This key is the federated Identity Provider. This is the server
+ providing the authentication.
+ - name: logon_type_desc
+ type: keyword
+ description: This key is used to capture the textual description of an integer
+ logon type as stored in the meta key 'logon.type'.
+ - name: middlename
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: password
+ type: keyword
+ description: This key is for Passwords seen in any session, plain text or encrypted
+ - name: host_role
+ type: keyword
+ description: This key should only be used to capture the role of a Host Machine
+ - name: ldap
+ type: keyword
+ description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
+ t have a clear query or response context"
+ - name: ldap_query
+ type: keyword
+ description: This key is the Search criteria from an LDAP search
+ - name: ldap_response
+ type: keyword
+ description: This key is to capture Results from an LDAP search
+ - name: owner
+ type: keyword
+ description: This is used to capture username the process or service is running
+ as, the author of the task
+ - name: service_account
+ type: keyword
+ description: This key is a windows specific key, used for capturing name of
+ the account a service (referenced in the event) is running under. 
Legacy Usage
+ - name: email
+ type: group
+ fields:
+ - name: email_dst
+ type: keyword
+ description: This key is used to capture the Destination email address only,
+ when the destination context is not clear use email
+ - name: email_src
+ type: keyword
+ description: This key is used to capture the source email address only, when
+ the source context is not clear use email
+ - name: subject
+ type: keyword
+ description: This key is used to capture the subject string from an Email only.
+ - name: email
+ type: keyword
+ description: This key is used to capture a generic email address where the source
+ or destination context is not clear
+ - name: trans_from
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: trans_to
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: file
+ type: group
+ fields:
+ - name: privilege
+ type: keyword
+ description: Deprecated, use permissions
+ - name: attachment
+ type: keyword
+ description: This key captures the attachment file name
+ - name: filesystem
+ type: keyword
+ - name: binary
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: filename_dst
+ type: keyword
+ description: This is used to capture name of the file targeted by the action
+ - name: filename_src
+ type: keyword
+ description: This is used to capture name of the parent filename, the file which
+ performed the action
+ - name: filename_tmp
+ type: keyword
+ - name: directory_dst
+ type: keyword
+ description: This key is used to capture the directory of the target process
+ or file
+ - name: directory_src
+ type: keyword
+ description: This key is used to capture the directory of the source process
+ or file
+ - name: file_entropy
+ type: double
+ description: This is used to capture entropy vale of a file
+ - name: file_vendor
+ type: keyword
+ description: This is used to capture Company name of file located in version_info
+ - name: task_name
+ type: keyword
+ description: This is used to capture name of the task
+ - name: web
+ type: group
+ fields:
+ - name: fqdn
+ type: keyword
+ description: Fully Qualified Domain Names
+ - name: web_cookie
+ type: keyword
+ description: This key is used to capture the Web cookies specifically.
+ - name: alias_host
+ type: keyword
+ - name: reputation_num
+ type: double
+ description: Reputation Number of an entity. 
Typically used for Web Domains
+ - name: web_ref_domain
+ type: keyword
+ description: Web referer's domain
+ - name: web_ref_query
+ type: keyword
+ description: This key captures Web referer's query portion of the URL
+ - name: remote_domain
+ type: keyword
+ - name: web_ref_page
+ type: keyword
+ description: This key captures Web referer's page information
+ - name: web_ref_root
+ type: keyword
+ description: Web referer's root URL path
+ - name: cn_asn_dst
+ type: keyword
+ - name: cn_rpackets
+ type: keyword
+ - name: urlpage
+ type: keyword
+ - name: urlroot
+ type: keyword
+ - name: p_url
+ type: keyword
+ - name: p_user_agent
+ type: keyword
+ - name: p_web_cookie
+ type: keyword
+ - name: p_web_method
+ type: keyword
+ - name: p_web_referer
+ type: keyword
+ - name: web_extension_tmp
+ type: keyword
+ - name: web_page
+ type: keyword
+ - name: threat
+ type: group
+ fields:
+ - name: threat_category
+ type: keyword
+ description: This key captures Threat Name/Threat Category/Categorization of
+ alert
+ - name: threat_desc
+ type: keyword
+ description: This key is used to capture the threat description from the session
+ directly or inferred
+ - name: alert
+ type: keyword
+ description: This key is used to capture name of the alert
+ - name: threat_source
+ type: keyword
+ description: This key is used to capture source of the threat
+ - name: crypto
+ type: group
+ fields:
+ - name: crypto
+ type: keyword
+ description: This key is used to capture the Encryption Type or Encryption Key
+ only
+ - name: cipher_src
+ type: keyword
+ description: This key is for Source (Client) Cipher
+ - name: cert_subject
+ type: keyword
+ description: This key is used to capture the Certificate organization only
+ - name: peer
+ type: keyword
+ description: This key is for Encryption peer's IP Address
+ - name: cipher_size_src
+ type: long
+ description: This key captures Source (Client) Cipher Size
+ - name: ike
+ type: keyword
+ description: IKE negotiation phase. 
+ - name: scheme
+ type: keyword
+ description: This key captures the Encryption scheme used
+ - name: peer_id
+ type: keyword
+ description: "This key is for Encryption peer\u2019s identity"
+ - name: sig_type
+ type: keyword
+ description: This key captures the Signature Type
+ - name: cert_issuer
+ type: keyword
+ - name: cert_host_name
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: cert_error
+ type: keyword
+ description: This key captures the Certificate Error String
+ - name: cipher_dst
+ type: keyword
+ description: This key is for Destination (Server) Cipher
+ - name: cipher_size_dst
+ type: long
+ description: This key captures Destination (Server) Cipher Size
+ - name: ssl_ver_src
+ type: keyword
+ description: Deprecated, use version
+ - name: d_certauth
+ type: keyword
+ - name: s_certauth
+ type: keyword
+ - name: ike_cookie1
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
+ - name: ike_cookie2
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
+ - name: cert_checksum
+ type: keyword
+ - name: cert_host_cat
+ type: keyword
+ description: This key is used for the hostname category value of a certificate
+ - name: cert_serial
+ type: keyword
+ description: This key is used to capture the Certificate serial number only
+ - name: cert_status
+ type: keyword
+ description: This key captures Certificate validation status
+ - name: ssl_ver_dst
+ type: keyword
+ description: Deprecated, use version
+ - name: cert_keysize
+ type: keyword
+ - name: cert_username
+ type: keyword
+ - name: https_insact
+ type: keyword
+ - name: https_valid
+ type: keyword
+ - name: cert_ca
+ type: keyword
+ description: This key is used to capture the Certificate signing authority only
+ - name: cert_common
+ type: keyword
+ description: This key is used to capture the Certificate common name only
+ - name: wireless
+ type: group
+ fields:
+ - name: wlan_ssid
+ type: 
keyword
+ description: This key is used to capture the ssid of a Wireless Session
+ - name: access_point
+ type: keyword
+ description: This key is used to capture the access point name.
+ - name: wlan_channel
+ type: long
+ description: This is used to capture the channel names
+ - name: wlan_name
+ type: keyword
+ description: This key captures either WLAN number/name
+ - name: storage
+ type: group
+ fields:
+ - name: disk_volume
+ type: keyword
+ description: A unique name assigned to logical units (volumes) within a physical
+ disk
+ - name: lun
+ type: keyword
+ description: Logical Unit Number.This key is a very useful concept in Storage.
+ - name: pwwn
+ type: keyword
+ description: This uniquely identifies a port on a HBA.
+ - name: physical
+ type: group
+ fields:
+ - name: org_dst
+ type: keyword
+ description: This is used to capture the destination organization based on the
+ GEOPIP Maxmind database.
+ - name: org_src
+ type: keyword
+ description: This is used to capture the source organization based on the GEOPIP
+ Maxmind database.
+ - name: healthcare
+ type: group
+ fields:
+ - name: patient_fname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ type: group
+ fields:
+ - name: host_state
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/packages/tomcat/0.1.0/dataset/log/manifest.yml b/packages/tomcat/0.1.0/dataset/log/manifest.yml
new file mode 100644
index 0000000000..1c272aa623
--- /dev/null
+++ b/packages/tomcat/0.1.0/dataset/log/manifest.yml
@@ -0,0 +1,155 @@
+title: Apache Tomcat logs
+release: experimental
+type: logs
+streams:
+- input: udp
+ title: Apache Tomcat logs
+ description: Collect Apache Tomcat logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - tomcat-log
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9501
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: tcp
+ title: Apache Tomcat logs
+ description: Collect Apache Tomcat logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - tomcat-log
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9501
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ 
type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: file
+ title: Apache Tomcat logs
+ description: Collect Apache Tomcat logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/tomcat-log.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - tomcat-log
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
diff --git a/packages/tomcat/0.1.0/docs/README.md b/packages/tomcat/0.1.0/docs/README.md
new file mode 100644
index 0000000000..45d551deec
--- /dev/null
+++ b/packages/tomcat/0.1.0/docs/README.md
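Review bot: The `file` input in this manifest declares no `template_path`, whereas the `udp` and `tcp` inputs name `udp.yml.hbs` and `tcp.yml.hbs`; if the packaging tooling falls back to a conventional template name this presumably still works, but the asymmetry is easy to misread, so declaring it explicitly (for example `template_path: stream.yml.hbs`, the name the Bluecoat stream template in this same commit uses) would make the three inputs consistent. The `tz_offset` title reads `Timezone offset (+HH:mm format)` while its default is `"local"`, so the title should also mention that value, e.g. `title: Timezone offset (+HH:mm format, or local)`. The `udp_host`/`tcp_host` defaults of `localhost` keep the listeners loopback-only, which is the right default; a one-line description on those vars noting that a wider bind address exposes the listener to the network would help operators decide deliberately.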
@@ -0,0 +1,780 @@
+# Tomcat integration
+
+This integration is for Tomcat device's logs. It includes the following
+datasets for receiving logs over syslog or read from a file:
+- `log` dataset: supports Apache Tomcat logs.
+
+### Log
+
+The `log` dataset collects Apache Tomcat logs.
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
+| dataset.name | Dataset name. | constant_keyword |
+| dataset.namespace | Dataset namespace. | constant_keyword |
+| dataset.type | Dataset type. | constant_keyword |
+| datastream.dataset | Datastream dataset. | constant_keyword |
+| datastream.namespace | Datastream namespace. | constant_keyword |
+| datastream.type | Datastream type. | constant_keyword |
+| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.bytes | Bytes sent from the destination to the source. | long |
+| destination.domain | Destination domain. | keyword |
+| destination.geo.city_name | City name. | keyword |
+| destination.geo.country_name | Country name. | keyword |
+| destination.geo.location.lat | | double |
+| destination.geo.location.lon | | double |
+| destination.ip | IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses. | ip |
+| destination.mac | MAC address of the destination. | keyword |
+| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
+| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
+| destination.port | Port of the destination. | long |
+| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
+| dns.answers.type | The type of data contained in this resource record. | keyword |
+| dns.question.type | The type of record being queried. | keyword |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
+| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword |
+| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
+| file.extension | File extension. | keyword |
+| file.name | Name of the file including the extension, without the directory. | keyword |
+| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
+| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
+| file.type | File type (file, dir, or symlink). | keyword |
+| geo.city_name | City name. 
| keyword |
+| geo.country_name | Country name. | keyword |
+| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| geo.region_name | Region name. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| http.request.method | HTTP request method. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
+| http.request.referrer | Referrer for this HTTP request. | keyword |
+| http.response.body.content | The full HTTP response body. | keyword |
+| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
+| log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. 
| keyword |
+| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
+| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
+| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text |
+| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
+| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
+| network.direction | Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. | keyword |
+| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
+| network.interface.name | | keyword |
+| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
+| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
+| observer.egress.interface.name | Interface name as reported by the system. | keyword |
+| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
+| observer.product | The product name of the observer. | keyword |
+| observer.version | Observer version. | keyword |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
+| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.pid | Process id. | long |
+| process.ppid | Parent process' pid. | long |
+| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. 
| keyword |
+| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long |
+| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword |
+| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long |
+| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword |
+| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long |
+| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword |
+| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword |
+| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword |
+| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword |
+| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword |
+| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword |
+| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword |
+| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long |
+| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword |
+| rsa.crypto.cert_checksum | | keyword |
+| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword |
+| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword |
+| rsa.crypto.cert_host_cat | This key is 
used for the hostname category value of a certificate | keyword |
+| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword |
+| rsa.crypto.cert_issuer | | keyword |
+| rsa.crypto.cert_keysize | | keyword |
+| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword |
+| rsa.crypto.cert_status | This key captures Certificate validation status | keyword |
+| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword |
+| rsa.crypto.cert_username | | keyword |
+| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword |
+| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long |
+| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long |
+| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword |
+| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword |
+| rsa.crypto.d_certauth | | keyword |
+| rsa.crypto.https_insact | | keyword |
+| rsa.crypto.https_valid | | keyword |
+| rsa.crypto.ike | IKE negotiation phase. 
| keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | +| rsa.file.directory_dst | This key is used to capture the directory of the target process or file | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | +| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.event_desc | | keyword | +| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | +| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | +| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.inode | Deprecated key defined only in table map. | long | +| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | +| rsa.internal.level | Deprecated key defined only in table map. | long | +| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | +| rsa.internal.message | This key captures the contents of instant messages | keyword | +| rsa.internal.messageid | | keyword | +| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | +| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.site | Deprecated key defined only in table map. | keyword | +| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.statement | Deprecated key defined only in table map. | keyword | +| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | +| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | +| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | +| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | +| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | +| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | +| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | +| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | +| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | +| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | +| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | +| rsa.investigations.event_cat | This key captures the Event category number | long | +| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | +| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | +| rsa.investigations.inv_category | This used to capture investigation category | keyword | +| rsa.investigations.inv_context | This used to capture investigation context | keyword | +| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | +| rsa.misc.OS | This key captures the Name of the Operating System | keyword | +| rsa.misc.acl_id | | keyword | +| rsa.misc.acl_op | | keyword | +| rsa.misc.acl_pos | | keyword | +| rsa.misc.acl_table | | keyword | +| rsa.misc.action | | keyword | +| rsa.misc.admin | | keyword | +| rsa.misc.agent_id | This key is used to capture agent id | keyword | +| rsa.misc.alarm_id | | keyword | +| rsa.misc.alarmname | | keyword | +| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.app_id | | keyword | +| rsa.misc.audit | | keyword | +| rsa.misc.audit_object | | keyword | +| rsa.misc.auditdata | | keyword | +| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | +| rsa.misc.benchmark | | keyword | +| rsa.misc.bypass | | keyword | +| rsa.misc.cache | | keyword | +| rsa.misc.cache_hit | | keyword | +| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | +| rsa.misc.cc_number | Valid Credit Card Numbers only | long | +| rsa.misc.cefversion | | keyword | +| rsa.misc.cfg_attr | | keyword | +| rsa.misc.cfg_obj | | keyword | +| rsa.misc.cfg_path | | keyword | +| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | +| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | +| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | +| rsa.misc.changes | | keyword | +| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | +| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | +| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | +| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | +| rsa.misc.client_ip | | keyword | +| rsa.misc.clustermembers | | keyword | +| rsa.misc.cmd | | keyword | +| rsa.misc.cn_acttimeout | | keyword | +| rsa.misc.cn_asn_src | | keyword | +| rsa.misc.cn_bgpv4nxthop | | keyword | +| rsa.misc.cn_ctr_dst_code | | keyword | +| rsa.misc.cn_dst_tos | | keyword | +| rsa.misc.cn_dst_vlan | | keyword | +| rsa.misc.cn_engine_id | | keyword | +| rsa.misc.cn_engine_type | | keyword | +| rsa.misc.cn_f_switch | | keyword | +| rsa.misc.cn_flowsampid | | keyword | +| rsa.misc.cn_flowsampintv | | keyword | +| rsa.misc.cn_flowsampmode | | keyword | +| rsa.misc.cn_inacttimeout | | keyword | +| rsa.misc.cn_inpermbyts | | keyword | +| rsa.misc.cn_inpermpckts | | keyword | +| rsa.misc.cn_invalid | | keyword | +| rsa.misc.cn_ip_proto_ver | | keyword | +| rsa.misc.cn_ipv4_ident | | keyword | +| rsa.misc.cn_l_switch | | keyword | +| rsa.misc.cn_log_did | | keyword | +| rsa.misc.cn_log_rid | | keyword | +| rsa.misc.cn_max_ttl | | keyword | +| rsa.misc.cn_maxpcktlen | | keyword | +| rsa.misc.cn_min_ttl | | keyword | +| rsa.misc.cn_minpcktlen | | keyword | +| rsa.misc.cn_mpls_lbl_1 | | keyword | +| rsa.misc.cn_mpls_lbl_10 | | keyword | +| rsa.misc.cn_mpls_lbl_2 | | keyword | +| rsa.misc.cn_mpls_lbl_3 | | keyword | +| rsa.misc.cn_mpls_lbl_4 | | keyword | +| rsa.misc.cn_mpls_lbl_5 | 
| keyword | +| rsa.misc.cn_mpls_lbl_6 | | keyword | +| rsa.misc.cn_mpls_lbl_7 | | keyword | +| rsa.misc.cn_mpls_lbl_8 | | keyword | +| rsa.misc.cn_mpls_lbl_9 | | keyword | +| rsa.misc.cn_mplstoplabel | | keyword | +| rsa.misc.cn_mplstoplabip | | keyword | +| rsa.misc.cn_mul_dst_byt | | keyword | +| rsa.misc.cn_mul_dst_pks | | keyword | +| rsa.misc.cn_muligmptype | | keyword | +| rsa.misc.cn_sampalgo | | keyword | +| rsa.misc.cn_sampint | | keyword | +| rsa.misc.cn_seqctr | | keyword | +| rsa.misc.cn_spackets | | keyword | +| rsa.misc.cn_src_tos | | keyword | +| rsa.misc.cn_src_vlan | | keyword | +| rsa.misc.cn_sysuptime | | keyword | +| rsa.misc.cn_template_id | | keyword | +| rsa.misc.cn_totbytsexp | | keyword | +| rsa.misc.cn_totflowexp | | keyword | +| rsa.misc.cn_totpcktsexp | | keyword | +| rsa.misc.cn_unixnanosecs | | keyword | +| rsa.misc.cn_v6flowlabel | | keyword | +| rsa.misc.cn_v6optheaders | | keyword | +| rsa.misc.code | | keyword | +| rsa.misc.command | | keyword | +| rsa.misc.comments | Comment information provided in the log message | keyword | +| rsa.misc.comp_class | | keyword | +| rsa.misc.comp_name | | keyword | +| rsa.misc.comp_rbytes | | keyword | +| rsa.misc.comp_sbytes | | keyword | +| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | +| rsa.misc.connection_id | This key captures the Connection ID | keyword | +| rsa.misc.content | This key captures the content type from protocol headers | keyword | +| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | +| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | +| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | +| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | +| rsa.misc.context_target | | keyword | +| rsa.misc.count | | keyword | +| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | +| rsa.misc.cpu_data | | keyword | +| rsa.misc.criticality | | keyword | +| rsa.misc.cs_agency_dst | | keyword | +| rsa.misc.cs_analyzedby | | keyword | +| rsa.misc.cs_av_other | | keyword | +| rsa.misc.cs_av_primary | | keyword | +| rsa.misc.cs_av_secondary | | keyword | +| rsa.misc.cs_bgpv6nxthop | | keyword | +| rsa.misc.cs_bit9status | | keyword | +| rsa.misc.cs_context | | keyword | +| rsa.misc.cs_control | | keyword | +| rsa.misc.cs_data | | keyword | +| rsa.misc.cs_datecret | | keyword | +| rsa.misc.cs_dst_tld | | keyword | +| rsa.misc.cs_eth_dst_ven | | keyword | +| rsa.misc.cs_eth_src_ven | | keyword | +| rsa.misc.cs_event_uuid | | keyword | +| rsa.misc.cs_filetype | | keyword | +| rsa.misc.cs_fld | | keyword | +| rsa.misc.cs_if_desc | | keyword | +| rsa.misc.cs_if_name | | keyword | +| rsa.misc.cs_ip_next_hop | | keyword | +| rsa.misc.cs_ipv4dstpre | | keyword | +| rsa.misc.cs_ipv4srcpre | | keyword | +| rsa.misc.cs_lifetime | | keyword | +| rsa.misc.cs_log_medium | | keyword | +| rsa.misc.cs_loginname | | keyword | +| rsa.misc.cs_modulescore | | keyword | +| rsa.misc.cs_modulesign | | keyword | +| rsa.misc.cs_opswatresult | | keyword | +| rsa.misc.cs_payload | | keyword | +| rsa.misc.cs_registrant | | keyword | +| rsa.misc.cs_registrar | | keyword | +| rsa.misc.cs_represult | | keyword | +| rsa.misc.cs_rpayload | | keyword | +| rsa.misc.cs_sampler_name | | keyword | +| rsa.misc.cs_sourcemodule | | keyword | +| rsa.misc.cs_streams | | keyword | +| rsa.misc.cs_targetmodule | | keyword | +| rsa.misc.cs_v6nxthop | | keyword | +| rsa.misc.cs_whois_server | | keyword | +| rsa.misc.cs_yararesult | | keyword | +| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | +| rsa.misc.data_type | | keyword | +| rsa.misc.description | | keyword | +| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | +| rsa.misc.devvendor | | keyword | +| rsa.misc.disposition | This key captures the The end state of an action. | keyword | +| rsa.misc.distance | | keyword | +| rsa.misc.doc_number | This key captures File Identification number | long | +| rsa.misc.dstburb | | keyword | +| rsa.misc.edomain | | keyword | +| rsa.misc.edomaub | | keyword | +| rsa.misc.ein_number | Employee Identification Numbers only | long | +| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | +| rsa.misc.euid | | keyword | +| rsa.misc.event_category | | keyword | +| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | +| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | +| rsa.misc.event_id | | keyword | +| rsa.misc.event_log | This key captures the Name of the event log | keyword | +| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | +| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | +| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | +| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | +| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | +| rsa.misc.facility | | keyword | +| rsa.misc.facilityname | | keyword | +| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | +| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | +| rsa.misc.finterface | | keyword | +| rsa.misc.flags | | keyword | +| rsa.misc.forensic_info | | keyword | +| rsa.misc.found | This is used to capture the results of regex match | keyword | +| rsa.misc.fresult | This key captures the Filter Result | long | +| rsa.misc.gaddr | | keyword | +| rsa.misc.group | This key captures the Group Name value | keyword | +| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | +| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | +| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | +| rsa.misc.id3 | | keyword | +| rsa.misc.im_buddyid | | keyword | +| rsa.misc.im_buddyname | | keyword | +| rsa.misc.im_client | | keyword | +| rsa.misc.im_croomid | | keyword | +| rsa.misc.im_croomtype | | keyword | +| rsa.misc.im_members | | keyword | +| rsa.misc.im_userid | | keyword | +| rsa.misc.im_username | | keyword | +| rsa.misc.index | | keyword | +| rsa.misc.inout | | keyword | +| rsa.misc.ipkt | | keyword | +| rsa.misc.ipscat | | keyword | +| rsa.misc.ipspri | | keyword | +| rsa.misc.job_num | This key captures the Job Number | keyword | +| rsa.misc.jobname | | keyword | +| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | +| rsa.misc.latitude | | keyword | +| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | +| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | +| rsa.misc.linenum | | keyword | +| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.misc.list_name | | keyword | +| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | +| rsa.misc.load_data | | keyword | +| rsa.misc.location_floor | | keyword | +| rsa.misc.location_mark | | keyword | +| rsa.misc.log_id | | keyword | +| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | +| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | +| rsa.misc.log_type | | keyword | +| rsa.misc.logid | | keyword | +| rsa.misc.logip | | keyword | +| rsa.misc.logname | | keyword | +| rsa.misc.longitude | | keyword | +| rsa.misc.lport | | keyword | +| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | +| rsa.misc.match | This key is for regex match name from search.ini | keyword | +| rsa.misc.mbug_data | | keyword | +| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | +| rsa.misc.misc | | keyword | +| rsa.misc.misc_name | | keyword | +| rsa.misc.mode | | keyword | +| rsa.misc.msgIdPart1 | | keyword | +| rsa.misc.msgIdPart2 | | keyword | +| rsa.misc.msgIdPart3 | | keyword | +| rsa.misc.msgIdPart4 | | keyword | +| rsa.misc.msg_type | | keyword | +| rsa.misc.msgid | | keyword | +| rsa.misc.name | | keyword | +| rsa.misc.netsessid | | keyword | +| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long 
| +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target **VMWARE** only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | +| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | +| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | +| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | +| rsa.threat.alert | This key is used to capture name of the alert | keyword | +| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | +| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | +| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | +| rsa.time.date | | keyword | +| rsa.time.datetime | | keyword | +| rsa.time.day | | keyword | +| rsa.time.duration_str | A text string version of the duration | keyword | +| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | +| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | +| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | +| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | +| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | +| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | +| rsa.time.eventtime | | keyword | +| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | +| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | +| rsa.time.gmtdate | | keyword | +| rsa.time.gmttime | | keyword | +| rsa.time.hour | | keyword | +| rsa.time.min | | keyword | +| rsa.time.month | | keyword | +| rsa.time.p_date | | keyword | +| rsa.time.p_month | | keyword | +| rsa.time.p_time | | keyword | +| rsa.time.p_time1 | | keyword | +| rsa.time.p_time2 | | keyword | +| rsa.time.p_year | | keyword | +| rsa.time.process_time | Deprecated, use duration.time | keyword | +| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | +| rsa.time.stamp | Deprecated key defined only in table map. | date | +| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | +| rsa.time.timestamp | | keyword | +| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | +| rsa.time.tzone | | keyword | +| rsa.time.year | | keyword | +| rsa.web.alias_host | | keyword | +| rsa.web.cn_asn_dst | | keyword | +| rsa.web.cn_rpackets | | keyword | +| rsa.web.fqdn | Fully Qualified Domain Names | keyword | +| rsa.web.p_url | | keyword | +| rsa.web.p_user_agent | | keyword | +| rsa.web.p_web_cookie | | keyword | +| rsa.web.p_web_method | | keyword | +| rsa.web.p_web_referer | | keyword | +| rsa.web.remote_domain | | keyword | +| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | +| rsa.web.urlpage | | keyword | +| rsa.web.urlroot | | keyword | +| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | Server domain. | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | Source domain. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location.lat | | double | +| source.geo.location.lon | | double | +| source.ip | IP address of the source. Can be one or multiple IPv4 or IPv6 addresses. 
| ip | +| source.mac | MAC address of the source. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword | +| url.path | Path of the request, such as "/search". | keyword | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.id | Unique identifiers of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | diff --git a/packages/tomcat/0.1.0/img/logo.svg b/packages/tomcat/0.1.0/img/logo.svg new file mode 100644 index 0000000000..410a468872 --- /dev/null +++ b/packages/tomcat/0.1.0/img/logo.svg @@ -0,0 +1,107 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/packages/tomcat/0.1.0/manifest.yml b/packages/tomcat/0.1.0/manifest.yml new file mode 100644 index 0000000000..f4e00fae4a --- /dev/null +++ b/packages/tomcat/0.1.0/manifest.yml 
@@ -0,0 +1,36 @@
+format_version: 1.0.0
+name: tomcat
+title: Apache Tomcat
+version: 0.1.0
+description: Apache Tomcat Integration
+categories: ["web","security"]
+release: experimental
+removable: true
+license: basic
+type: integration
+conditions:
+ kibana:
+ version: '>=7.9.0'
+ elasticsearch:
+ version: '>=7.9.0'
+config_templates:
+- name: log
+ title: Apache Tomcat
+ description: Collect Apache Tomcat logs from syslog or a file.
+ inputs:
+ - type: udp
+ title: Collect logs from Apache Tomcat via UDP
+ description: Collecting syslog from Apache Tomcat via UDP
+ - type: tcp
+ title: Collect logs from Apache Tomcat via TCP
+ description: Collecting syslog from Apache Tomcat via TCP
+ - type: file
+ title: Collect logs from Apache Tomcat via file
+ description: Collecting syslog from Apache Tomcat via file.
+# No icon
+icons:
+ - src: /img/logo.svg
+ title: Apache Tomcat logo
+ size: 32x32
+ type: image/svg+xml
+
diff --git a/packages/zscaler/0.1.0/dataset/zia/agent/stream/stream.yml.hbs b/packages/zscaler/0.1.0/dataset/zia/agent/stream/stream.yml.hbs
new file mode 100644
index 0000000000..24e1d85640
--- /dev/null
+++ b/packages/zscaler/0.1.0/dataset/zia/agent/stream/stream.yml.hbs
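Review bot: The `# No icon` comment sits directly above the `icons:` block that registers `/img/logo.svg`, so it contradicts the block it annotates and will read as if the icon were missing; the SVG is added in this same commit, so the comment is simply stale. Either delete the line or replace it with one that describes the block, e.g. `# Package icon`. The three input descriptions are also punctuated inconsistently: only `description: Collecting syslog from Apache Tomcat via file.` ends with a period, so either drop it there or add one to the UDP and TCP entries.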
@@ -0,0 +1,2440 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Zscaler" + product: "Internet" + type: "Configuration" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]},
+ "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
+ "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
+ "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
+ "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
+ "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
+ "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
+ "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
+ "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
+ "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
+ "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
+ "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
+ "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
+ "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
+ "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
+ "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
+ "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
+ "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
+ "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
+ "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
+ "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
+ "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]},
+ "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
+ "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
+ "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
+
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
+ "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
+ "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
+ "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
+ "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
+ "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
+ "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
+ "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
+ "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
+ "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
+ "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
+ "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
+ "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
+ "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
+ "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
+ "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
+ "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
+ "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
+ "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
+ "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
+ "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
+ "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
+ "second": {to:[{field: "rsa.misc.second", setter: fld_set}]},
+ "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
+ "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
+ "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
+ "serial_number": {to:[{field: "rsa.misc.serial_number", setter:
fld_set}]},
+ "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
+ "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
+ "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
+ "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
+ "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
+ "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
+ "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
+ "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
+ "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
+ "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
+ "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
+ "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
+ "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
+ "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
+ "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
+ "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
+ "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
+ "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
+ "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
+ "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
+ "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
+ "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]},
+ "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
+ "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
+ "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
+ "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
+ "src_dn": {to:[{field: "rsa.identity.dn_src", setter:
fld_set}]},
+ "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
+ "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
+ "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
+ "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
+ "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
+ "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
+ "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
+ "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
+ "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
+ "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
+ "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
+ "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
+ "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
+ "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
+ "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
+ "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
+ "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
+ "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
+ "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
+ "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
+ "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
+ "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
+ "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
+ "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]},
+ "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
+ "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
+ "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
+ "threat_name": {to:[{field: "rsa.threat.threat_category", setter:
fld_set}]},
+ "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
+ "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
+ "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
+ "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
+ "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
+ "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
+ "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
+ "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
+ "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
+ "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
+ "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
+ "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
+ "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
+ "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
+ "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
+ "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
+ "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
+ "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
+ "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
+ "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
+ "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
+ "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
+ "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]},
+ "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
+ "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
+ "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
+ "user_mname": {to:[{field:
"rsa.identity.middlename", setter: fld_set}]},
+ "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]},
+ "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]},
+ "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]},
+ "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]},
+ "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]},
+ "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]},
+ "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]},
+ "version": {to:[{field: "rsa.misc.version", setter: fld_set}]},
+ "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]},
+ "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]},
+ "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]},
+ "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]},
+ "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]},
+ "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]},
+ "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]},
+ "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]},
+ "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]},
+ "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]},
+ "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]},
+ "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]},
+ "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]},
+ "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]},
+ "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]},
+ "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]},
+ "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]},
+
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
+ "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
+ "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
+ "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
+ "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
+ "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
+ };
+
+ function to_date(value) {
+ switch (typeof (value)) {
+ case "object":
+ // This is a Date. But as it was obtained from evt.Get(), the VM
+ // doesn't see it as a JS Date anymore, thus value instanceof Date === false.
+ // Have to trust that any object here is a valid Date for Go.
+ return value;
+ case "string":
+ var asDate = new Date(value);
+ if (!isNaN(asDate)) return asDate;
+ }
+ }
+
+ // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
+ var maxSafeInt = Math.pow(2, 53) - 1;
+ var minSafeInt = -maxSafeInt;
+
+ function to_long(value) {
+ var num = parseInt(value);
+ // Better not to index a number if it's not safe (above 53 bits).
+ return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ?
num : undefined;
+ }
+
+ function to_ip(value) {
+ if (value.indexOf(":") === -1)
+ return to_ipv4(value);
+ return to_ipv6(value);
+ }
+
+ var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
+ var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
+
+ function to_ipv4(value) {
+ var result = ipv4_regex.exec(value);
+ if (result == null || result.length !== 5) return;
+ for (var i = 1; i < 5; i++) {
+ var num = strictToInt(result[i]);
+ if (isNaN(num) || num < 0 || num > 255) return;
+ }
+ return value;
+ }
+
+ function to_ipv6(value) {
+ var sqEnd = value.indexOf("]");
+ if (sqEnd > -1) {
+ if (value.charAt(0) !== "[") return;
+ value = value.substr(1, sqEnd - 1);
+ }
+ var zoneOffset = value.indexOf("%");
+ if (zoneOffset > -1) {
+ value = value.substr(0, zoneOffset);
+ }
+ var parts = value.split(":");
+ if (parts == null || parts.length < 3 || parts.length > 8) return;
+ var numEmpty = 0;
+ var innerEmpty = 0;
+ for (var i = 0; i < parts.length; i++) {
+ if (parts[i].length === 0) {
+ numEmpty++;
+ if (i > 0 && i + 1 < parts.length) innerEmpty++;
+ } else if (!parts[i].match(ipv6_hex_regex) &&
+ // Accept an IPv6 with a valid IPv4 at the end.
+ ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
+ return;
+ }
+ }
+ return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
+ }
+
+ function to_double(value) {
+ return parseFloat(value);
+ }
+
+ function to_mac(value) {
+ // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
+ return value;
+ }
+
+ function to_lowercase(value) {
+ // to_lowercase is used against keyword fields, which can accept
+ // any other type (numbers, dates).
+ return typeof(value) === "string"?
value.toLowerCase() : value;
+ }
+
+ function fld_set(dst, value) {
+ dst[this.field] = { v: value };
+ }
+
+ function fld_append(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: [value] };
+ } else {
+ var base = dst[this.field];
+ if (base.v.indexOf(value)===-1) base.v.push(value);
+ }
+ }
+
+ function fld_prio(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value, prio: this.prio};
+ } else if(this.prio < dst[this.field].prio) {
+ dst[this.field].v = value;
+ dst[this.field].prio = this.prio;
+ }
+ }
+
+ var valid_ecs_outcome = {
+ 'failure': true,
+ 'success': true,
+ 'unknown': true
+ };
+
+ function fld_ecs_outcome(dst, value) {
+ value = value.toLowerCase();
+ if (valid_ecs_outcome[value] === undefined) {
+ value = 'unknown';
+ }
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value };
+ } else if (dst[this.field].v === 'unknown') {
+ dst[this.field] = { v: value };
+ }
+ }
+
+ function map_all(evt, targets, value) {
+ for (var i = 0; i < targets.length; i++) {
+ evt.Put(targets[i], value);
+ }
+ }
+
+ function populate_fields(evt) {
+ var base = evt.Get(FIELDS_OBJECT);
+ if (base === null) return;
+ alternate_datetime(evt);
+ if (map_ecs) {
+ do_populate(evt, base, ecs_mappings);
+ }
+ if (map_rsa) {
+ do_populate(evt, base, rsa_mappings);
+ }
+ if (keep_raw) {
+ evt.Put("rsa.raw", base);
+ }
+ evt.Delete(FIELDS_OBJECT);
+ }
+
+ var datetime_alt_components = [
+ {field: "day", fmts: [[dF]]},
+ {field: "year", fmts: [[dW]]},
+ {field: "month", fmts: [[dB],[dG]]},
+ {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
+ {field: "hour", fmts: [[dN]]},
+ {field: "min", fmts: [[dU]]},
+ {field: "secs", fmts: [[dO]]},
+ {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
+ ];
+
+ function alternate_datetime(evt) {
+ if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
+ return;
+ }
+ var tzOffset = tz_offset;
+ if (tzOffset === "event") {
+
tzOffset = evt.Get("event.timezone");
+ }
+ var container = new DateContainer(tzOffset);
+ for (var i=0; i} ZSCALERNSS: time=%{hfld2->} %{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hyear}^^timezone=%{timezone}^^%{payload}", processor_chain([
+ setc("header_id","0001"),
+ setc("messageid","ZSCALERNSS_1"),
+ ]));
+
+ var select1 = linear_select([
+ hdr1,
+ ]);
+
+ var part1 = match("MESSAGE#0:ZSCALERNSS_1", "nwparser.payload", "action=%{action}^^reason=%{result}^^hostname=%{hostname}^^protocol=%{protocol}^^serverip=%{daddr}^^url=%{url}^^urlcategory=%{filter}^^urlclass=%{info}^^dlpdictionaries=%{fld3}^^dlpengine=%{fld4}^^filetype=%{filetype}^^threatcategory=%{category}^^threatclass=%{vendor_event_cat}^^pagerisk=%{fld8}^^threatname=%{threat_name}^^clientpublicIP=%{fld9}^^ClientIP=%{saddr}^^location=%{fld11}^^refererURL=%{web_referer}^^useragent=%{user_agent}^^department=%{user_dept}^^user=%{username}^^event_id=%{id}^^clienttranstime=%{fld17}^^requestmethod=%{web_method}^^requestsize=%{sbytes}^^requestversion=%{fld20}^^status=%{resultcode}^^responsesize=%{rbytes}^^responseversion=%{fld23}^^transactionsize=%{bytes}", processor_chain([
+ setc("eventcategory","1605000000"),
+ setf("fqdn","hostname"),
+ setf("msg","$MSG"),
+ date_time({
+ dest: "event_time",
+ args: ["hmonth","hday","hyear","hhour","hmin","hsec"],
+ fmts: [
+ [dB,dF,dW,dN,dU,dO],
+ ],
+ }),
+ lookup({
+ dest: "nwparser.ec_activity",
+ map: map_getEventCategoryActivity,
+ key: field("action"),
+ }),
+ setc("ec_theme","Communication"),
+ setc("ec_subject","User"),
+ ]));
+
+ var msg1 = msg("ZSCALERNSS_1", part1);
+
+ var chain1 = processor_chain([
+ select1,
+ msgid_select({
+ "ZSCALERNSS_1": msg1,
+ }),
+ ]);
+
+- community_id:
+- add_locale: ~
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/packages/zscaler/0.1.0/dataset/zia/agent/stream/tcp.yml.hbs b/packages/zscaler/0.1.0/dataset/zia/agent/stream/tcp.yml.hbs new file mode 100644
index 0000000000..8b47055f79
--- /dev/null
+++ b/packages/zscaler/0.1.0/dataset/zia/agent/stream/tcp.yml.hbs 
@@ -0,0 +1,2437 @@
+tcp:
+host: "{{tcp_host}}:{{tcp_port}}"
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Zscaler"
+ product: "Internet"
+ type: "Configuration"
+publisher_pipeline.disable_host: true
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{rsa_fields}}
+ tz_offset: {{tz_offset}}
+ keep_raw: {{keep_raw_fields}}
+ debug: {{debug}}
+ source: |
+ // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ // or more contributor license agreements. Licensed under the Elastic License;
+ // you may not use this file except in compliance with the Elastic License.
+
+ /* jshint -W014,-W016,-W097,-W116 */
+
+ var processor = require("processor");
+ var console = require("console");
+
+ var FLAG_FIELD = "log.flags";
+ var FIELDS_OBJECT = "nwparser";
+ var FIELDS_PREFIX = FIELDS_OBJECT + ".";
+
+ var defaults = {
+ debug: false,
+ ecs: true,
+ rsa: false,
+ keep_raw: false,
+ tz_offset: "local",
+ strip_priority: true
+ };
+
+ var saved_flags = null;
+ var debug;
+ var map_ecs;
+ var map_rsa;
+ var keep_raw;
+ var device;
+ var tz_offset;
+ var strip_priority;
+
+ // Register params from configuration.
+ function register(params) {
+ debug = params.debug !== undefined ? params.debug : defaults.debug;
+ map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
+ map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
+ keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
+ tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
+ strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority;
+ device = new DeviceProcessor();
+ }
+
+ function parse_tz_offset(offset) {
+ var date;
+ var m;
+ switch(offset) {
+ // local uses the tz offset from the JS VM.
+ case "local":
+ date = new Date();
+ // Reversing the sign as we the offset from UTC, not to UTC.
+ return parse_local_tz_offset(-date.getTimezoneOffset());
+ // event uses the tz offset from event.timezone (add_locale processor).
+ case "event":
+ return offset;
+ // Otherwise a tz offset in the form "[+-][0-9]{4}" is required.
+ default:
+ m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/);
+ if (m === null || m.length !== 4) {
+ throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM");
+ }
+ return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00");
+ }
+ }
+
+ function parse_local_tz_offset(minutes) {
+ var neg = minutes < 0;
+ minutes = Math.abs(minutes);
+ var min = minutes % 60;
+ var hours = Math.floor(minutes / 60);
+ var pad2digit = function(n) {
+ if (n < 10) { return "0" + n;}
+ return "" + n;
+ };
+ return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min);
+ }
+
+ function process(evt) {
+ // Function register is only called by the processor when `params` are set
+ // in the processor config.
+ if (device === undefined) {
+ register(defaults);
+ }
+ return device.process(evt);
+ }
+
+ function processor_chain(subprocessors) {
+ var builder = new processor.Chain();
+ subprocessors.forEach(builder.Add);
+ return builder.Build().Run;
+ }
+
+ function linear_select(subprocessors) {
+ return function (evt) {
+ var flags = evt.Get(FLAG_FIELD);
+ var i;
+ for (i = 0; i < subprocessors.length; i++) {
+ evt.Delete(FLAG_FIELD);
+ if (debug) console.warn("linear_select trying entry " + i);
+ subprocessors[i](evt);
+ // Dissect processor succeeded?
+ if (evt.Get(FLAG_FIELD) == null) break;
+ if (debug) console.warn("linear_select failed entry " + i);
+ }
+ if (flags !== null) {
+ evt.Put(FLAG_FIELD, flags);
+ }
+ if (debug) {
+ if (i < subprocessors.length) {
+ console.warn("linear_select matched entry " + i);
+ } else {
+ console.warn("linear_select didn't match");
+ }
+ }
+ };
+ }
+
+ function conditional(opt) {
+ return function(evt) {
+ if (opt.if(evt)) {
+ opt.then(evt);
+ } else if (opt.else) {
+ opt.else(evt);
+ }
+ };
+ }
+
+ var strip_syslog_priority = (function() {
+ var isEnabled = function() { return strip_priority === true; };
+ var fetchPRI = field("_pri");
+ var fetchPayload = field("payload");
+ var removePayload = remove(["payload"]);
+ var cleanup = remove(["_pri", "payload"]);
+ var onMatch = function(evt) {
+ var pri, priStr = fetchPRI(evt);
+ if (priStr != null
+ && 0 < priStr.length && priStr.length < 4
+ && !isNaN((pri = Number(priStr)))
+ && 0 <= pri && pri < 192) {
+ var severity = pri & 7,
+ facility = pri >> 3;
+ setc("_severity", "" + severity)(evt);
+ setc("_facility", "" + facility)(evt);
+ // Replace message with priority stripped.
+ evt.Put("message", fetchPayload(evt));
+ removePayload(evt);
+ } else {
+ // not a valid syslog PRI, cleanup.
+ cleanup(evt);
+ }
+ };
+ return conditional({
+ if: isEnabled,
+ then: cleanup_flags(match(
+ "STRIP_PRI",
+ "message",
+ "<%{_pri}>%{payload}",
+ onMatch
+ ))
+ });
+ })();
+
+ function match(id, src, pattern, on_success) {
+ var dissect = new processor.Dissect({
+ field: src,
+ tokenizer: pattern,
+ target_prefix: FIELDS_OBJECT,
+ ignore_failure: true,
+ overwrite_keys: true,
+ trim_values: "right"
+ });
+ return function (evt) {
+ var msg = evt.Get(src);
+ dissect.Run(evt);
+ var failed = evt.Get(FLAG_FIELD) != null;
+ if (debug) {
+ if (failed) {
+ console.debug("dissect fail: " + id + " field:" + src);
+ } else {
+ console.debug("dissect OK: " + id + " field:" + src);
+ }
+ console.debug(" expr: <<" + pattern + ">>");
+ console.debug(" input: <<" + msg + ">>");
+ }
+ if (on_success != null && !failed) {
+ on_success(evt);
+ }
+ };
+ }
+
+ function cleanup_flags(processor) {
+ return function(evt) {
+ processor(evt);
+ evt.Delete(FLAG_FIELD);
+ };
+ }
+
+ function all_match(opts) {
+ return function (evt) {
+ var i;
+ for (i = 0; i < opts.processors.length; i++) {
+ evt.Delete(FLAG_FIELD);
+ opts.processors[i](evt);
+ // Dissect processor succeeded?
+ if (evt.Get(FLAG_FIELD) != null) {
+ if (debug) console.warn("all_match failure at " + i);
+ if (opts.on_failure != null) opts.on_failure(evt);
+ return;
+ }
+ if (debug) console.warn("all_match success at " + i);
+ }
+ if (opts.on_success != null) opts.on_success(evt);
+ };
+ }
+
+ function msgid_select(mapping) {
+ return function (evt) {
+ var msgid = evt.Get(FIELDS_PREFIX + "messageid");
+ if (msgid == null) {
+ if (debug) console.warn("msgid_select: no messageid captured!");
+ return;
+ }
+ var next = mapping[msgid];
+ if (next === undefined) {
+ if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid);
+ return;
+ }
+ if (debug) console.info("msgid_select: matched key=" + msgid);
+ return next(evt);
+ };
+ }
+
+ function msg(msg_id, match) {
+ return function (evt) {
+ match(evt);
+ if (evt.Get(FLAG_FIELD) == null) {
+ evt.Put(FIELDS_PREFIX + "msg_id1", msg_id);
+ }
+ };
+ }
+
+ var start;
+
+ function save_flags(evt) {
+ saved_flags = evt.Get(FLAG_FIELD);
+ evt.Put("event.original", evt.Get("message"));
+ }
+
+ function restore_flags(evt) {
+ if (saved_flags !== null) {
+ evt.Put(FLAG_FIELD, saved_flags);
+ }
+ evt.Delete("message");
+ }
+
+ function constant(value) {
+ return function (evt) {
+ return value;
+ };
+ }
+
+ function field(name) {
+ var fullname = FIELDS_PREFIX + name;
+ return function (evt) {
+ return evt.Get(fullname);
+ };
+ }
+
+ function STRCAT(args) {
+ var s = "";
+ var i;
+ for (i = 0; i < args.length; i++) {
+ s += args[i];
+ }
+ return s;
+ }
+
+ // TODO: Implement
+ function DIRCHK(args) {
+ unimplemented("DIRCHK");
+ }
+
+ function strictToInt(str) {
+ return str * 1;
+ }
+
+ function CALC(args) {
+ if (args.length !== 3) {
+ console.warn("skipped call to CALC with " + args.length + " arguments.");
+ return;
+ }
+ var a = strictToInt(args[0]);
+ var b = strictToInt(args[2]);
+ if (isNaN(a) || isNaN(b)) {
+ console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'.");
+ return;
+ }
+
var result;
+ switch (args[1]) {
+ case "+":
+ result = a + b;
+ break;
+ case "-":
+ result = a - b;
+ break;
+ case "*":
+ result = a * b;
+ break;
+ default:
+ // Only * and + seen in the parsers.
+ console.warn("unknown CALC operation '" + args[1] + "'.");
+ return;
+ }
+ // Always return a string
+ return result !== undefined ? "" + result : result;
+ }
+
+ var quoteChars = "\"'`";
+ function RMQ(args) {
+ if(args.length !== 1) {
+ console.warn("RMQ: only one argument expected");
+ return;
+ }
+ var value = args[0].trim();
+ var n = value.length;
+ var char;
+ return n > 1
+ && (char=value.charAt(0)) === value.charAt(n-1)
+ && quoteChars.indexOf(char) !== -1?
+ value.substr(1, n-2)
+ : value;
+ }
+
+ function call(opts) {
+ var args = new Array(opts.args.length);
+ return function (evt) {
+ for (var i = 0; i < opts.args.length; i++)
+ if ((args[i] = opts.args[i](evt)) == null) return;
+ var result = opts.fn(args);
+ if (result != null) {
+ evt.Put(opts.dest, result);
+ }
+ };
+ }
+
+ function nop(evt) {
+ }
+
+ function appendErrorMsg(evt, msg) {
+ var value = evt.Get("error.message");
+ if (value == null) {
+ value = [msg];
+ } else if (msg instanceof Array) {
+ value.push(msg);
+ } else {
+ value = [value, msg];
+ }
+ evt.Put("error.message", value);
+ }
+
+ function unimplemented(name) {
+ appendErrorMsg("unimplemented feature: " + name);
+ }
+
+ function lookup(opts) {
+ return function (evt) {
+ var key = opts.key(evt);
+ if (key == null) return;
+ var value = opts.map.keyvaluepairs[key];
+ if (value === undefined) {
+ value = opts.map.default;
+ }
+ if (value !== undefined) {
+ evt.Put(opts.dest, value(evt));
+ }
+ };
+ }
+
+ function set(fields) {
+ return new processor.AddFields({
+ target: FIELDS_OBJECT,
+ fields: fields,
+ });
+ }
+
+ function setf(dst, src) {
+ return function (evt) {
+ var val = evt.Get(FIELDS_PREFIX + src);
+ if (val != null) evt.Put(FIELDS_PREFIX + dst, val);
+ };
+ }
+
+ function setc(dst, value) {
+ return function (evt) {
+
evt.Put(FIELDS_PREFIX + dst, value);
+ };
+ }
+
+ function set_field(opts) {
+ return function (evt) {
+ var val = opts.value(evt);
+ if (val != null) evt.Put(opts.dest, val);
+ };
+ }
+
+ function dump(label) {
+ return function (evt) {
+ console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t"));
+ };
+ }
+
+ function date_time_join_args(evt, arglist) {
+ var str = "";
+ for (var i = 0; i < arglist.length; i++) {
+ var fname = FIELDS_PREFIX + arglist[i];
+ var val = evt.Get(fname);
+ if (val != null) {
+ if (str !== "") str += " ";
+ str += val;
+ } else {
+ if (debug) console.warn("in date_time: input arg " + fname + " is not set");
+ }
+ }
+ return str;
+ }
+
+ function to2Digit(num) {
+ return num? (num < 10? "0" + num : num) : "00";
+ }
+
+ // Make two-digit dates 00-69 interpreted as 2000-2069
+ // and dates 70-99 translated to 1970-1999.
+ var twoDigitYearEpoch = 70;
+ var twoDigitYearCentury = 2000;
+
+ // This is to accept dates up to 2 days in the future, only used when
+ // no year is specified in a date. 2 days should be enough to account for
+ // time differences between systems and different tz offsets.
+ var maxFutureDelta = 2*24*60*60*1000;
+
+ // DateContainer stores date fields and then converts those fields into
+ // a Date. Necessary because building a Date using its set() methods gives
+ // different results depending on the order of components.
+ function DateContainer(tzOffset) {
+ this.offset = tzOffset === undefined? "Z" : tzOffset;
+ }
+
+ DateContainer.prototype = {
+ setYear: function(v) {this.year = v;},
+ setMonth: function(v) {this.month = v;},
+ setDay: function(v) {this.day = v;},
+ setHours: function(v) {this.hours = v;},
+ setMinutes: function(v) {this.minutes = v;},
+ setSeconds: function(v) {this.seconds = v;},
+
+ setUNIX: function(v) {this.unix = v;},
+
+ set2DigitYear: function(v) {
+ this.year = v < twoDigitYearEpoch?
twoDigitYearCentury + v : twoDigitYearCentury + v - 100;
+ },
+
+ toDate: function() {
+ if (this.unix !== undefined) {
+ return new Date(this.unix * 1000);
+ }
+ if (this.day === undefined || this.month === undefined) {
+ // Can't make a date from this.
+ return undefined;
+ }
+ if (this.year === undefined) {
+ // A date without a year. Set current year, or previous year
+ // if date would be in the future.
+ var now = new Date();
+ this.year = now.getFullYear();
+ var date = this.toDate();
+ if (date.getTime() - now.getTime() > maxFutureDelta) {
+ date.setFullYear(now.getFullYear() - 1);
+ }
+ return date;
+ }
+ var MM = to2Digit(this.month);
+ var DD = to2Digit(this.day);
+ var hh = to2Digit(this.hours);
+ var mm = to2Digit(this.minutes);
+ var ss = to2Digit(this.seconds);
+ return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset);
+ }
+ }
+
+ function date_time_try_pattern(fmt, str, tzOffset) {
+ var date = new DateContainer(tzOffset);
+ var pos = date_time_try_pattern_at_pos(fmt, str, 0, date);
+ return pos !== undefined?
date.toDate() : undefined;
+ }
+
+ function date_time_try_pattern_at_pos(fmt, str, pos, date) {
+ var len = str.length;
+ for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) {
+ pos = fmt[proc](str, pos, date);
+ }
+ return pos;
+ }
+
+ function date_time(opts) {
+ return function (evt) {
+ var tzOffset = opts.tz || tz_offset;
+ if (tzOffset === "event") {
+ tzOffset = evt.Get("event.timezone");
+ }
+ var str = date_time_join_args(evt, opts.args);
+ for (var i = 0; i < opts.fmts.length; i++) {
+ var date = date_time_try_pattern(opts.fmts[i], str, tzOffset);
+ if (date !== undefined) {
+ evt.Put(FIELDS_PREFIX + opts.dest, date);
+ return;
+ }
+ }
+ if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str);
+ };
+ }
+
+ var uA = 60 * 60 * 24;
+ var uD = 60 * 60 * 24;
+ var uF = 60 * 60;
+ var uG = 60 * 60 * 24 * 30;
+ var uH = 60 * 60;
+ var uI = 60 * 60;
+ var uJ = 60 * 60 * 24;
+ var uM = 60 * 60 * 24 * 30;
+ var uN = 60 * 60;
+ var uO = 1;
+ var uS = 1;
+ var uT = 60;
+ var uU = 60;
+ var uc = dc;
+
+ function duration(opts) {
+ return function(evt) {
+ var str = date_time_join_args(evt, opts.args);
+ for (var i = 0; i < opts.fmts.length; i++) {
+ var seconds = duration_try_pattern(opts.fmts[i], str);
+ if (seconds !== undefined) {
+ evt.Put(FIELDS_PREFIX + opts.dest, seconds);
+ return;
+ }
+ }
+ if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str);
+ };
+ }
+
+ function duration_try_pattern(fmt, str) {
+ var secs = 0;
+ var pos = 0;
+ for (var i=0; i [ month_id , how many chars to skip if month in long form ]
+ "Jan": [0, 4],
+ "Feb": [1, 5],
+ "Mar": [2, 2],
+ "Apr": [3, 2],
+ "May": [4, 0],
+ "Jun": [5, 1],
+ "Jul": [6, 1],
+ "Aug": [7, 3],
+ "Sep": [8, 6],
+ "Oct": [9, 4],
+ "Nov": [10, 5],
+ "Dec": [11, 4],
+ "jan": [0, 4],
+ "feb": [1, 5],
+ "mar": [2, 2],
+ "apr": [3, 2],
+ "may": [4, 0],
+ "jun": [5, 1],
+ "jul": [6, 1],
+ "aug": [7, 3],
+ "sep": [8, 6],
+ "oct": [9, 4],
+ "nov": [10,
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} ZSCALERNSS: time=%{hfld2->} %{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hyear}^^timezone=%{timezone}^^%{payload}", processor_chain([ + setc("header_id","0001"), + setc("messageid","ZSCALERNSS_1"), + ])); + + var select1 = linear_select([ + hdr1, + ]); + + var part1 = match("MESSAGE#0:ZSCALERNSS_1", "nwparser.payload", "action=%{action}^^reason=%{result}^^hostname=%{hostname}^^protocol=%{protocol}^^serverip=%{daddr}^^url=%{url}^^urlcategory=%{filter}^^urlclass=%{info}^^dlpdictionaries=%{fld3}^^dlpengine=%{fld4}^^filetype=%{filetype}^^threatcategory=%{category}^^threatclass=%{vendor_event_cat}^^pagerisk=%{fld8}^^threatname=%{threat_name}^^clientpublicIP=%{fld9}^^ClientIP=%{saddr}^^location=%{fld11}^^refererURL=%{web_referer}^^useragent=%{user_agent}^^department=%{user_dept}^^user=%{username}^^event_id=%{id}^^clienttranstime=%{fld17}^^requestmethod=%{web_method}^^requestsize=%{sbytes}^^requestversion=%{fld20}^^status=%{resultcode}^^responsesize=%{rbytes}^^responseversion=%{fld23}^^transactionsize=%{bytes}", processor_chain([ + setc("eventcategory","1605000000"), + setf("fqdn","hostname"), + setf("msg","$MSG"), + date_time({ + dest: "event_time", + args: ["hmonth","hday","hyear","hhour","hmin","hsec"], + fmts: [ + [dB,dF,dW,dN,dU,dO], + ], + }), + lookup({ + dest: "nwparser.ec_activity", + map: map_getEventCategoryActivity, + key: field("action"), + }), + setc("ec_theme","Communication"), + setc("ec_subject","User"), + ])); + + var msg1 = msg("ZSCALERNSS_1", part1); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "ZSCALERNSS_1": msg1, + }), + ]); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/packages/zscaler/0.1.0/dataset/zia/agent/stream/udp.yml.hbs b/packages/zscaler/0.1.0/dataset/zia/agent/stream/udp.yml.hbs new file mode 100644 index 0000000000..290fcebeee --- /dev/null 
+++ b/packages/zscaler/0.1.0/dataset/zia/agent/stream/udp.yml.hbs 
@@ -0,0 +1,2437 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Zscaler" + product: "Internet" + type: "Configuration" +publisher_pipeline.disable_host: true + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage).
+ var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+ };
+
+ function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+ }
+
+ function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+ }
+
+ function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+ }
+
+ function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+ }
+
+ function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+ }
+
+ function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+ }
+
+ var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: 
"source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: 
fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: 
"network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: 
"related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": 
{to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", 
setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: 
"rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: 
"rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: 
"rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", 
setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: 
"rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + 
"cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: 
"rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: 
fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: 
"rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + 
"ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, 
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: 
"rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": 
{to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: 
fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: 
fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: 
fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + 
"obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: 
fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} ZSCALERNSS: time=%{hfld2->} %{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hyear}^^timezone=%{timezone}^^%{payload}", processor_chain([ + setc("header_id","0001"), + setc("messageid","ZSCALERNSS_1"), + ])); + + var select1 = linear_select([ + hdr1, + ]); + + var part1 = match("MESSAGE#0:ZSCALERNSS_1", "nwparser.payload", "action=%{action}^^reason=%{result}^^hostname=%{hostname}^^protocol=%{protocol}^^serverip=%{daddr}^^url=%{url}^^urlcategory=%{filter}^^urlclass=%{info}^^dlpdictionaries=%{fld3}^^dlpengine=%{fld4}^^filetype=%{filetype}^^threatcategory=%{category}^^threatclass=%{vendor_event_cat}^^pagerisk=%{fld8}^^threatname=%{threat_name}^^clientpublicIP=%{fld9}^^ClientIP=%{saddr}^^location=%{fld11}^^refererURL=%{web_referer}^^useragent=%{user_agent}^^department=%{user_dept}^^user=%{username}^^event_id=%{id}^^clienttranstime=%{fld17}^^requestmethod=%{web_method}^^requestsize=%{sbytes}^^requestversion=%{fld20}^^status=%{resultcode}^^responsesize=%{rbytes}^^responseversion=%{fld23}^^transactionsize=%{bytes}", processor_chain([ + setc("eventcategory","1605000000"), + setf("fqdn","hostname"), + setf("msg","$MSG"), + date_time({ + dest: "event_time", + args: ["hmonth","hday","hyear","hhour","hmin","hsec"], + fmts: [ + [dB,dF,dW,dN,dU,dO], + ], + }), + lookup({ + dest: "nwparser.ec_activity", + map: map_getEventCategoryActivity, + key: field("action"), + }), + setc("ec_theme","Communication"), + setc("ec_subject","User"), + ])); + + var msg1 = msg("ZSCALERNSS_1", part1); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "ZSCALERNSS_1": msg1, + }), + ]); + +- community_id: +- add_locale: ~ +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 
diff --git a/packages/zscaler/0.1.0/dataset/zia/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler/0.1.0/dataset/zia/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 0000000000..3354fb0674 --- /dev/null +++ b/packages/zscaler/0.1.0/dataset/zia/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,55 @@ +--- +description: Pipeline for Zscaler NSS + +processors: + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zscaler/0.1.0/dataset/zia/fields/base-fields.yml b/packages/zscaler/0.1.0/dataset/zia/fields/base-fields.yml new file mode 100644 index 0000000000..b294eaf20e --- /dev/null +++ b/packages/zscaler/0.1.0/dataset/zia/fields/base-fields.yml 
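Review bot: The geoip and ASN lookups on `source.ip` will likely be no-ops for most Zscaler NSS events, because the parser in stream.yml.hbs captures `ClientIP` as `saddr` (presumably the internal client address that ends up in `source.ip`) while the public egress address `clientpublicIP` is parked in `fld9` and, as far as the visible mapping shows, never reaches an ECS field. If that is the intended mapping, the enrichment silently yields no geo/AS data for RFC 1918 client addresses; `ignore_missing: true` only covers an absent field, a lookup miss simply adds nothing. Consider mapping the public client address to an ECS field in the parser and pointing a `geoip` processor at it, or document in the pipeline header that source enrichment is expected to be sparse, e.g. `# source.ip is the internal client address; geo/AS enrichment mostly applies to destination.ip`. The destination-side lookups on `serverip`/`destination.ip` are unaffected.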
@@ -0,0 +1,26 @@ +- name: datastream.type + type: constant_keyword + description: Datastream type. +- name: datastream.dataset + type: constant_keyword + description: Datastream dataset. +- name: datastream.namespace + type: constant_keyword + description: Datastream namespace. + +- name: dataset.type + type: constant_keyword + description: > + Dataset type. +- name: dataset.name + type: constant_keyword + description: > + Dataset name. +- name: dataset.namespace + type: constant_keyword + description: > + Dataset namespace. +- name: "@timestamp" + type: date + description: > + Event timestamp. diff --git a/packages/zscaler/0.1.0/dataset/zia/fields/ecs.yml b/packages/zscaler/0.1.0/dataset/zia/fields/ecs.yml new file mode 100644 index 0000000000..92af91c339 --- /dev/null +++ b/packages/zscaler/0.1.0/dataset/zia/fields/ecs.yml 
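Review bot: Two parallel `constant_keyword` triples are declared with identical semantics, `datastream.type/dataset/namespace` and `dataset.type/name/namespace`, with nothing indicating which set is canonical; the same pairing appears in the Barracuda README change earlier in this commit. A short comment above the `dataset.*` entries stating whether they are kept only for compatibility with the older naming would save the next maintainer from guessing, e.g. `# dataset.* retained for compatibility; datastream.* is the current naming`, assuming that is indeed the intent of the migration.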
@@ -0,0 +1,836 @@ +- name: log + type: group + fields: + - name: original + level: core + type: keyword + ignore_above: 1024 + description: 'This is the original log message and contains the full log message + before splitting it up in multiple parts. + + In contrast to the `message` field which can contain an extracted part of the + log message, this field contains the original, full log message. It can have + already some modifications applied like encoding or new lines removed to clean + up the log message. + + This field is not indexed and doc_values are disabled so it can''t be queried + but the value can be retrieved from `_source`.' + example: Sep 19 08:26:10 localhost My log + - name: level + level: core + type: keyword + ignore_above: 1024 + description: 'Original log level of the log event. + + If the source of the event provides a log level or textual severity, this is + the one that goes in `log.level`. If your source doesn''t specify one, you may + put your event transport''s severity here (e.g. Syslog severity). + + Some examples are `warn`, `err`, `i`, `informational`.' + example: error + - name: syslog + type: group + fields: + - name: priority + level: extended + type: long + format: string + description: 'Syslog numeric priority of the event, if available. + + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. + This number is therefore expected to contain a value between 0 and 191.' + example: 135 + - name: facility + type: group + fields: + - name: code + level: extended + type: long + format: string + description: 'The Syslog numeric facility of the log event, if available. + + According to RFCs 5424 and 3164, this value should be an integer between + 0 and 23.' + example: 23 + - name: severity + type: group + fields: + - name: code + level: extended + type: long + description: 'The Syslog numeric severity of the log event, if available. 
+ + If the event source publishing via Syslog provides a different numeric severity + value (e.g. firewall, IDS), your source''s numeric severity should go to + `event.severity`. If the event source does not specify a distinct severity, + you can optionally copy the Syslog severity to `event.severity`.' + example: 3 +- name: event + type: group + fields: + - name: code + level: extended + type: keyword + ignore_above: 1024 + description: 'Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, regardless + of message language or wording adjustments over time. An example of this is + the Windows Event ID.' + example: 4648 + - name: action + level: core + type: keyword + ignore_above: 1024 + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is normally + defined by the implementer.' + example: user-password-change + - name: outcome + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + lowest level in the ECS category hierarchy. + + `event.outcome` simply denotes whether the event represents a success or a failure + from the perspective of the entity that produced the event. + + Note that when a single transaction is described in multiple events, each event + may populate different values of `event.outcome`, according to their perspective. + + Also note that in the case of a compound event (a single event that contains + multiple logical events), this field should be populated with the value that + best captures the overall success or failure from the perspective of the event + producer. + + Further note that not all events will have an associated outcome. 
For example, + this field is generally not populated for metric events, events with `event.type:info`, + or any events for which an outcome does not make logical sense.' + example: success + - name: category + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as a + subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + - name: timezone + level: extended + type: keyword + ignore_above: 1024 + description: 'This field should be populated when the event''s timestamp does + not include timezone information already (e.g. default Syslog timestamps). It''s + optional otherwise. + + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated + (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' +- name: '@timestamp' + level: core + required: true + type: date + description: 'Date/time when the event originated. + + This is the date/time extracted from the event, typically representing when the + event was generated by the source. + + If the event source has no original timestamp, this value is typically populated + by the first time the event was received by the pipeline. + + Required field for all events.' + example: '2016-05-23T08:05:34.853Z' +- name: user + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. 
+ example: albert + - name: full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifiers of the user. +- name: message + level: core + type: text + description: 'For log events the message field contains the log message, optimized + for viewing in a log viewer. + + For structured logs without an original message field, other fields can be concatenated + to form a human-readable summary of the event. + + If multiple messages exist, they can be combined into one message.' + example: Hello World +- name: source + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the source. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the source. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the source. + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. 
internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Source domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: host + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified + domain name, or a name specified by the user. The sender decides which value + to use.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. +- name: destination + type: group + fields: + - name: ip + level: core + type: ip + description: 'IP address of the destination. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: port + level: core + type: long + format: string + description: Port of the destination. + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event destination addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. 
You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the destination to the source. + example: 184 + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the destination. + - name: nat + type: group + fields: + - name: ip + level: extended + type: ip + description: 'Translated ip of destination based NAT sessions (e.g. internet + to private DMZ) + + Typically used with load balancers, firewalls, or routers.' + - name: port + level: extended + type: long + format: string + description: 'Port the source session is translated to by NAT Device. + + Typically used with load balancers, firewalls, or routers.' + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Destination domain. + - name: geo + type: group + fields: + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: group + fields: + - type: double + name: lat + - type: double + name: lon + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal +- name: network + type: group + fields: + - name: protocol + level: core + type: keyword + ignore_above: 1024 + description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: http + - name: application + level: extended + type: keyword + ignore_above: 1024 + description: 'A name given to an application level protocol. This can be arbitrarily + assigned for things like microservices, but also apply to things like skype, + icq, facebook, twitter. 
This would be used in situations where the vendor or + service can be decoded such as from the source/dest IP owners, ports, or wire + format. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: aim + - name: interface + type: group + fields: + - type: keyword + name: name + - name: bytes + level: core + type: long + format: bytes + description: 'Total bytes transferred in both directions. + + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their + sum.' + example: 368 + - name: direction + level: core + type: keyword + ignore_above: 1024 + description: "Direction of the network traffic.\nRecommended values are:\n *\ + \ inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen mapping\ + \ events from a host-based monitoring context, populate this field from the\ + \ host's point of view.\nWhen mapping events from a network or perimeter-based\ + \ monitoring context, populate this field from the point of view of your network\ + \ perimeter." + example: inbound + - name: packets + level: core + type: long + description: 'Total packets transferred in both directions. + + If `source.packets` and `destination.packets` are known, `network.packets` is + their sum.' + example: 24 + - name: forwarded_ip + level: core + type: ip + description: Host IP address when the source IP address is the proxy. + example: 192.1.1.2 +- name: observer + type: group + fields: + - name: version + level: core + type: keyword + ignore_above: 1024 + description: Observer version. + - name: product + level: extended + type: keyword + ignore_above: 1024 + description: The product name of the observer. + example: s200 + - name: ingress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. 
+ example: eth0 + default_field: false + - name: egress + type: group + fields: + - name: interface + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. + example: eth0 + default_field: false +- name: file + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. + example: example.png + - name: directory + level: extended + type: keyword + ignore_above: 1024 + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + - name: size + level: extended + type: long + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: File type (file, dir, or symlink). + example: file + - name: extension + level: extended + type: keyword + ignore_above: 1024 + description: File extension. + example: png + - name: path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + - name: attributes + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' 
+ example: '["readonly", "system"]' + default_field: false +- name: url + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + - name: query + level: extended + type: keyword + ignore_above: 1024 + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there is + no query field. If there is a `?` but no query, the query field exists with + an empty string. The `exists` query can be used to differentiate between the + two cases.' + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field.' + example: www.elastic.co + - name: path + level: extended + type: keyword + ignore_above: 1024 + description: Path of the request, such as "/search". + - name: top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for google.com is "com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). 
Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.google.com" is "google.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: google.com +- name: service + type: group + fields: + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the service data is collected from. + + The name of the service is normally user given. This allows for distributed + services that run on multiple hosts to correlate the related instances based + on the name. + + In the case of Elasticsearch the `service.name` could contain the cluster name. + For Beats the `service.name` is by default a copy of the `service.type` field + if no name is specified.' + example: elasticsearch-metrics +- name: server + type: group + fields: + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Server domain. +- name: process + type: group + fields: + - name: pid + level: core + type: long + format: string + description: Process id. + example: 4242 + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + - name: ppid + level: extended + type: long + format: string + description: Parent process' pid. 
+ example: 4241 + - name: parent + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' +- name: rule + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: The name of the rule or signature generating the event. + example: BLOCK_DNS_over_TLS + default_field: false +- name: user_agent + type: group + fields: + - name: original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Unparsed user_agent string. + example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 + (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 +- name: http + type: group + fields: + - name: response + type: group + fields: + - name: body + type: group + fields: + - name: content + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: The full HTTP response body. 
+ example: Hello world + - name: request + type: group + fields: + - name: referrer + level: extended + type: keyword + ignore_above: 1024 + description: Referrer for this HTTP request. + example: https://blog.example.com/ + - name: method + level: extended + type: keyword + ignore_above: 1024 + description: 'HTTP request method. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: get, post, put +- name: geo + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + - name: region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec +- name: dns + type: group + fields: + - name: question + type: group + fields: + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of record being queried. + example: AAAA + - name: answers + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'The domain name to which this resource record pertains. + + If a chain of CNAME is being resolved, each answer''s `name` should be the + one that corresponds with the answer''s `data`. It should not simply be the + original `question.name` repeated.' + example: www.google.com + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: The type of data contained in this resource record. 
+ example: CNAME diff --git a/packages/zscaler/0.1.0/dataset/zia/fields/fields.yml b/packages/zscaler/0.1.0/dataset/zia/fields/fields.yml new file mode 100644 index 0000000000..2abc947fe7 --- /dev/null +++ b/packages/zscaler/0.1.0/dataset/zia/fields/fields.yml 
@@ -0,0 +1,1939 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. 
+ - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a 
generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/packages/zscaler/0.1.0/dataset/zia/manifest.yml b/packages/zscaler/0.1.0/dataset/zia/manifest.yml new file mode 100644 index 0000000000..65f2fac362 --- /dev/null +++ b/packages/zscaler/0.1.0/dataset/zia/manifest.yml 
@@ -0,0 +1,155 @@
+title: Zscaler NSS logs
+release: experimental
+type: logs
+streams:
+- input: udp
+ title: Zscaler NSS logs
+ description: Collect Zscaler NSS logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - zscaler-zia
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9521
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: tcp
+ title: Zscaler NSS logs
+ description: Collect Zscaler NSS logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - zscaler-zia
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9521
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+
+- input: file
+ title: Zscaler NSS logs
+ description: Collect Zscaler NSS logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/zscaler-zia.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - zscaler-zia
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
diff --git a/packages/zscaler/0.1.0/docs/README.md b/packages/zscaler/0.1.0/docs/README.md
new file mode 100644
index 0000000000..a6be4fe237
--- /dev/null
+++ b/packages/zscaler/0.1.0/docs/README.md
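Review bot: All three streams in the manifest carry the identical `title: Zscaler NSS logs`, and the udp and tcp streams also share `description: Collect Zscaler NSS logs`, so nothing distinguishes the two network inputs when a user picks one; `description: Collect Zscaler NSS logs over UDP` and `description: Collect Zscaler NSS logs over TCP` would mirror the file stream's "from file" wording. The `tz_offset` title in every stream advertises only the `+HH:mm` form while the default is `"local"`; `title: Timezone offset (+HH:mm format, or "local")` documents the value users will actually see. The file stream omits `template_path` where the udp and tcp streams set one; presumably it falls back to the package's default stream template, but that is worth confirming so the stream renders.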
@@ -0,0 +1,780 @@ +# Zscaler integration + +This integration is for Zscaler device's logs. It includes the following +datasets for receiving logs over syslog or read from a file: +- `zia` dataset: supports Zscaler NSS logs. + +### Zia + +The `zia` dataset collects Zscaler NSS logs. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| dataset.name | Dataset name. | constant_keyword | +| dataset.namespace | Dataset namespace. | constant_keyword | +| dataset.type | Dataset type. | constant_keyword | +| datastream.dataset | Datastream dataset. | constant_keyword | +| datastream.namespace | Datastream namespace. | constant_keyword | +| datastream.type | Datastream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | Destination domain. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location.lat | | double | +| destination.geo.location.lon | | double | +| destination.ip | IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses. | ip | +| destination.mac | MAC address of the destination. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. 
| keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| http.request.method | HTTP request method. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.body.content | The full HTTP response body. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. 
| keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | +| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.pid | Process id. | long | +| process.ppid | Parent process' pid. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. 
| keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is 
used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| rsa.crypto.ike | IKE negotiation phase. 
| keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | +| rsa.file.directory_dst | This key is used to capture the directory of the target process or file | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | +| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.event_desc | | keyword | +| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | +| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | +| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.inode | Deprecated key defined only in table map. | long | +| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | +| rsa.internal.level | Deprecated key defined only in table map. | long | +| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | +| rsa.internal.message | This key captures the contents of instant messages | keyword | +| rsa.internal.messageid | | keyword | +| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | +| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.site | Deprecated key defined only in table map. | keyword | +| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.statement | Deprecated key defined only in table map. | keyword | +| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | +| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | +| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | +| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | +| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | +| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | +| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | +| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | +| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | +| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | +| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | +| rsa.investigations.event_cat | This key captures the Event category number | long | +| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | +| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | +| rsa.investigations.inv_category | This used to capture investigation category | keyword | +| rsa.investigations.inv_context | This used to capture investigation context | keyword | +| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | +| rsa.misc.OS | This key captures the Name of the Operating System | keyword | +| rsa.misc.acl_id | | keyword | +| rsa.misc.acl_op | | keyword | +| rsa.misc.acl_pos | | keyword | +| rsa.misc.acl_table | | keyword | +| rsa.misc.action | | keyword | +| rsa.misc.admin | | keyword | +| rsa.misc.agent_id | This key is used to capture agent id | keyword | +| rsa.misc.alarm_id | | keyword | +| rsa.misc.alarmname | | keyword | +| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.app_id | | keyword | +| rsa.misc.audit | | keyword | +| rsa.misc.audit_object | | keyword | +| rsa.misc.auditdata | | keyword | +| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | +| rsa.misc.benchmark | | keyword | +| rsa.misc.bypass | | keyword | +| rsa.misc.cache | | keyword | +| rsa.misc.cache_hit | | keyword | +| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | +| rsa.misc.cc_number | Valid Credit Card Numbers only | long | +| rsa.misc.cefversion | | keyword | +| rsa.misc.cfg_attr | | keyword | +| rsa.misc.cfg_obj | | keyword | +| rsa.misc.cfg_path | | keyword | +| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | +| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | +| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | +| rsa.misc.changes | | keyword | +| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | +| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | +| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | +| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | +| rsa.misc.client_ip | | keyword | +| rsa.misc.clustermembers | | keyword | +| rsa.misc.cmd | | keyword | +| rsa.misc.cn_acttimeout | | keyword | +| rsa.misc.cn_asn_src | | keyword | +| rsa.misc.cn_bgpv4nxthop | | keyword | +| rsa.misc.cn_ctr_dst_code | | keyword | +| rsa.misc.cn_dst_tos | | keyword | +| rsa.misc.cn_dst_vlan | | keyword | +| rsa.misc.cn_engine_id | | keyword | +| rsa.misc.cn_engine_type | | keyword | +| rsa.misc.cn_f_switch | | keyword | +| rsa.misc.cn_flowsampid | | keyword | +| rsa.misc.cn_flowsampintv | | keyword | +| rsa.misc.cn_flowsampmode | | keyword | +| rsa.misc.cn_inacttimeout | | keyword | +| rsa.misc.cn_inpermbyts | | keyword | +| rsa.misc.cn_inpermpckts | | keyword | +| rsa.misc.cn_invalid | | keyword | +| rsa.misc.cn_ip_proto_ver | | keyword | +| rsa.misc.cn_ipv4_ident | | keyword | +| rsa.misc.cn_l_switch | | keyword | +| rsa.misc.cn_log_did | | keyword | +| rsa.misc.cn_log_rid | | keyword | +| rsa.misc.cn_max_ttl | | keyword | +| rsa.misc.cn_maxpcktlen | | keyword | +| rsa.misc.cn_min_ttl | | keyword | +| rsa.misc.cn_minpcktlen | | keyword | +| rsa.misc.cn_mpls_lbl_1 | | keyword | +| rsa.misc.cn_mpls_lbl_10 | | keyword | +| rsa.misc.cn_mpls_lbl_2 | | keyword | +| rsa.misc.cn_mpls_lbl_3 | | keyword | +| rsa.misc.cn_mpls_lbl_4 | | keyword | +| rsa.misc.cn_mpls_lbl_5 | 
| keyword | +| rsa.misc.cn_mpls_lbl_6 | | keyword | +| rsa.misc.cn_mpls_lbl_7 | | keyword | +| rsa.misc.cn_mpls_lbl_8 | | keyword | +| rsa.misc.cn_mpls_lbl_9 | | keyword | +| rsa.misc.cn_mplstoplabel | | keyword | +| rsa.misc.cn_mplstoplabip | | keyword | +| rsa.misc.cn_mul_dst_byt | | keyword | +| rsa.misc.cn_mul_dst_pks | | keyword | +| rsa.misc.cn_muligmptype | | keyword | +| rsa.misc.cn_sampalgo | | keyword | +| rsa.misc.cn_sampint | | keyword | +| rsa.misc.cn_seqctr | | keyword | +| rsa.misc.cn_spackets | | keyword | +| rsa.misc.cn_src_tos | | keyword | +| rsa.misc.cn_src_vlan | | keyword | +| rsa.misc.cn_sysuptime | | keyword | +| rsa.misc.cn_template_id | | keyword | +| rsa.misc.cn_totbytsexp | | keyword | +| rsa.misc.cn_totflowexp | | keyword | +| rsa.misc.cn_totpcktsexp | | keyword | +| rsa.misc.cn_unixnanosecs | | keyword | +| rsa.misc.cn_v6flowlabel | | keyword | +| rsa.misc.cn_v6optheaders | | keyword | +| rsa.misc.code | | keyword | +| rsa.misc.command | | keyword | +| rsa.misc.comments | Comment information provided in the log message | keyword | +| rsa.misc.comp_class | | keyword | +| rsa.misc.comp_name | | keyword | +| rsa.misc.comp_rbytes | | keyword | +| rsa.misc.comp_sbytes | | keyword | +| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | +| rsa.misc.connection_id | This key captures the Connection ID | keyword | +| rsa.misc.content | This key captures the content type from protocol headers | keyword | +| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | +| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | +| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | +| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | +| rsa.misc.context_target | | keyword | +| rsa.misc.count | | keyword | +| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | +| rsa.misc.cpu_data | | keyword | +| rsa.misc.criticality | | keyword | +| rsa.misc.cs_agency_dst | | keyword | +| rsa.misc.cs_analyzedby | | keyword | +| rsa.misc.cs_av_other | | keyword | +| rsa.misc.cs_av_primary | | keyword | +| rsa.misc.cs_av_secondary | | keyword | +| rsa.misc.cs_bgpv6nxthop | | keyword | +| rsa.misc.cs_bit9status | | keyword | +| rsa.misc.cs_context | | keyword | +| rsa.misc.cs_control | | keyword | +| rsa.misc.cs_data | | keyword | +| rsa.misc.cs_datecret | | keyword | +| rsa.misc.cs_dst_tld | | keyword | +| rsa.misc.cs_eth_dst_ven | | keyword | +| rsa.misc.cs_eth_src_ven | | keyword | +| rsa.misc.cs_event_uuid | | keyword | +| rsa.misc.cs_filetype | | keyword | +| rsa.misc.cs_fld | | keyword | +| rsa.misc.cs_if_desc | | keyword | +| rsa.misc.cs_if_name | | keyword | +| rsa.misc.cs_ip_next_hop | | keyword | +| rsa.misc.cs_ipv4dstpre | | keyword | +| rsa.misc.cs_ipv4srcpre | | keyword | +| rsa.misc.cs_lifetime | | keyword | +| rsa.misc.cs_log_medium | | keyword | +| rsa.misc.cs_loginname | | keyword | +| rsa.misc.cs_modulescore | | keyword | +| rsa.misc.cs_modulesign | | keyword | +| rsa.misc.cs_opswatresult | | keyword | +| rsa.misc.cs_payload | | keyword | +| rsa.misc.cs_registrant | | keyword | +| rsa.misc.cs_registrar | | keyword | +| rsa.misc.cs_represult | | keyword | +| rsa.misc.cs_rpayload | | keyword | +| rsa.misc.cs_sampler_name | | keyword | +| rsa.misc.cs_sourcemodule | | keyword | +| rsa.misc.cs_streams | | keyword | +| rsa.misc.cs_targetmodule | | keyword | +| rsa.misc.cs_v6nxthop | | keyword | +| rsa.misc.cs_whois_server | | keyword | +| rsa.misc.cs_yararesult | | keyword | +| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | +| rsa.misc.data_type | | keyword | +| rsa.misc.description | | keyword | +| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | +| rsa.misc.devvendor | | keyword | +| rsa.misc.disposition | This key captures the The end state of an action. | keyword | +| rsa.misc.distance | | keyword | +| rsa.misc.doc_number | This key captures File Identification number | long | +| rsa.misc.dstburb | | keyword | +| rsa.misc.edomain | | keyword | +| rsa.misc.edomaub | | keyword | +| rsa.misc.ein_number | Employee Identification Numbers only | long | +| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | +| rsa.misc.euid | | keyword | +| rsa.misc.event_category | | keyword | +| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | +| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | +| rsa.misc.event_id | | keyword | +| rsa.misc.event_log | This key captures the Name of the event log | keyword | +| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | +| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | +| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | +| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | +| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | +| rsa.misc.facility | | keyword | +| rsa.misc.facilityname | | keyword | +| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | +| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | +| rsa.misc.finterface | | keyword | +| rsa.misc.flags | | keyword | +| rsa.misc.forensic_info | | keyword | +| rsa.misc.found | This is used to capture the results of regex match | keyword | +| rsa.misc.fresult | This key captures the Filter Result | long | +| rsa.misc.gaddr | | keyword | +| rsa.misc.group | This key captures the Group Name value | keyword | +| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | +| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | +| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | +| rsa.misc.id3 | | keyword | +| rsa.misc.im_buddyid | | keyword | +| rsa.misc.im_buddyname | | keyword | +| rsa.misc.im_client | | keyword | +| rsa.misc.im_croomid | | keyword | +| rsa.misc.im_croomtype | | keyword | +| rsa.misc.im_members | | keyword | +| rsa.misc.im_userid | | keyword | +| rsa.misc.im_username | | keyword | +| rsa.misc.index | | keyword | +| rsa.misc.inout | | keyword | +| rsa.misc.ipkt | | keyword | +| rsa.misc.ipscat | | keyword | +| rsa.misc.ipspri | | keyword | +| rsa.misc.job_num | This key captures the Job Number | keyword | +| rsa.misc.jobname | | keyword | +| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | +| rsa.misc.latitude | | keyword | +| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | +| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | +| rsa.misc.linenum | | keyword | +| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.misc.list_name | | keyword | +| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | +| rsa.misc.load_data | | keyword | +| rsa.misc.location_floor | | keyword | +| rsa.misc.location_mark | | keyword | +| rsa.misc.log_id | | keyword | +| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | +| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | +| rsa.misc.log_type | | keyword | +| rsa.misc.logid | | keyword | +| rsa.misc.logip | | keyword | +| rsa.misc.logname | | keyword | +| rsa.misc.longitude | | keyword | +| rsa.misc.lport | | keyword | +| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | +| rsa.misc.match | This key is for regex match name from search.ini | keyword | +| rsa.misc.mbug_data | | keyword | +| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | +| rsa.misc.misc | | keyword | +| rsa.misc.misc_name | | keyword | +| rsa.misc.mode | | keyword | +| rsa.misc.msgIdPart1 | | keyword | +| rsa.misc.msgIdPart2 | | keyword | +| rsa.misc.msgIdPart3 | | keyword | +| rsa.misc.msgIdPart4 | | keyword | +| rsa.misc.msg_type | | keyword | +| rsa.misc.msgid | | keyword | +| rsa.misc.name | | keyword | +| rsa.misc.netsessid | | keyword | +| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long 
| +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target **VMWARE** only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | +| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | +| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | +| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | +| rsa.threat.alert | This key is used to capture name of the alert | keyword | +| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | +| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | +| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | +| rsa.time.date | | keyword | +| rsa.time.datetime | | keyword | +| rsa.time.day | | keyword | +| rsa.time.duration_str | A text string version of the duration | keyword | +| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | +| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | +| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | +| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | +| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | +| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | +| rsa.time.eventtime | | keyword | +| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | +| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | +| rsa.time.gmtdate | | keyword | +| rsa.time.gmttime | | keyword | +| rsa.time.hour | | keyword | +| rsa.time.min | | keyword | +| rsa.time.month | | keyword | +| rsa.time.p_date | | keyword | +| rsa.time.p_month | | keyword | +| rsa.time.p_time | | keyword | +| rsa.time.p_time1 | | keyword | +| rsa.time.p_time2 | | keyword | +| rsa.time.p_year | | keyword | +| rsa.time.process_time | Deprecated, use duration.time | keyword | +| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | +| rsa.time.stamp | Deprecated key defined only in table map. | date | +| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | +| rsa.time.timestamp | | keyword | +| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | +| rsa.time.tzone | | keyword | +| rsa.time.year | | keyword | +| rsa.web.alias_host | | keyword | +| rsa.web.cn_asn_dst | | keyword | +| rsa.web.cn_rpackets | | keyword | +| rsa.web.fqdn | Fully Qualified Domain Names | keyword | +| rsa.web.p_url | | keyword | +| rsa.web.p_user_agent | | keyword | +| rsa.web.p_web_cookie | | keyword | +| rsa.web.p_web_method | | keyword | +| rsa.web.p_web_referer | | keyword | +| rsa.web.remote_domain | | keyword | +| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | +| rsa.web.urlpage | | keyword | +| rsa.web.urlroot | | keyword | +| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | Server domain. | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | Source domain. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location.lat | | double | +| source.geo.location.lon | | double | +| source.ip | IP address of the source. Can be one or multiple IPv4 or IPv6 addresses. 
| ip |
+| source.mac | MAC address of the source. | keyword |
+| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
+| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
+| source.port | Port of the source. | long |
+| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | keyword |
+| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword |
+| url.path | Path of the request, such as "/search". | keyword |
+| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
+| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.id | Unique identifiers of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user_agent.original | Unparsed user_agent string. | keyword |
diff --git a/packages/zscaler/0.1.0/img/logo.svg b/packages/zscaler/0.1.0/img/logo.svg
new file mode 100644
index 0000000000..b8a21a2fa6
--- /dev/null
+++ b/packages/zscaler/0.1.0/img/logo.svg
@@ -0,0 +1 @@
+Zscaler-Logo-TM-Blue-RGB-May2019
\ No newline at end of file
diff --git a/packages/zscaler/0.1.0/manifest.yml b/packages/zscaler/0.1.0/manifest.yml
new file mode 100644
index 0000000000..7a668d64a9
--- /dev/null
+++ b/packages/zscaler/0.1.0/manifest.yml
@@ -0,0 +1,36 @@
+format_version: 1.0.0
+name: zscaler
+title: Zscaler NSS
+version: 0.1.0
+description: Zscaler NSS Integration
+categories: ["network","security"]
+release: experimental
+removable: true
+license: basic
+type: integration
+conditions:
+ kibana:
+ version: '>=7.9.0'
+ elasticsearch:
+ version: '>=7.9.0'
+config_templates:
+- name: zia
+ title: Zscaler NSS
+ description: Collect Zscaler NSS logs from syslog or a file.
+ inputs:
+ - type: udp
+ title: Collect logs from Zscaler NSS via UDP
+ description: Collecting syslog from Zscaler NSS via UDP
+ - type: tcp
+ title: Collect logs from Zscaler NSS via TCP
+ description: Collecting syslog from Zscaler NSS via TCP
+ - type: file
+ title: Collect logs from Zscaler NSS via file
+ description: Collecting syslog from Zscaler NSS via file.
+# No icon
+icons:
+ - src: /img/logo.svg
+ title: Zscaler NSS logo
+ size: 32x32
+ type: image/svg+xml
+
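Review bot: The `# No icon` comment sitting directly above the `icons:` block in the new manifest.yml contradicts the block it annotates, which does declare `/img/logo.svg`; it reads like a leftover from a template and should be dropped or replaced with a comment that is true, e.g. `# Package icon shown in the Kibana integrations list`. The three input `description` strings are also inconsistent: the `file` one ends with a period while the `udp` and `tcp` ones do not, and since these are user-facing in the UI one form should be chosen. Whether the logo added in the preceding hunk is well-formed SVG markup cannot be judged from this page, as only its title text survived extraction, so it is worth confirming that the `type: image/svg+xml` entry points at a valid asset before the package is published.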